diff --git a/pkgs/development/tools/packet-sd/default.nix b/pkgs/development/tools/packet-sd/default.nix
index 5f61b584489c..a1418df2cc3a 100644
--- a/pkgs/development/tools/packet-sd/default.nix
+++ b/pkgs/development/tools/packet-sd/default.nix
@@ -1,4 +1,9 @@
-{ buildGoModule, fetchFromGitHub, lib }:
+{ buildGoModule
+, fetchFromGitHub
+, fetchpatch2
+, lib
+}:
+
 buildGoModule rec {
   pname = "prometheus-packet-sd";
   version = "0.0.3";
@@ -7,9 +12,23 @@ buildGoModule rec {
     owner = "packethost";
     repo = "prometheus-packet-sd";
     rev = "v${version}";
-    sha256 = "sha256-2k8AsmyhQNNZCzpVt6JdgvI8IFb5pRi4ic6Yn2NqHMM=";
+    hash = "sha256-2k8AsmyhQNNZCzpVt6JdgvI8IFb5pRi4ic6Yn2NqHMM=";
   };
 
+  patches = [
+    (fetchpatch2 {
+      # fix racy permissions on outfile
+      # https://github.com/packethost/prometheus-packet-sd/issues/15
+      url = "https://github.com/packethost/prometheus-packet-sd/commit/bf0ed3a1da4d0f797bd29e4a1857ac65a1d04750.patch";
+      hash = "sha256-ZLV9lyqZxpIQ1Cmzy/nY/85b4QWF5Ou0XcdrZXxck2E=";
+    })
+    (fetchpatch2 {
+      # restrict outfile to not be world/group writable
+      url = "https://github.com/packethost/prometheus-packet-sd/commit/a0afc2a4c3f49dc234d0d2c4901df25b4110b3ec.patch";
+      hash = "sha256-M5133+r77z21/Ulnbz+9sGbbuY5UpU1+22iY464UVAU=";
+    })
+  ];
+
   vendorHash = null;
 
   subPackages = [ "." ];