diff --git a/internal/netrc/netrc.go b/internal/netrc/netrc.go
index 6dcb419..f020a4d 100644
--- a/internal/netrc/netrc.go
+++ b/internal/netrc/netrc.go
@@ -132,5 +132,8 @@ func write(path string, entries []entry) error {
 		fmt.Fprintf(&b, "machine %s\npassword %s\n", e.machine, e.password)
 	}
 
-	return os.WriteFile(path, []byte(b.String()), 0600)
+	if err := os.WriteFile(path, []byte(b.String()), 0600); err != nil {
+		return err
+	}
+	return os.Chmod(path, 0600)
 }
diff --git a/internal/netrc/netrc_test.go b/internal/netrc/netrc_test.go
index 49694d9..611c8c4 100644
--- a/internal/netrc/netrc_test.go
+++ b/internal/netrc/netrc_test.go
@@ -173,3 +173,27 @@ func TestFilePermissions(t *testing.T) {
 		t.Errorf("file permissions = %o, want 0600", perm)
 	}
 }
+
+func TestFilePermissionsCorrected(t *testing.T) {
+	dir := t.TempDir()
+	path := filepath.Join(dir, "netrc")
+
+	// Create file with overly permissive mode
+	if err := os.WriteFile(path, []byte("machine old.host\npassword oldpass\n"), 0644); err != nil {
+		t.Fatal(err)
+	}
+
+	if err := Upsert(path, "cache.example.com", "token"); err != nil {
+		t.Fatalf("unexpected error: %v", err)
+	}
+
+	info, err := os.Stat(path)
+	if err != nil {
+		t.Fatalf("stat error: %v", err)
+	}
+
+	perm := info.Mode().Perm()
+	if perm != 0600 {
+		t.Errorf("file permissions = %o, want 0600", perm)
+	}
+}