Announcing Chainguard Libraries for JavaScript: Malware-Resistant Dependencies Built Securely from Source
We’re excited to announce Chainguard Libraries for JavaScript—a secure source for trusted builds of language dependencies. Chainguard Libraries for JavaScript is built entirely from source on hardened SLSA L2 infrastructure, comes with full provenance, and can be consumed with no change to existing developer workflows. Our goal? Help protect developers and organizations from compromised packages, malicious updates, and registry-based attacks by vetting source packages and delivering them to customers.
The Risk: Recent npm Attacks
Over the past weeks, several high-profile npm packages have been compromised, leading to the removal of over 500 packages from the npm registry to prevent further propagation of malicious software. These incidents exposed one of the ecosystem’s largest risk vectors:
- Eighteen widely used packages were backdoored via malicious updates. They included debug, chalk, ansi-styles, strip-ansi, supports-color, ansi-regex, wrap-ansi, and others, and together they total over 2 billion weekly downloads.
- The Shai-Hulud self-replicating worm ran an aggressive attack campaign against at least 187 npm packages, including @ctrl/tinycolor. The malware includes post-install hooks that harvest credentials and cryptocurrency balances.
These incidents expose a pattern of malicious code being inserted into otherwise benign and widely trusted library versions. The insertion of malicious code across these recent npm attacks takes place during the build and distribution process of a package’s lifecycle.

Because these libraries are dependencies of dependencies, many projects pull in the backdoored versions at large scale before detection. These libraries run in developer environments, but they can also be redistributed into websites, where the JavaScript runs on end users’ computers as well. Detection is reactive, and remediation, whether through rollback or removal of a package, happens after the damage window.
The Need for a New Approach
Injecting malware directly into package registries is growing in both frequency and severity in the JavaScript ecosystem. We applaud the work done by the open source community to take swift action and introduce new compensating controls where possible. But there’s still more to be done.
Chainguard Libraries for JavaScript ensures compromised packages don’t even reach customers’ environments with:
- Every package built from verified source.
- Builds that take place in Chainguard’s hardened build infrastructure.
- Full transparency and easy identification of packages via a complete SBOM.
- Signed artifacts and source commits that are required and validated.
- Seamless integration with your artifact registries and CI/CD to enforce which packages are allowed to build, with no disruption to developer experience.
“"The recent compromises in popular npm packages highlight just how easy it still is for attackers to slip malicious code into the software supply chain. Chainguard’s approach to open source software security flips that paradigm—by rebuilding every JavaScript library from source, they will give development teams a way to eliminate common supply chain attacks and actually have a trusted source for packaged libraries. The open source community has made a herculean effort to bring software to the masses, but policing it falls to commercial entities.”
Chainguard Libraries for JavaScript aims to shift security from monitoring and reacting to building securely by default from a trusted source, significantly reducing your attack surface and eliminating supply chain attacks like those above.
Sign Me Up
Chainguard Libraries for JavaScript was built directly in response to customer feedback after evaluating and onboarding to Chainguard Libraries for Python and Java. Chainguard Libraries for JavaScript is now available in closed beta. We’re beginning with high-priority, high-impact packages—especially those that have been high-value targets recently. If you are interested in learning more about Chainguard Libraries for JavaScript, you can sign up here. Existing Chainguard customers can get started with Chainguard Libraries by reaching out to your account teams.