Announcing Chainguard Libraries for JavaScript: Malware-Resistant Dependencies Built Securely from Source

Bria Giordano, Director, Product Marketing

We’re excited to announce Chainguard Libraries for JavaScript—a secure source for trusted builds of language dependencies. Chainguard Libraries for JavaScript is built entirely from source on hardened SLSA L2 infrastructure, comes with full provenance, and can be consumed with no change to existing developer workflows. Our goal? Help protect developers and organizations from compromised packages, malicious updates, and registry-based attacks by vetting source packages and delivering them to customers.


The Risk: Recent npm Attacks 


Over the past weeks, several high-profile npm packages have been compromised, leading to the removal of over 500 packages from the npm registry to prevent further propagation of malicious software. These incidents demonstrated one of the ecosystem’s largest risk vectors:


  • Eighteen widely used packages were backdoored via malicious updates. They included debug, chalk, ansi-styles, strip-ansi, supports-color, ansi-regex, wrap-ansi, and others — and together, they total over 2 billion weekly downloads.

  • The Shai-Hulud self-replicating worm ran an aggressive attack campaign against at least 187 npm packages, including @ctrl/tinycolor. The malware uses post-install hooks that harvest credentials and cryptocurrency balances.


These incidents expose a pattern of malicious code being inserted into otherwise benign and widely trusted library versions. In these recent npm attacks, the malicious code was inserted during the build and distribution stages of a package’s lifecycle.


Figure 1: In recent attacks, malicious code is inserted during the build and distribution stages, compromising the security of developers.

Figure 2: Chainguard Libraries for JavaScript prevents the insertion of malicious code during these stages, keeping developers secure.

Because these libraries are dependencies of dependencies, many projects pull in the backdoored versions at large scale before detection. These libraries run in developer environments, but they can also be redistributed into websites, where the JavaScript runs on end users’ computers as well. Detection is reactive, and remediation, whether through rollback or removal of a package, happens after the damage window.


The Need for a New Approach 


Injecting malware directly into package registries is growing in both frequency and severity in the JavaScript ecosystem. We applaud the work done by the open source community to take swift action and introduce new compensating controls where possible. But there’s still more to be done.


Chainguard Libraries for JavaScript ensures compromised packages don’t even reach customers’ environments with:


  • Every package built from verified source.

  • Builds that take place in Chainguard’s hardened build infrastructure.

  • Full transparency and easy identification of packages via a complete SBOM.

  • Signed artifacts and source commits that are required and validated.

  • Seamless integration with your artifact registries and CI/CD to enforce which packages are allowed into builds, with no disruption to the developer experience.


“The recent compromises in popular npm packages highlight just how easy it still is for attackers to slip malicious code into the software supply chain. Chainguard’s approach to open source software security flips that paradigm—by rebuilding every JavaScript library from source, they will give development teams a way to eliminate common supply chain attacks and actually have a trusted source for packaged libraries. The open source community has made a herculean effort to bring software to the masses, but policing it falls to commercial entities.”

Rob Gil, Security Architect, Okta. 

Chainguard Libraries for JavaScript aims to shift security from monitoring and reacting to building securely by default from a trusted source, significantly reducing your attack surface and eliminating supply chain attacks like those above.


Sign Me Up

Chainguard Libraries for JavaScript was built directly in response to customer feedback after evaluating and onboarding to Chainguard Libraries for Python and Java. Chainguard Libraries for JavaScript is now available in closed beta. We’re beginning with high-priority, high-impact packages—especially those that have been high-value targets recently. If you are interested in learning more about Chainguard Libraries for JavaScript, you can sign up here. Existing Chainguard customers can get started with Chainguard Libraries by reaching out to your account teams.
