Paul Krill
Editor at Large

Chainguard offers malware-resistant JavaScript libraries

news
Oct 2, 2025 | 2 min read

Responding to recent NPM malware attacks, Chainguard Libraries for JavaScript seeks to address security vulnerabilities in the JavaScript ecosystem.

Software supply chain security provider Chainguard has unveiled Chainguard Libraries for JavaScript, described as a collection of trusted, malware-resistant builds of thousands of common JavaScript dependencies.

The libraries, which are built from source on SLSA L2 (Supply-chain Levels for Software Artifacts) infrastructure, were introduced on September 25. At that level, builds run on a hosted build platform that generates signed provenance for each artifact, so consumers can verify where and how a package was produced rather than trusting whatever was uploaded to a public registry. By building each library and its dependencies from source in this way, Chainguard Libraries for JavaScript offers security and engineering teams confidence that malware has not been inserted during the build or distribution of libraries in the JavaScript ecosystem, according to Chainguard. That assurance covers the build and distribution steps; it does not by itself vouch for the upstream source code, so a malicious change committed to a project's repository would still be built faithfully. Chainguard said the offering eliminates a significant gap in the threat landscape.

The company said it was offering protection for one of the most critical and vulnerable parts of the software supply chain: the language dependencies developers rely on to build and deploy applications. Chainguard said the risk in the JavaScript ecosystem is not theoretical; in September, packages used by millions of developers were compromised by malicious code. These malware attacks against JavaScript registries like NPM, which developers download billions of times per week, demonstrate the risk of relying on traditional mechanisms for language library consumption, the company said. The company states the AI-fueled surge in JavaScript development presents more opportunities for attackers.

Chainguard Libraries for JavaScript integrates with artifact managers such as JFrog Artifactory and Sonatype Nexus to empower application security teams to close the security hole in the JavaScript ecosystem, said Chainguard. As part of its ongoing effort to combat malware injection at the build and distribution links of the open source supply chain, Chainguard said it is working to build every dependency for every JavaScript library from source. The company also has developed Chainguard Libraries for Java and Chainguard Libraries for Python.
