Software supply chain security provider Chainguard has unveiled Chainguard Libraries for JavaScript, described as a collection of trusted, malware-resistant builds of thousands of common JavaScript dependencies.
The libraries, introduced on September 25, are built from source on SLSA L2 (Supply-chain Levels for Software Artifacts, level 2) infrastructure. By securely building each library and its dependencies from source, Chainguard Libraries for JavaScript gives security and engineering teams confidence that malware has not been inserted during the build or distribution of libraries in the JavaScript ecosystem, according to Chainguard. This eliminates a significant gap in the threat landscape, Chainguard added.
The company said it was offering protection for one of the most critical and vulnerable parts of the software supply chain: the language dependencies developers rely on to build and deploy applications. Chainguard said the risk in the JavaScript ecosystem is not theoretical; in September, packages used by millions of developers were compromised by malicious code. These malware attacks against JavaScript registries such as npm, from which developers download packages billions of times per week, demonstrate the risk of relying on traditional mechanisms for consuming language libraries, the company said. The company also said the AI-fueled surge in JavaScript development presents more opportunities for attackers.