By Darryl K. Taft,Frederic Lardinois

Copyright thenewstack

Chainguard is expanding its supply chain security platform with the launch of Chainguard Libraries for JavaScript, a collection of thousands of JavaScript dependencies rebuilt from source to eliminate malware injection risks.

The company announced the closed beta today, accelerating its timeline in response to recent security incidents affecting the JavaScript ecosystem, Patrick Donahue, Chainguard’s SVP of Product, told The New Stack.

Multiple malware attacks hit popular npm packages in recent weeks, causing some companies to freeze development while they figure out their exposure.

“We’re essentially bypassing that whole portion where attacks typically happen,” Donahue said who joined the company three weeks ago from Cloudflare. “It’s never been done before at this scale. It’s such a big effort, but that’s why our customers are looking to us.”

Recent Attacks Highlight JavaScript Risks

The announcement comes amid heightened concern over JavaScript supply chain security. Multiple malware attacks in recent weeks compromised popular npm packages used by millions of developers, prompting some companies to halt development entirely while they assess their exposure, said Donahue.

The attacks exploited a fundamental weakness: JavaScript packages from npm often get bundled and redistributed to users’ computers, so one bad dependency can sink an entire application.

“The challenging thing about JavaScript in particular is it gets redistributed,” Donahue explained. “You might have 1,000 libraries that you’re using, but if any one of them is compromised, it can cause a problem with your entire application.”

Some of the recent attacks got creative, deploying malware that would scan infected systems for AI development tools and use them to gather secrets and spread further.

Donahue used an aviation analogy to illustrate the vulnerability.

“I’m about to fly on an Airbus A380. That plane’s got 4 million different parts, 1,500 suppliers, 30 different countries. If any one of those parts is the wrong part, or an important part goes bad, the plane’s coming down,” he said. “Software is obviously kind of very similar to that.”

Source-Built Approach

Chainguard’s approach cuts out the risky middle step. Instead of trusting pre-built packages, they grab source code directly from GitHub and rebuild everything on secure infrastructure.

“The stuff that ends up on npm are typically built by somebody and then published by a whole bunch of people,” Donahue explained. “Individual developers will download them or write them and then push them up. And that’s kind of the attack vector — it’s not the source code in the repository on GitHub that’s typically affected. It’s once it’s on their machine and pushed into npm.”

What Chainguard is providing, he said, is like having “one supplier that could guarantee the parts were authentic and tamper-resistant and delivered to them without anybody changing them on the way there.”

It’s a massive undertaking. Rather than trying to rebuild every JavaScript package immediately, Chainguard is starting with the most popular libraries and expanding based on what customers need. Donahue acknowledged the scale of the undertaking when he said a customer recently told them, “Wait, let me get this right. You’re going to build everything from source, upstream, like that’s an enormous effort. And we said, yes, it is.”

“You can go about this and kind of boil the ocean and do every last package, or you can focus on the packages used by the customers that are ready to get going with you,” Donahue said.

The company is using AI agents to speed up the rebuilding process, letting human developers manage multiple automated tasks at once, he said.

Growing Market Concern

The JavaScript problem keeps getting bigger. It’s still among the most popular programming languages — surveys show 69% of professional developers use it heavily. AI coding tools have made it even easier to spin up JavaScript applications, often by developers who don’t think much about security. Gartner predicts the cost of supply chain attacks will triple from $46 billion in 2023 to $138 billion by 2031. The firm expects 85% of large companies will deploy supply chain security tools by 2028.

Enterprise Demand

Companies are lining up for access to Chainguard’s JavaScript offering. Some have put development on hold while they wait. Some customers have reportedly suspended development work until they can implement more secure dependency management.

“We expect that list to grow quite a bit later this week, because everyone has been asking us for it,” Donahue said. Some early customers are “so worried about this, they’re saying we are pulling the plug until we can get something like this in place.”

Donahue’s move to Chainguard was motivated by what he calls “unfinished business” from his time at Cloudflare. “There’s only so much you can do at the network layer or the web request layer, because you can block an attack, but an attacker is going to find a way around it, and if you’re running a vulnerable library, it’s game over,” he said. “That’s just a race that we couldn’t win.”

At Chainguard, Donahue said he sees an opportunity to “secure companies from the inside out. I love building security products for developers. It’s kind of that intersection where I work with CTOs, I work with CSOs, and if you can essentially satisfy both of them, we’re in a really privileged position to transform the market.”

“The thing about security is, you become a trusted vendor, and people want to do more with you,” Donahue said. “We’ve established this incredible goodwill and trust with our customers.”

For developers, Chainguard positions the service as a productivity enhancement rather than a security burden. The libraries integrate with existing artifact managers and development workflows, requiring no changes to how applications are built and deployed.

“The pitch for developers is it’s a productivity game for them,” Donahue explained. “They don’t have to worry about where the libraries are coming from if they’re getting them from us. And then security teams are happy, because they know it’s a trusted source.”

The closed beta launches with an initial set of commonly used JavaScript libraries, with coverage expanding based on customer feedback and demand.