Chainguard Libraries FAQ

Frequently asked questions and answers for Chainguard Libraries users

What security issues can Chainguard Libraries prevent?

As detailed on the background and introduction pages, Chainguard Libraries are built directly from source in the Chainguard Factory and the resulting binaries are directly provided to you by Chainguard. Chainguard operates the whole supply chain for the package lifecycle as one reliable, secure partner. You can therefore avoid issues from the following software supply chain attack surface points:

Build pipeline
Build system
Dependency injection
Bypass of CI/CD systems
Library distribution
Library consumption

More information about these stages in the software supply chain is available on the Supply chain Levels for Software Artifacts (SLSA) website.

The following examples are issues, attacks, and compromises that affect stages of the software supply chain for libraries across different language ecosystems:

Malicious GlueStack Packages

This May 2025 attack uploaded compromised packages to PyPI and npm that enable remote shell access and uploading files to compromised machines
Chainguard Libraries would have protected against this attack. First, the packages have invalid upstream source URLs so there was no source repository. In the case of the lone exception (a package with a valid source repository link), no code was present for Chainguard to build a valid package.

The Hacker News blog post on the attack

Ultralytics Python project

Attackers compromised the GitHub Actions workflows for the Ultralytics repository, injecting malware into PyPI package releases.
Attackers pushed out four malicious versions of the Ultralytics YOLO project over the course of a week (8.3.41, 8.3.42, 8.3.45, 8.3.46).
Ultralytics YOLO is a widely-used fast object detection neural network library downloaded about five million times per month. Users affected during this period were infected with cryptomining malware.
Chainguard Libraries would have prevented this attack by building the project from clean source. No source code was modified by attackers during this incident.
See also PyPI attack analysis and bleepingcomputer blog post.

Lottie Player

Hackers gained access to the NPM registry by compromising a developer authentication token.
Token used to upload a compromised version of Lottie Player.
The malicious package drained crypto wallet funds.
Chainguard Libraries would have prevented this attack by building the project from clean source. No source code was modified by attackers during this incident.
See also npm package Lottie-Player compromised in supply chain attack, Nov 2024.

MavenGate

MavenGate is a proof of concept for exploiting abandoned Java library domains.
Vulnerabilities in Maven dependency management allow unauthorized package replacements.
All Java build tools using Maven repositories, including Maven, Gradle, and Ant, could be affected.
MavenGate relied on the use of multiple repositories and any attack with the proposed mechanism would not publish source code. Chainguard Libraries use replaces other repositories and the use of Chainguard Libraries, based on building from the original source, would have prevented an attack using this approach
See also The Hacker News article, Oversecured blog post, and Sonatype’s take as Maven Central operator.

XZ Utils backdoor

Example of a supply chain attack leveraging social engineering by a patient actor
Sophisticated backdoor that had remote code execution capability and the potential to affect many systems
Vulnerability was patched within hours of disclosure by reverting to a previous version known to be safe.
Malicious source tarball and binaries were distributed successfully, but source code repository was not compromised.
Since no source code was compromised, a similar attack on a protected library ecosystem would be prevented by Chainguard Libraries
XZ Utils is written in C and therefore not available as an ecosystem protected by Chainguard Libraries. However, Chainguard Containers include XZ Utils packages. These are also built from source and are not affected.
See also Wikipedia article and official page from the XZ data compression.

Other examples and resources

The following links provide details for other software supply chain attacks. Depending on the exact details some of these attacks and approaches are prevented by use of Chainguard Libraries.

Find pointers to further resources in the Software supply chain reading list.

Does Chainguard Libraries for Java include CVE remediation fixes?

Short answer:

No. Libraries are built from source code in the secured and hardened Chainguard infrastructure. This eliminates any build and distribution stage vulnerabilities.

More details:

Chainguard cannot patch Java libraries and create binaries with the same identifier because the complete behavior and API surface of every library affects the use. That use however is part of the application development of each customer. It varies widely and any change potentially creates incompatibilities, different behavior or even new security issues.

Chainguard collaborates with many upstream projects and can collaborate with customers to increase and accelerate the creation and adoption of fixes and the work towards new releases.

Importantly, over 95% of all known vulnerable components have a fixed version available and, by adopting those newer versions in your application, you can remediate most CVEs. Chainguard Libraries for Java includes those newest versions and adds the build and distribution channel security.

What are Chibbies?

Chibbies is the internal codename for the Chainguard Libraries. It evolved from Chainguard Libraries being shortened to Chainguard Libbies, and then finally to Chibbies.

Last updated: 2025-03-25 08:04