What security issues can Chainguard Libraries prevent?
As detailed on the background and
introduction pages, Chainguard
Libraries are built directly from source in the Chainguard Factory and the
resulting binaries are directly provided to you by Chainguard. Chainguard
operates the whole supply chain for the package lifecycle as one reliable,
secure partner. You can therefore avoid issues from the following software
supply chain attack surface points:
The following examples are issues, attacks, and compromises that affect stages
of the software supply chain for libraries across different language ecosystems:
Malicious GlueStack Packages
This May 2025 attack uploaded compromised packages to PyPI and npm that enable remote shell access and uploading files to compromised machines
Chainguard Libraries would have protected against this attack. First, the packages have invalid upstream source URLs so there was no source repository. In the case of the lone exception (a package with a valid source repository link), no code was present for Chainguard to build a valid package.
Attackers compromised the GitHub Actions workflows for the Ultralytics repository, injecting malware
into PyPI package releases.
Attackers pushed out four malicious versions of the Ultralytics YOLO project over the course of a week (8.3.41, 8.3.42, 8.3.45, 8.3.46).
Ultralytics YOLO is a widely-used fast object detection neural network library downloaded about five million times per month. Users affected during this period were infected with cryptomining malware.
Chainguard Libraries would have prevented this attack by building the project from clean source. No source code was modified by attackers during this incident.
Hackers gained access to the NPM registry by compromising a developer authentication token.
Token used to upload a compromised version of Lottie Player.
The malicious package drained crypto wallet funds.
Chainguard Libraries would have prevented this attack by building the project from clean source. No source code was modified by attackers during this incident.
MavenGate is a proof of concept for exploiting abandoned Java library domains.
Vulnerabilities in Maven dependency management allow unauthorized package replacements.
All Java build tools using Maven repositories, including Maven, Gradle, and
Ant, could be affected.
MavenGate relied on the use of multiple repositories and any attack with the
proposed mechanism would not publish source code. Chainguard Libraries use
replaces other repositories and the use of Chainguard Libraries, based on
building from the original source, would have prevented an attack using this approach
Example of a supply chain attack leveraging social engineering by a patient actor
Sophisticated backdoor that had remote code execution capability and the potential to affect many systems
Vulnerability was patched within hours of disclosure by reverting to a
previous version known to be safe.
Malicious source tarball and binaries were distributed successfully, but
source code repository was not compromised.
Since no source code was compromised, a similar attack on a protected library ecosystem
would be prevented by Chainguard Libraries
XZ Utils is written in C and therefore not available as an ecosystem protected by Chainguard Libraries. However, Chainguard Containers include XZ Utils packages. These are also built
from source and are not affected.
The following links provide details for other software supply chain attacks.
Depending on the exact details some of these attacks and approaches are
prevented by use of Chainguard Libraries.
Does Chainguard Libraries for Java include CVE remediation fixes?
Short answer:
No. Libraries are built from source code in the secured and hardened Chainguard
infrastructure. This eliminates any build and distribution stage
vulnerabilities.
More details:
Chainguard cannot patch Java libraries and create binaries with the same
identifier because the complete behavior and API surface of every library
affects the use. That use however is part of the application development of each
customer. It varies widely and any change potentially creates incompatibilities,
different behavior or even new security issues.
Chainguard collaborates with many upstream projects and can collaborate with
customers to increase and accelerate the creation and adoption of fixes and the
work towards new releases.
Chibbies is the internal codename for the Chainguard Libraries. It evolved from
Chainguard Libraries being shortened to Chainguard Libbies, and then finally to
Chibbies.