Articles in this section

September 2025 NPM Malware incident

We are aware of the ongoing NPM malware attacks. Anchore Enterprise will flag any known malicious packages as vulnerable

 

On September 8, 2025 Anchore was made aware of an incident involving a number of popular NPM packages to insert malware. The technical details of the attack can be found in the Aikido blog post: npm debug and chalk packages compromised

After an internal audit, Anchore determined no Anchore products, projects, or development environments ever downloaded or used the malicious versions of these packages.

Anchore Enterprise and Grype both use the GitHub Advisory Database to source the vulnerability data for NPM packages. Since this database also includes malware packages such as this, both Anchore Enterprise and Grype will detect these malware packages if they are present. The databases used by Anchore Enterprise and Grype will auto update on a regular basis.

For Anchore Enterprise users, you can verify the vulnerability ID is found in your vulnerability dataset with the following API call:

curl -u ${ANCHORE_USER}:${ANCHORE_PASS} -H 'x-anchore-account: {account_context} -X 'GET' "$ANCHORE_URL/v2/query/vulnerabilities?id=GHSA-5g7q-qh7p-jjvm&page=1" -k

and then you can locate affected artifacts by using the reports feature of Anchore Enterprise:

Users can also use the by-package API endpoint to query images for a certain package and version:

curl -u admin:foobar -X 'GET' "$ANCHORECTL_URL/v2/query/images/by-package?name=error-ex&version=1.3.3" -k
Was this article helpful?
0 out of 0 found this helpful