Chainguard has launched a source code scanner that blocks open source packages it classifies as malware and “greyware”. It says the tool is already screening more than 100,000 packages a day.

The scanner is available for npm packages requested through Chainguard Libraries for JavaScript and has already blocked more than 52,000 packages identified as malware or greyware.

Chainguard uses the term greyware for open source packages that disclose their intended behaviour but still pose security risks many organisations would reject in a formal review. These can include tools for credential harvesting, command interception, persistent remote access and account fraud automation.

The launch reflects broader concern in software security over the growth of risky dependencies in public registries. Security teams have long focused on malware hidden inside code packages, but Chainguard argues that another category is slipping through because the software openly states what it does and can avoid conventional malware detection.

In its current setup, the scanner reviews packages before they are added to the Chainguard Libraries catalogue rather than waiting until a customer requests them. It examines maintainer behaviour, package contents, publishing signals and the behaviour of installation scripts in a sandboxed environment.

That includes unusual account activity, changes in release history, obfuscated code, suspicious domains, differences between source code and published packages, and scripts that try to contact external servers or access local files. Packages are then marked as malicious, escalated for review by a security engineer, or cleared for use.

Chainguard says the volume of software being generated and adopted through AI-assisted development is making manual dependency checks less realistic. It argues that developers often rely on indicators such as download numbers, repository activity or autocomplete suggestions rather than reading package documentation or reviewing source code in detail.

The company also pointed to a wider industry backdrop in which supply chain attacks remain a significant issue, citing figures showing that 65% of organisations said they experienced a supply chain attack in the past year.

Examples found

Among the examples identified on npm was leobot-cli, which Chainguard described as an account fraud automation tool. The package advertises itself as a command-line bot for registering Canva and Leonardo accounts and includes a command to generate fake accounts and inject a Chrome extension for session injection and token monitoring.

Another package, @robinpath/cloud-cli, was described as software that creates a permanent backdoor from a machine to a third-party server and waits for commands to run. It is presented as a command-line tool for an AI assistant that reads code, creates files, executes commands and builds scripts.

Chainguard also highlighted noesis-miner, which it said reads Solana keypairs from disk and runs persistent mining loops. The package is presented as an AI-agent-mined token protocol for Solana.

It identified drogonclaw as a hacking toolkit that includes open source intelligence functions, network scanning, exploit execution and remote mobile control. The package advertises itself as an autonomous AI pentest framework.

A fifth example, chrome-tool, was described as a Chrome credential-harvesting extension. According to Chainguard, the package exports modules designed to extract passwords, cookies, credit card information and autofill data.

Several of these packages remain available for download on npm and have each recorded thousands of downloads, Chainguard said. Some had also passed what it described as a typical seven-day cooldown period, a delay often used by software security products before treating a package as established.

Scanner design

The scanner sits inside Chainguard Repository and is intended to add another layer of review on top of existing checks such as building from source and cooldown periods. The aim is to reduce the risk of malicious or risky software being cached inside internal systems before it is flagged.

Ross Gordon, Staff Product Marketing Manager, and Evan Gibler, Staff Security Engineer at Chainguard, described the rationale for the product in a joint comment: “Malware has become a serious industry problem: 65% of organizations said they experienced a supply chain attack last year, let alone in 2026. However, there hasn’t been much emphasis on packages that do exactly what their README says, pass malware scans, but act in ways no CISO would ever approve. We call those packages greyware.”

Protection is currently in place for npm packages requested through Chainguard’s JavaScript library service, with additional language ecosystems due to be added later. Chainguard says the scanner is already protecting all packages served through its upstream fallback to npm and has blocked more than 52,000 malware and greyware packages.

KPMG has published a global study linking stronger AI transformation results to trust and governance. The survey covered more than 1,750 senior leaders across 20 countries.

The findings highlight a gap between rising AI adoption and broader business results. Many organisations are expanding AI use in specific functions without changing the wider operating model needed to turn those efforts into enterprise-level gains.

While 58 per cent of leaders consider enterprise-wide systems, processes, people and technology critical to transformation, only 12 per cent said their organisations deliver them effectively. The study also found that risk-led transformation produced the strongest performance improvement, at 14 per cent.

Workforce readiness emerged as another weak point. While 75 per cent of respondents expect benefits from humans and AI working together, only 19 per cent reported having a workforce ready for that shift.

Risk concerns were widespread, but integration remained limited. Nearly three in four respondents cited risk, security and privacy as major concerns, yet only 24 per cent said those issues are embedded in strategy and technology.

Measurement was also patchy. Just 28 per cent of organisations track operational or revenue outcomes linked to trusted AI, suggesting many still rely on adoption rates, qualitative signals or no formal measurement at all.

Operating model gap

The research argues that AI deployments often remain confined to individual use cases and are not fully tied to decision-making or end-to-end workflows. In that environment, productivity gains may appear in isolated parts of a business without translating into sustained organisation-wide improvements.

Legacy structures are part of the problem. Many businesses still operate with models built for stability rather than constant adaptation, making it harder to coordinate change across multiple teams and systems.

Adrian Clamp made that point in comments accompanying the research.

“Real value from AI requires operating as an intelligent enterprise – aligning strategy, decisions, and execution. Yet, most organizations have not redesigned themselves to do so, with complexity rising faster than performance. As a result, many risk scaling AI without delivering sustained enterprise impact or meaningful returns,” said Adrian Clamp, Global Head of Consulting Strategy & Investment, KPMG International.

Governance divide

The strongest performers were more likely to treat trust and AI governance as part of day-to-day operations rather than as a separate compliance exercise. The study linked that approach to better outcomes in areas including innovation, investment capacity and stakeholder trust.

Only a minority have taken that route. Most organisations still rely on reactive, siloed or partly integrated approaches to AI risk management.

Samantha Gloede said the issue goes beyond technical oversight.

“Trust is no longer a safeguard; it is a prerequisite for performance. As transformation scales across interconnected systems, organizations must be able to rely on decisions, not just data. That confidence is built through how risk is governed, managed, and embedded into execution. When it is, transformation can be directed, aligned, and scaled. When it is not, it fragments under its own complexity,” said Samantha Gloede, Global Head of Risk Services and Trusted AI Leader, KPMG International.

Broader shift

The study frames the findings as part of a wider change in how businesses compete. Rather than judging success by the number of transformation projects, it suggests organisations are increasingly being tested on whether they can coordinate change across the whole business.

KPMG described this as enterprise orchestration: the ability to align priorities, connect execution and manage trade-offs continuously across different parts of the organisation. The data suggests that without that coordination, AI investment may increase activity without producing equivalent returns.

The survey spanned sectors including technology, financial services, healthcare and manufacturing, indicating that the issues identified are not limited to a single industry. Across responses, a common theme emerged: AI adoption is moving faster than organisational redesign, leaving many companies with more complexity but not necessarily stronger performance.

One of the starkest findings was the contrast between ambition and readiness: 75 per cent of leaders expect gains from human and AI collaboration, but only 19 per cent say their workforce is ready.

Diamond Logistics said its eCommerce volumes grew faster than internal forecasts in the first five months of the year, running 15% above expectations.

The UK fulfilment and same-day delivery group had expected monthly growth of about 10%, but results from January to May exceeded that level despite pressure across the wider retail sector. Diamond Logistics operates more than 35 fulfilment sites across the UK.

The figures come as retailers and logistics groups assess the impact of weaker consumer confidence, higher household costs and geopolitical instability on spending. Warehouse utilisation remained strong going into the third quarter, with goods continuing to move steadily through the network and no noticeable drop in demand for either essential or non-essential categories.

Industry data has been mixed. The British Retail Consortium reported that retail sales rose 3.7% year on year in May, the strongest increase since April 2025.

At the same time, the International Monetary Fund upgraded its UK growth forecast to 1% for 2026 while warning that geopolitical instability and domestic uncertainty could still weigh on activity through higher energy and food prices. The GfK Consumer Confidence Barometer also fell by four points in April to its lowest level since autumn 2023 before recovering by two points.

Consumer demand

Kate Lester, Chief Executive Officer and Founder of Diamond Logistics, said the company was seeing firmer demand than some economic indicators suggest.

“There’s no question the UK economy is under pressure right now, particularly with ongoing instability in the Middle East feeding through into energy markets, which could lead to a temporary spike in inflation and a rise in interest rates.

“We’re already seeing the impact of rising fuel costs, and that always has a knock-on effect across the supply chain and consumer spending. Fears that prices will rise can hit household finances, leaving retailers to operate in a far more cautious and price-sensitive environment that naturally translates into a dip in sales over time.

“But what we’re seeing on the ground is that consumer behaviour is holding up much better than some of the headlines would suggest. That’s reflected not only in the growth we’re achieving but also in fulfilment volumes, which remain strong across our nationwide network. Goods are still moving, and demand hasn’t fallen away in the way people might expect in this kind of climate,” said Kate Lester, Chief Executive Officer and Founder of Diamond Logistics.

Her comments suggest a more mixed picture for consumer demand than broad confidence measures alone indicate. For logistics operators, order flow and warehouse occupancy can offer an early read on actual spending patterns.

Diamond’s business spans fulfilment, inventory management and last-mile delivery, placing it close to the day-to-day movement of online retail orders. That makes its trading performance a useful indicator of whether consumers are still buying routine and discretionary items even as budgets remain under strain.

Spending shifts

Lester said the business had repeatedly seen shoppers change what they buy rather than stop spending altogether during more difficult periods.

“In the last six years we’ve faced Covid, a succession of wars, persistent inflationary pressure and ongoing uncertainty around interest rates. As a result, people have become much more accustomed to an environment where things don’t necessarily feel stable.

“We’ve also been around for much longer than six years, and the pattern we’ve seen over time, especially during periods of economic uncertainty, is that although consumers might pull back on bigger-ticket purchases, they still allow themselves smaller, more affordable treats that feel manageable.

“While that shift could be one reason our volumes remain strong, I think consumers are generally becoming more resilient. Rather than stopping spending altogether when times are tougher and budgets are squeezed by rising essential costs such as bills, their spending habits often just adapt slightly,” said Lester.

That view aligns with a pattern seen across parts of retail in recent years, where consumers have traded down on some purchases while maintaining spending on lower-cost items and convenience-led buying. For fulfilment groups, that can still translate into steady parcel volumes even when demand for larger discretionary purchases softens.

Diamond’s update also points to the continued importance of operational efficiency in logistics as retailers look to manage costs in a more price-sensitive market. Rising fuel prices and broader supply chain pressures can squeeze margins even when volumes remain stable.

The company was founded in 1992 and has built a national fulfilment network serving eCommerce merchants across the UK. Its latest figures indicate that, for now, online order volumes have remained steady even as the broader economic backdrop remains uncertain.