
NPM Supply Chain Breach Response for Anchore Enterprise and Grype Users

On September 8, 2025 Anchore was made aware of an incident in which a number of popular NPM packages were compromised to insert malware. The technical details of the attack can be found in the Aikido blog post: npm debug and chalk packages compromised

After an internal audit, Anchore determined no Anchore products, projects, or development environments ever downloaded or used the malicious versions of these packages.

Anchore Enterprise and Grype both use the GitHub Advisory Database as the source of vulnerability data for NPM packages. Since this database also carries advisories for malware packages such as these, both Anchore Enterprise and Grype will detect the malicious packages if they are present.

The databases used by Anchore Enterprise and Grype update automatically on a regular schedule. However, given the severity of this malware, users of Anchore Enterprise and Grype can update their feed database manually to ensure they are able to detect the malicious packages from this incident.

Grype users should run:

Which will download the updated vulnerability database.

Anchore Enterprise users can run:

Which will download the latest version of the vulnerability database.

Once the databases are updated, both Grype and Anchore Enterprise will identify the malware in question. You can verify that the vulnerability ID is present in your vulnerability dataset with the following API call:

And then you can locate affected artifacts by using reports:
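As an added example (not Anchore's or Grype's own code), the script below performs the report-side half of this check offline: it reads the JSON that a Grype scan produces and pulls out the artifacts belonging to the packages named in the incident, deduplicating repeated matches and listing the file paths where each one was found. It assumes the Grype JSON output layout (a top-level "matches" list whose entries carry a "vulnerability" object with an "id" and an "artifact" object with "name", "version", "type" and "locations"); the embedded report, its version strings and the GHSA-style advisory IDs are constructed placeholders, not values from the real advisory.

```python
"""Triage a Grype JSON report for npm packages named in a supply chain incident.

Added example, not Anchore's or Grype's own tooling. Assumes the Grype JSON
output layout: {"matches": [{"vulnerability": {"id": ...},
"artifact": {"name", "version", "type", "locations": [{"path"}]}}]}.
A real report comes from `grype <target> -o json` after `grype db update`.
"""
import json
import sys
from collections import OrderedDict

# Package names from the incident write-up; extend the watchlist from the
# advisory you are working from.
COMPROMISED_PACKAGES = {"debug", "chalk"}

# Constructed sample report, trimmed to the fields used here. The advisory IDs
# and versions are placeholders, not the real compromised releases.
SAMPLE_REPORT = json.dumps({
    "matches": [
        {
            "vulnerability": {"id": "GHSA-xxxx-xxxx-xxxx", "severity": "Critical"},
            "artifact": {"name": "chalk", "version": "1.2.3", "type": "npm",
                         "locations": [{"path": "/app/node_modules/chalk/package.json"}]},
        },
        {
            "vulnerability": {"id": "GHSA-yyyy-yyyy-yyyy", "severity": "Medium"},
            "artifact": {"name": "lodash", "version": "4.0.0", "type": "npm",
                         "locations": [{"path": "/app/node_modules/lodash/package.json"}]},
        },
        {   # duplicate match for the same artifact, as Grype can emit for
            # one package matched through several advisory namespaces
            "vulnerability": {"id": "GHSA-xxxx-xxxx-xxxx", "severity": "Critical"},
            "artifact": {"name": "chalk", "version": "1.2.3", "type": "npm",
                         "locations": [{"path": "/app/node_modules/chalk/package.json"}]},
        },
    ]
})


def load_matches(report_json):
    """Return the match list from a Grype JSON report string (empty if absent)."""
    return json.loads(report_json).get("matches", [])


def has_advisory(matches, advisory_id):
    """True when any match in the report references the given advisory ID."""
    return any(m.get("vulnerability", {}).get("id") == advisory_id for m in matches)


def find_compromised(matches, packages=COMPROMISED_PACKAGES, advisory_ids=None):
    """Return deduplicated findings for npm artifacts on the watchlist.

    A match qualifies when the artifact is an npm package whose name is in
    `packages`, or when its advisory ID is in `advisory_ids` (if given).
    Findings are keyed on (advisory, name, version) so repeated matches for
    one artifact collapse into a single entry with the union of its paths.
    """
    seen = OrderedDict()
    for m in matches:
        art = m.get("artifact", {})
        vuln_id = m.get("vulnerability", {}).get("id", "")
        if art.get("type") != "npm":
            continue
        by_name = art.get("name") in packages
        by_id = bool(advisory_ids) and vuln_id in advisory_ids
        if not (by_name or by_id):
            continue
        key = (vuln_id, art.get("name"), art.get("version"))
        entry = seen.setdefault(key, {"vulnerability": vuln_id,
                                      "name": art.get("name"),
                                      "version": art.get("version"),
                                      "paths": []})
        for loc in art.get("locations", []):
            path = loc.get("path", "")
            if path and path not in entry["paths"]:
                entry["paths"].append(path)
    return list(seen.values())


if __name__ == "__main__":
    # Read a real report from stdin, or fall back to the constructed sample.
    report = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_REPORT
    for f in find_compromised(load_matches(report or SAMPLE_REPORT)):
        print(f"{f['vulnerability']}  {f['name']}@{f['version']}  {', '.join(f['paths'])}")
```

Pipe a real scan into it with `grype dir:/path/to/app -o json | python3 triage.py`; an empty result after a fresh `grype db update` means none of the watchlisted packages matched an advisory in that target. Filtering on `advisory_ids` rather than package names is the safer query once you have the advisory IDs from the database, since it also catches a compromised package that was vendored under a different name.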

Timeline

[1830UTC] Anchore Enterprise and Grype start rebuilding the vulnerability databases to properly detect these malicious packages

[1930UTC] Anchore Enterprise vulnerability database is published

[2015UTC] Grype vulnerability database is published


*** This is a Security Bloggers Network syndicated blog from Anchore authored by Josh Bressers. Read the original post at: https://anchore.com/blog/npm-supply-chain-breach-response-for-anchore-enterprise-and-grype-users/


Josh Bressers

Josh Bressers is the Vice President of Security at Anchore, where he guides security features and serves as a public evangelist on topics like compliance, open source, and software supply chain security. With a career spanning over 20 years, Josh has a deep-rooted history in the open-source security community. Prior to Anchore, he built the product security team at Elastic and was an early member of the Red Hat Security Response Team, where he later founded the Product Security Team. Josh is a passionate contributor to the security community; he hosts both the "Open Source Security Podcast" and the "Hacker History Podcast." Josh is an active member of the OpenSSF, where he also co-leads the SBOM Everywhere project.
