As AI coding assistants and autonomous agents dramatically accelerate software development, they’re introducing a security problem that most organizations aren’t prepared for: dependency sprawl at machine speed.
Chainguard CEO Dan Lorenc tells The New Stack that coding agents have a blind spot. Their training data is typically a year or more out of date, which means when they reach for a library, they default to older, often insecure versions — not because they’re careless, but because that’s what they know. And as more and more production code gets written by agents, that pattern compounds fast.
“When you ask an agent to generate code, its training window is usually a year old,” says Lorenc. “So, it defaults to older versions of all these libraries, because that’s what it’s trained on. You can have agents update code, but it takes a lot more time and care than people trying to go faster.”
Meanwhile, Lorenc says attackers are increasingly using AI themselves — not to accidentally write vulnerable packages, but to find and exploit misconfigurations at a scale and speed that would take a human researcher days.
A recent breach of the Trivy project, a vulnerability scanner from Aqua, illustrated the threat, he said. Attackers deployed agents to systematically identify known misconfigurations across dozens of GitHub organizations, automating what would otherwise have been hours of manual digging.
“There was a big breach of the Trivy project a few weeks ago,” Lorenc says. “Attackers compromised dozens of other GitHub organizations just by having agents go and find these known misconfigurations. It takes a human maybe seven hours of working and digging. We’re seeing a lot more AI-enabled attacks.”
Nearly 455,000 malicious packages flooded npm, PyPI, and Maven Central in 2025 alone, according to Sonatype’s annual software supply chain report. The average container carries more than 600 known CVEs, and 89% of container images in production contain known vulnerabilities, Chainguard says.
To address the problem, Chainguard on Tuesday announced Chainguard Repository, a unified, secure-by-default repository for open source artifacts. The product gives developers — and the AI agents writing code alongside them — a single, governed endpoint for pulling open-source libraries, containers, OS packages, and virtual machines, with configurable security policies enforced at the point of consumption, Lorenc said.
Starting today, Chainguard Repository is available in production for JavaScript, giving customers access to more than 70,000 Chainguard-built npm packages. Those libraries are built in an SLSA Level 3-compliant environment and eliminate 99.7% of malware by design. For packages served from the upstream npm registry as a fallback, a seven-day cooldown policy filters out malware that the broader research community identifies during that window.
However, the cooldown policy has its limits, Lorenc says. The approach, which originally surfaced in Snyk research showing that waiting a week sidesteps most malware, faces a structural problem: if everybody adopts it, attackers simply adjust their timelines.
“If everyone does that, then it becomes less effective, and you have to wait even longer,” Lorenc tells The New Stack. “And sometimes you need software before that. If there’s a critical CVE in something, you can’t be waiting seven days for a new version. You’re being chased by one bear while trying to catch another one.”
Organizations dealing with a critical CVE in a production dependency can’t always wait a week for a patched version. Chainguard’s answer is configurable exceptions that let security teams bypass the cooldown for critical fixes while maintaining the default posture everywhere else.
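To make the cooldown-plus-exception policy described above concrete, here is an added example (not Chainguard's code, and not from the article) of how a registry proxy could evaluate it. It assumes package metadata shaped like an npm packument's `time` map (version to ISO publish timestamp), a constructed package called `example-lib`, and a constructed exception list with a placeholder CVE id.

```javascript
// Cooldown policy check over npm-style package metadata (added example, not Chainguard's code).
// Assumption: metadata mirrors the npm registry packument "time" map, which also carries
// non-version keys "created" and "modified" that must be skipped.
const COOLDOWN_DAYS = 7;
const DAY_MS = 24 * 60 * 60 * 1000;

// Constructed sample packument for a hypothetical package.
const SAMPLE_PACKUMENT = {
  name: "example-lib",
  "dist-tags": { latest: "2.3.1" },
  time: {
    created: "2025-12-01T10:00:00.000Z",
    modified: "2026-01-14T18:00:00.000Z",
    "2.2.0": "2025-12-01T10:00:00.000Z",
    "2.3.0": "2026-01-10T09:30:00.000Z",
    "2.3.1": "2026-01-14T18:00:00.000Z",
  },
};

// Constructed exception: a security team approved 2.3.1 early because it fixes a critical CVE.
const SAMPLE_EXCEPTIONS = [
  { name: "example-lib", version: "2.3.1", reason: "critical CVE fix (CVE-XXXX-XXXXX placeholder)" },
];

// Decide whether one version may be served right now. "now" is passed in so the check is deterministic.
function evaluateCooldown(packument, version, now, exceptions = [], cooldownDays = COOLDOWN_DAYS) {
  const published = packument.time ? packument.time[version] : undefined;
  if (!published) return { allowed: false, reason: "unknown-version" };
  const ageDays = (now.getTime() - Date.parse(published)) / DAY_MS;
  // A publish date in the future means clock skew or tampered metadata: fail closed.
  if (ageDays < 0) return { allowed: false, reason: "published-in-future" };
  if (ageDays >= cooldownDays) return { allowed: true, reason: "cooldown-elapsed" };
  const exc = exceptions.find(e => e.name === packument.name && e.version === version);
  if (exc) return { allowed: true, reason: "exception:" + exc.reason };
  return { allowed: false, reason: "in-cooldown" };
}

// Newest version (by publish date) that passes policy: what a proxy would serve for "latest".
function resolveLatestAllowed(packument, now, exceptions = [], cooldownDays = COOLDOWN_DAYS) {
  const versions = Object.keys(packument.time)
    .filter(v => v !== "created" && v !== "modified")
    .filter(v => evaluateCooldown(packument, v, now, exceptions, cooldownDays).allowed)
    .sort((a, b) => Date.parse(packument.time[b]) - Date.parse(packument.time[a]));
  return versions.length ? versions[0] : null;
}
```

Without the exception the proxy falls back to the 46-day-old 2.2.0 even though upstream's `latest` tag points at 2.3.1; with the exception the critical fix is served immediately while every other fresh version stays held.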
The governance use case extends beyond security. Lorenc notes that as Chainguard’s library coverage has grown, some customers are now using policy controls simply to manage the sheer volume of available packages — not for security reasons, but for engineering discipline.
“We have a lot of customers where we now have so many libraries that it’s actually too many, and they want to be able to control which ones developers are getting,” Lorenc says. “Maybe you don’t need 17 different database clients or 32 different date-time parsers.”
Chainguard is looking ahead to an era when neither developers nor their AI tools can be expected to make safe dependency choices on their own. Chainguard Repository can replace or integrate with existing artifact managers like Artifactory, Cloudsmith, and Nexus, and complement SCA scanning tools like Snyk and Sonatype that identify vulnerabilities but don’t provide clean versions.
“This is a single point where you can point all of your clients directly, and we’ll control what’s going in there,” Lorenc says. “You can set whatever policies you need.”
As Chainguard’s AI-powered Factory rebuilds more packages from source, the security posture of organizations using the repository improves automatically with no configuration changes or code updates required. Lorenc says he sees this as the key architectural shift: rather than scanning for problems after the fact, security is enforced at the point of consumption.
Lorenc also called out AI skill hijacking as an emerging threat vector that the industry is only beginning to see. While MCP hijacking remains early-stage, attacks on AI skill ecosystems — platforms like skills.sh where agents pull tools dynamically at runtime — are already happening at scale.
“We see a lot of skill hijacking with AI skills now,” Lorenc says. “These tools pull down whatever tools they feel like at runtime if you’re deploying them insecurely. There was a big attack on the skills ecosystem a few weeks ago for OpenClaw. That’s how people share OpenClaw workflows.”
Later this year, Chainguard Repository will expand to Python and Java libraries, container images, OS packages, and virtual machines. Additional policy controls planned for release include CVE blocking to prevent artifacts with known critical vulnerabilities from being pulled, license enforcement to restrict artifacts to approved licenses, and end-of-life prevention to reject unmaintained dependencies before they enter production. Chainguard Repository is available now.