On September 8, 2025, Anchore was made aware of an incident in which a number of popular NPM packages were compromised to insert malware. The technical details of the attack can be found in the Aikido blog post: npm debug and chalk packages compromised
After an internal audit, Anchore determined no Anchore products, projects, or development environments ever downloaded or used the malicious versions of these packages.
Anchore Enterprise and Grype both use the GitHub Advisory Database to source vulnerability data for NPM packages. Since this database also includes advisories for malware packages such as these, both Anchore Enterprise and Grype will detect these malicious packages if they are present.
The databases used by Anchore Enterprise and Grype auto-update on a regular basis. However, given the severity of this malware, users of Anchore Enterprise and Grype can update their feed database manually to ensure they are able to detect the malicious packages from this incident.
Grype users should run:
$ grype db update
This downloads the updated vulnerability database.
Anchore Enterprise users can run:
$ anchorectl feed sync
This downloads the latest version of the vulnerability database.
Once the databases are updated, both Grype and Anchore Enterprise identify the malware in question. You can verify that the vulnerability ID is present in your vulnerability dataset with the following API call:
$ curl -u ${ANCHORE_USER}:${ANCHORE_PASS} -H "x-anchore-account: {account_context}" -X GET "$ANCHORE_URL/v2/query/vulnerabilities?id=GHSA-5g7q-qh7p-jjvm&page=1" -k
You can then locate affected artifacts by using reports.
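As an added example (not Anchore's code), the following script shows one way to confirm, after a database update, that a Grype scan actually surfaces the advisory above and to list the artifacts it was matched to. It reads the JSON that `grype dir:. -o json` emits; the embedded report and package versions are constructed placeholders, not the real compromised versions.

```python
import json
import sys

# Advisory ID quoted in the Anchore notice for the compromised npm packages.
ADVISORY_ID = "GHSA-5g7q-qh7p-jjvm"

# Constructed sample of Grype JSON output (shape of `grype dir:. -o json` after
# `grype db update`). Versions and the second advisory ID are placeholders.
SAMPLE_GRYPE_REPORT = json.dumps({
    "matches": [
        {
            "vulnerability": {"id": "GHSA-5g7q-qh7p-jjvm", "severity": "Critical"},
            "artifact": {
                "name": "debug", "version": "9.9.9-placeholder", "type": "npm",
                "locations": [{"path": "/app/node_modules/debug/package.json"}],
            },
        },
        {
            "vulnerability": {"id": "GHSA-0000-0000-0000", "severity": "Low"},
            "artifact": {
                "name": "some-other-pkg", "version": "1.0.0-placeholder", "type": "npm",
                "locations": [{"path": "/app/node_modules/some-other-pkg/package.json"}],
            },
        },
    ]
})


def find_advisory_matches(report_json: str, advisory_id: str = ADVISORY_ID) -> list[dict]:
    """Return every artifact in a Grype JSON report that matched advisory_id.

    Each hit carries the package name, version, ecosystem type and the file
    paths Grype attributed the package to, so the affected artifact can be found.
    """
    report = json.loads(report_json)
    hits = []
    for match in report.get("matches", []):
        if match.get("vulnerability", {}).get("id") != advisory_id:
            continue
        artifact = match.get("artifact", {})
        hits.append({
            "name": artifact.get("name"),
            "version": artifact.get("version"),
            "type": artifact.get("type"),
            "paths": [loc.get("path") for loc in artifact.get("locations", [])],
        })
    return hits


if __name__ == "__main__":
    # Read a real report from stdin (e.g. `grype dir:. -o json | python3 check.py`),
    # fall back to the constructed sample; exit non-zero if the advisory is present.
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_GRYPE_REPORT
    found = find_advisory_matches(data)
    for hit in found:
        print(f"{ADVISORY_ID}: {hit['name']}@{hit['version']} at {', '.join(hit['paths'])}")
    sys.exit(1 if found else 0)
```

A non-zero exit makes the check usable as a CI gate once the database has been refreshed.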
Timeline
[1830UTC] Anchore Enterprise and Grype start rebuilding the vulnerability databases to properly detect these malicious packages
[1930UTC] Anchore Enterprise vulnerability database is published
[2015UTC] Grype vulnerability database is published