52,000 packages passed every security check. Chainguard blocked them anyway.
Open-source packages are supposed to fail security scans if they're dangerous. Chainguard has found 52,000 that don't — and says that's the whole problem. The company launched a new source code scanner this week that catches what it's calling "greyware": packages that pass every existing scan on the market, do exactly what they advertise, and still export your credentials, harvest your API keys, or establish a permanent backdoor to a third-party server. "Frank in finance is not a coder. He's ...