Securing the software supply chain: How distroless containers defend against npm malware attacks

The wake-up call: npm ‘is’ package compromise Why traditional containers failed Distroless: Security through minimalism Taking distroless further: Secure, minimal containers for cloud native workloads Measurable impact Why it matters Bottom line Posted on October 30, 2025 by Dhanush VM, CleanStart In July 2025, the npm package “is” —downloaded millions of times each week—was quietly hijacked. A simple phishing email to its maintainer opened the door for attackers to inject malicious code into the software supply chain, embedding backdoors into thousands of downstream applications. This incident is more than a one-off breach; it’s a warning shot for the entire open source ecosystem. Even trusted dependencies can become vectors for sophisticated supply-chain attacks. As development pipelines grow increasingly automated, traditional defenses are no longer enough. To stay secure, organizations must rethink the foundation of their containers themselves. That’s where distroless containers come in—stripping away unnecessary components to eliminate entire classes of vulnerabilities before they can be exploited. Traditional containers are built like miniature operating systems. They include shells, package managers, network tools, and other system utilities — many of which are unnecessary for the application but are ideal targets for attackers. When the malicious ‘is’ package was executed in these environments, it had access to tools to download more payloads, connect to remote servers, and persist in the system. In essence, developers unintentionally shipped a hacker’s toolkit into production. Distroless containers flip this paradigm by including only the essentials required to run an application — nothing more.