
bcryptjs

registry: npm
package name: bcryptjs
maintainer: dcodeIO

bcryptjs is a pure JavaScript implementation of the bcrypt password hashing algorithm, used in Node.js applications to hash and verify user passwords. It is widely used in Node.js applications that implement their own user authentication. Its `compare` function receives the plaintext password submitted during login, before any hashing takes place.

api usage

Checking bcryptjs

bcryptjs 2.4.3 has no known supply chain compromise. The response returns `compromised: false` with an empty `sources` array and a `risk_state` of `none`.

```bash
curl "https://api.attestd.io/v1/check?product=bcryptjs&version=2.4.3" \
  -H "Authorization: Bearer YOUR_API_KEY"
```

```json
{
  "product": "bcryptjs",
  "version": "2.4.3",
  "supported": true,
  "risk_state": "none",
  "supply_chain": {
    "compromised": false,
    "sources": [],
    "malware_type": null,
    "description": null,
    "advisory_url": null,
    "compromised_at": null,
    "removed_at": null
  },
  "last_updated": "2026-05-01T00:00:00Z"
}
```

attack surface

Why this package is monitored

Password hashing library functions receive plaintext passwords from user login requests before hashing occurs. A backdoored version of the library sees the plaintext argument of every `compare(password, hash)` call before any cryptographic operation runs, so it can capture or exfiltrate credentials without breaking the hash or changing the login result.

Attestd monitors bcryptjs using the following detection sources:

registry

Manually curated advisories in the Attestd registry, verified by a human analyst. Confidence 1.0.

osv

OSV.dev malicious-package advisories with IDs prefixed MAL-. Confidence 0.95.

npm_deprecation

npm package versions whose deprecation message contains targeted attack language such as "malicious", "backdoor", or "compromised". Confidence 0.80.
