Hono

registrynpm

package namehono

maintainerHono Contributors

Hono is a lightweight, ultra-fast web framework for edge runtimes (Cloudflare Workers, Deno Deploy, Bun) as well as Node.js. It is used in serverless API handlers, reverse proxies, and edge middleware. Its small footprint and multi-runtime support have made it popular for AI API proxying.

api usage

Checking Hono

hono 4.6.0 is a clean version with no known supply chain compromise. The response returns compromised: false with an empty sources array.

bash

curl "https://api.attestd.io/v1/check?product=hono&version=4.6.0" \
  -H "Authorization: Bearer YOUR_API_KEY"

json

{
  "product": "hono",
  "version": "4.6.0",
  "supported": true,
  "risk_state": "none",
  "supply_chain": {
    "compromised": false,
    "sources": [],
    "malware_type": null,
    "description": null,
    "advisory_url": null,
    "compromised_at": null,
    "removed_at": null
  },
  "last_updated": "2026-05-01T00:00:00Z"
}

attack surface

Why this package is monitored

Edge runtime frameworks process HTTP requests in environments with limited logging and observability. A backdoored version running on an edge worker can intercept all traffic routed through the worker without generating server-side logs.

Attestd monitors hono using the following detection sources:

registry

Manually curated advisories in the Attestd registry, verified by a human analyst. Confidence 1.0.

osv

OSV.dev malicious-package advisories with IDs prefixed MAL-. Confidence 0.95.

npm_deprecation

npm package versions with deprecation messages containing targeted attack language such as malicious, backdoor, or compromised. Confidence 0.80.

Supply chain overview All npm packages Express Fastify Response fields