LangChain Core (JS)
npm: @langchain/core

LangChain Core for JavaScript provides the base runnables, messages, and LCEL abstractions for the LangChain JavaScript ecosystem. It is the shared dependency of all LangChain JS integration packages. Node.js AI agent backends built on LangChain depend on this package for every prompt, chain, and tool execution.
Checking LangChain Core (JS)
@langchain/core 0.3.0 is a clean version with no known supply chain compromise. The response returns compromised: false with an empty sources array.
curl "https://api.attestd.io/v1/check?product=%40langchain%2Fcore&version=0.3.0" \
  -H "Authorization: Bearer YOUR_API_KEY"

{
  "product": "@langchain/core",
  "version": "0.3.0",
  "supported": true,
  "risk_state": "none",
  "supply_chain": {
    "compromised": false,
    "sources": [],
    "malware_type": null,
    "description": null,
    "advisory_url": null,
    "compromised_at": null,
    "removed_at": null
  },
  "last_updated": "2026-05-01T00:00:00Z"
}

Why this package is monitored
Core abstraction packages in agent frameworks are present in every chain and tool invocation. A single compromised version propagates to all downstream LangChain JS packages and all Node.js applications using any LangChain integration.
Attestd monitors @langchain/core using the following detection sources:
registry: Manually curated advisories in the Attestd registry, verified by a human analyst. Confidence 1.0.
osv: OSV.dev malicious-package advisories with IDs prefixed MAL-. Confidence 0.95.
npm_deprecation: npm package versions with deprecation messages containing targeted attack language such as malicious, backdoor, or compromised. Confidence 0.80.
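
One way to consume the check response and the source confidences above in a CI or install step, as an added example that is not Attestd's own code. The names `checkUrl` and `gate` are hypothetical, the flagged response is constructed, and the code assumes that entries in `supply_chain.sources` are source-name strings, which the page does not specify.

```javascript
// Added example, not Attestd's code: a fail-closed gate over the check response.
// Confidence per detection source, as listed on this page.
const SOURCE_CONFIDENCE = { registry: 1.0, osv: 0.95, npm_deprecation: 0.8 };

// Scoped npm names must be percent-encoded in the query (@ -> %40, / -> %2F).
function checkUrl(product, version) {
  const q = `product=${encodeURIComponent(product)}&version=${encodeURIComponent(version)}`;
  return `https://api.attestd.io/v1/check?${q}`;
}

// Returns { allow, reason, confidence }. Anything unexpected blocks the install.
// ASSUMPTION: entries of supply_chain.sources are source-name strings.
function gate(resp, wanted) {
  const sc = resp && resp.supply_chain;
  if (!sc || typeof sc.compromised !== "boolean" || !Array.isArray(sc.sources)) {
    return { allow: false, reason: "malformed response", confidence: null };
  }
  if (resp.product !== wanted.product || resp.version !== wanted.version) {
    return { allow: false, reason: "response is for a different package", confidence: null };
  }
  if (resp.supported !== true) {
    return { allow: false, reason: "product not supported, no verdict", confidence: null };
  }
  if (!sc.compromised) {
    return { allow: true, reason: "no known compromise", confidence: null };
  }
  // Unknown source names count as 1.0 so they can never lower the reported confidence.
  const scores = sc.sources.map((s) =>
    Object.hasOwn(SOURCE_CONFIDENCE, s) ? SOURCE_CONFIDENCE[s] : 1.0);
  const confidence = scores.length ? Math.max(...scores) : 1.0;
  return { allow: false, reason: `compromised per ${sc.sources.join(", ")}`, confidence };
}

// Response body shown on this page, trimmed to the fields the gate reads.
const CLEAN = { product: "@langchain/core", version: "0.3.0", supported: true,
  supply_chain: { compromised: false, sources: [] } };
// Constructed sample (placeholder version), not a real advisory.
const FLAGGED = { product: "@langchain/core", version: "0.0.0-example", supported: true,
  supply_chain: { compromised: true, sources: ["osv", "npm_deprecation"] } };

console.log(checkUrl("@langchain/core", "0.3.0"));
console.log(gate(CLEAN, { product: "@langchain/core", version: "0.3.0" }));
console.log(gate(FLAGGED, { product: "@langchain/core", version: "0.0.0-example" }));
```

The gate treats a malformed body, a product or version mismatch, and `supported` other than `true` as a block, so an unavailable or unexpected answer never passes as a clean verdict.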