LangChain (JS)

registrynpm

package namelangchain

maintainerLangChain AI

LangChain for JavaScript is the Node.js and browser port of the LangChain agent and chain framework, used in Next.js AI applications, serverless functions, and Node.js backends. It provides the same chain, agent, and memory abstractions as the Python version. Many Next.js AI SaaS applications use this as their primary orchestration layer.

api usage

Checking LangChain (JS)

langchain 0.3.0 is a clean version with no known supply chain compromise. The response returns compromised: false with an empty sources array.

bash

curl "https://api.attestd.io/v1/check?product=langchain&version=0.3.0" \
  -H "Authorization: Bearer YOUR_API_KEY"

json

{
  "product": "langchain",
  "version": "0.3.0",
  "supported": true,
  "risk_state": "none",
  "supply_chain": {
    "compromised": false,
    "sources": [],
    "malware_type": null,
    "description": null,
    "advisory_url": null,
    "compromised_at": null,
    "removed_at": null
  },
  "last_updated": "2026-05-01T00:00:00Z"
}

attack surface

Why this package is monitored

JavaScript agent frameworks run in serverless functions and edge runtimes that receive user requests and call LLM APIs. A backdoored version can exfiltrate API keys from environment variables and user request bodies before any chain processing begins.

Attestd monitors langchain using the following detection sources:

registry

Manually curated advisories in the Attestd registry, verified by a human analyst. Confidence 1.0.

osv

OSV.dev malicious-package advisories with IDs prefixed MAL-. Confidence 0.95.

npm_deprecation

npm package versions with deprecation messages containing targeted attack language such as malicious, backdoor, or compromised. Confidence 0.80.

Supply chain overview All npm packages LangChain Core (JS)OpenAI SDK (JS)Vercel AI SDK Response fields