
LlamaIndex (JS)

registry: npm
package name: llamaindex
maintainer: LlamaIndex

LlamaIndex for JavaScript is the Node.js port of the LlamaIndex data framework for LLM applications, providing document ingestion, indexing, retrieval, and query pipelines. It connects LLMs to private data stored in vector databases, object stores, and document repositories. It is used in enterprise knowledge base and RAG applications.

api usage

Checking LlamaIndex (JS)

llamaindex 0.5.0 is a clean version with no known supply chain compromise. The response returns compromised: false with an empty sources array.

Request (bash):
curl "https://api.attestd.io/v1/check?product=llamaindex&version=0.5.0" \
  -H "Authorization: Bearer YOUR_API_KEY"
Response (json):
{
  "product": "llamaindex",
  "version": "0.5.0",
  "supported": true,
  "risk_state": "none",
  "supply_chain": {
    "compromised": false,
    "sources": [],
    "malware_type": null,
    "description": null,
    "advisory_url": null,
    "compromised_at": null,
    "removed_at": null
  },
  "last_updated": "2026-05-01T00:00:00Z"
}
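Turning a check response into an install decision, as an added Node.js example that is not Attestd's own client: it relies only on the response fields shown above, and the `example-widget` package, its advisory text and the `leftover` dependency are constructed for illustration.

```javascript
const ATTESTD_URL = "https://api.attestd.io/v1/check"; // endpoint from this page

// Build the query URL for one package/version pair.
function checkUrl(product, version) {
  const u = new URL(ATTESTD_URL);
  u.searchParams.set("product", product);
  u.searchParams.set("version", version);
  return u.toString();
}

// Classify one response. An unsupported version is "unknown", never "allow":
// lack of coverage is not evidence that the version is clean.
function evaluateCheck(resp) {
  if (!resp || resp.supported !== true) {
    return { verdict: "unknown", reason: "version not covered by Attestd" };
  }
  const sc = resp.supply_chain || {};
  if (sc.compromised === true) {
    return {
      verdict: "block",
      reason: sc.description || `flagged as ${sc.malware_type || "compromised"}`,
      advisory: sc.advisory_url || null,
      sources: sc.sources || [],
    };
  }
  return { verdict: "allow", reason: `risk_state=${resp.risk_state}` };
}

// Apply the policy to every dependency. `responses` maps "name@version" to the
// JSON body fetched from checkUrl(name, version) with the Bearer header.
function gateDependencies(deps, responses) {
  const report = { block: [], unknown: [], allow: [] };
  for (const [name, version] of Object.entries(deps)) {
    const result = evaluateCheck(responses[`${name}@${version}`]);
    report[result.verdict].push({ name, version, ...result });
  }
  return report;
}

// Constructed sample: the clean llamaindex 0.5.0 body from this page, a
// hypothetical compromised package, and a dependency with no response at all.
const SAMPLE_DEPS = { llamaindex: "0.5.0", "example-widget": "2.1.0", leftover: "1.0.0" };
const SAMPLE_RESPONSES = {
  "llamaindex@0.5.0": { product: "llamaindex", version: "0.5.0", supported: true,
    risk_state: "none", supply_chain: { compromised: false, sources: [], malware_type: null,
    description: null, advisory_url: null, compromised_at: null, removed_at: null } },
  "example-widget@2.1.0": { product: "example-widget", version: "2.1.0", supported: true,
    supply_chain: { compromised: true, sources: ["osv"], malware_type: "credential stealer",
    description: "constructed advisory text", advisory_url: "https://example.invalid/adv" } },
};
```

In a real pipeline, fetch each `checkUrl(name, version)` with the `Authorization: Bearer` header shown above, collect the bodies into the `responses` map, and fail the build when `report.block` is non-empty; treat `report.unknown` as a separate, softer signal.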
attack surface

Why this package is monitored

Document ingestion and indexing pipelines process proprietary data before it reaches the vector store. A backdoored version can exfiltrate document content during the embedding step, before the data is written to any monitored storage.

Attestd monitors llamaindex using the following detection sources:

registry

Manually curated advisories in the Attestd registry, verified by a human analyst. Confidence 1.0.

osv

OSV.dev malicious-package advisories with IDs prefixed MAL-. Confidence 0.95.

npm_deprecation

npm package versions whose deprecation message contains attack-related wording such as "malicious", "backdoor", or "compromised". Confidence 0.80.
