MQTT.js

registrynpm

package namemqtt

maintainerMQTT.js Contributors

MQTT.js is the standard MQTT client library for Node.js and browser environments, used in IoT device communication, telemetry pipelines, and home automation systems. It connects to MQTT brokers (Mosquitto, HiveMQ, AWS IoT) and subscribes to and publishes messages on topics.

api usage

Checking MQTT.js

mqtt 5.10.0 is a clean version with no known supply chain compromise. The response returns compromised: false with an empty sources array.

bash

curl "https://api.attestd.io/v1/check?product=mqtt&version=5.10.0" \
  -H "Authorization: Bearer YOUR_API_KEY"

json

{
  "product": "mqtt",
  "version": "5.10.0",
  "supported": true,
  "risk_state": "none",
  "supply_chain": {
    "compromised": false,
    "sources": [],
    "malware_type": null,
    "description": null,
    "advisory_url": null,
    "compromised_at": null,
    "removed_at": null
  },
  "last_updated": "2026-05-01T00:00:00Z"
}

attack surface

Why this package is monitored

IoT messaging clients connect to brokers using credentials and client certificates. A backdoored version can exfiltrate broker credentials and subscribe to all topics the client has access to, capturing device telemetry and control messages.

Attestd monitors mqtt using the following detection sources:

registry

Manually curated advisories in the Attestd registry, verified by a human analyst. Confidence 1.0.

osv

OSV.dev malicious-package advisories with IDs prefixed MAL-. Confidence 0.95.

npm_deprecation

npm package versions with deprecation messages containing targeted attack language such as malicious, backdoor, or compromised. Confidence 0.80.

Supply chain overview All npm packages Socket.IO mosquitto CVE coverage Response fields