npm supply chain monitoring

Attestd monitors 14,723 npm packages for malicious publishes, OSV-confirmed advisories, and npm deprecation messages with targeted attack language. Coverage spans LLM and AI SDKs, full-stack frameworks, database clients, auth libraries, cloud SDKs, developer toolchain packages, and all packages above approximately 500,000 weekly downloads.

npm is the largest package registry in the world and historically the most targeted for supply chain attacks. The npm registry has no mandatory 2FA for publishers of packages below a download threshold, and scoped packages (e.g. @scope/name) can be published under any unused scope name without identity verification. Attestd ingests OSV malicious-package advisories, npm deprecation messages containing attack language, and manually verified reports from the Attestd registry.

npm attack patterns

Maintainer account hijacking

An attacker takes control of a package maintainer's npm account through phishing, credential stuffing, or session token theft. They publish a new version with malicious code under the legitimate package name. Because the package already has millions of downloads, the malicious version installs automatically when users run npm update.

Scope squatting

npm scopes (e.g. @company/package) are not tied to verified organizations. An attacker can register a scope that looks similar to a legitimate organization (e.g. @aws-sdk vs @aws-sdk-v3) and publish packages under it. Users who mistype the scope name or are tricked by a look-alike install the malicious package.

postinstall hook abuse

npm packages can define a postinstall script in package.json that executes arbitrary shell commands during npm install. A malicious postinstall script runs immediately after install, before the package is ever imported, and has access to the CI/CD environment, cloud credentials, and SSH keys present in the shell environment.

Dependency confusion

An attacker discovers an internal package name used in a target organization (through leaked package-lock.json files, job postings, or error logs) and publishes a public npm package with the same name at a higher version. npm resolves the public registry version over a private registry if both are configured.

Protestware and backdoors in transitive dependencies

Attackers contribute to lower-visibility transitive dependencies that are installed indirectly through popular packages. Because most developers do not audit transitive dependencies, a backdoored transitive dependency can persist undetected for longer than a direct compromise.

Checking an npm package

Use the exact npm package name as the product parameter. URL-encode scoped package names: @scope/name becomes %40scope%2Fname.

# Unscoped package

$ curl "https://api.attestd.io/v1/check?product=express&version=4.21.0" \
  -H "Authorization: Bearer YOUR_API_KEY"

# Scoped package (@ and / must be URL-encoded)

$ curl "https://api.attestd.io/v1/check?product=%40anthropic-ai%2Fsdk&version=0.26.0" \
  -H "Authorization: Bearer YOUR_API_KEY"

A supply_chain.compromised: false response means no malicious publish was found at the last ingestion. A supply_chain: null response means the package is not in the npm watchlist.
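The same check driven from a lockfile, as an added example that is not Attestd's own code: it lists every registry package in a package-lock.json (v2/v3 packages map, transitive dependencies included), builds the URL-encoded check URL for each, and maps the two response shapes described above to verdicts. The function names, verdict labels and sample lockfile are constructed here, and the response is assumed to be JSON with a top-level supply_chain field.

```javascript
// Added example. Function names, verdict labels and SAMPLE_LOCK are constructed.
const API = "https://api.attestd.io/v1/check"; // endpoint from the curl commands above

// Scoped names must be percent-encoded: "@scope/name" -> "%40scope%2Fname".
function buildCheckUrl(name, version) {
  return `${API}?product=${encodeURIComponent(name)}&version=${encodeURIComponent(version)}`;
}

// List registry packages (direct and transitive) from a lockfile v2/v3 "packages" map.
function lockfilePackages(lock) {
  const seen = new Map();
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    const i = path.lastIndexOf("node_modules/");
    // Skip the root project, workspace directories and workspace symlinks.
    if (i < 0 || entry.link || !entry.version) continue;
    const name = entry.name || path.slice(i + "node_modules/".length);
    seen.set(`${name}@${entry.version}`, { name, version: entry.version });
  }
  return [...seen.values()];
}

// Assumed response shape: JSON with "supply_chain"; null is "not watched", not "clean".
function interpret(body) {
  if (!body || typeof body !== "object" || !("supply_chain" in body)) return "error";
  if (body.supply_chain === null) return "not-monitored";
  if (body.supply_chain.compromised === false) return "clean-at-last-ingestion";
  if (body.supply_chain.compromised === true) return "compromised";
  return "error";
}

// Query one package (Node 18+ global fetch); any HTTP failure is an error verdict.
async function checkPackage({ name, version }, apiKey) {
  const res = await fetch(buildCheckUrl(name, version), {
    headers: { Authorization: `Bearer ${apiKey}` },
  });
  return res.ok ? interpret(await res.json()) : "error";
}

// Constructed sample lockfile (not from a real project).
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/express": { version: "4.21.0" },
    "node_modules/@anthropic-ai/sdk": { version: "0.26.0" },
    "node_modules/express/node_modules/debug": { version: "2.6.9" },
    "node_modules/local-lib": { link: true, resolved: "packages/local-lib" },
  },
};
```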

Featured packages

The packages below have individual monitoring pages with API examples and attack surface details. The full watchlist covers 14,723 packages.

Web frameworks (29)
