OpenAI SDK (JS)
npm: openai
The official OpenAI JavaScript SDK for Node.js and browser environments. It is used in Next.js applications, Vercel AI SDK integrations, and serverless API routes that proxy OpenAI model calls. The SDK reads `OPENAI_API_KEY` from environment variables and handles streaming, function calling, and batch requests.
Checking OpenAI SDK (JS)
openai 4.56.0 is a clean version with no known supply chain compromise. The response returns `compromised: false` with an empty `sources` array.
curl "https://api.attestd.io/v1/check?product=openai&version=4.56.0" \
  -H "Authorization: Bearer YOUR_API_KEY"

{
  "product": "openai",
  "version": "4.56.0",
  "supported": true,
  "risk_state": "none",
  "supply_chain": {
    "compromised": false,
    "sources": [],
    "malware_type": null,
    "description": null,
    "advisory_url": null,
    "compromised_at": null,
    "removed_at": null
  },
  "last_updated": "2026-05-01T00:00:00Z"
}

Why this package is monitored
Node.js API routes that use this SDK pass the OpenAI key on every module load. A compromised version can read the API key from `process.env` during module initialization, before any application code runs.
Attestd monitors openai using the following detection sources:
registry: Manually curated advisories in the Attestd registry, verified by a human analyst. Confidence 1.0.
osv: OSV.dev malicious-package advisories with IDs prefixed MAL-. Confidence 0.95.
npm_deprecation: npm package versions with deprecation messages containing targeted attack language such as malicious, backdoor, or compromised. Confidence 0.80.
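
As an added example (not Attestd's own code), a fail-closed gate over the check response shown earlier, suitable for running before `npm install` in CI so a flagged version never gets to load and read `process.env`. The function names, the `ATTESTD_API_KEY` variable and the policy of blocking on any `risk_state` other than `none` are assumptions of this example; the sample responses are constructed.

```javascript
// Added example: fail-closed gate over the /v1/check response format.
// ATTESTD_API_KEY and all function names are assumptions, not Attestd's code.
const CHECK_URL = "https://api.attestd.io/v1/check";

// Allow only an explicit, well-formed "clean" answer for the exact
// product/version that was asked about; everything else blocks.
function evaluateCheck(expected, body) {
  if (!body || typeof body !== "object") return { allow: false, reason: "malformed response" };
  if (body.product !== expected.product || body.version !== expected.version)
    return { allow: false, reason: "response is for a different product/version" };
  if (body.supported !== true) return { allow: false, reason: "product not supported, no verdict" };
  const sc = body.supply_chain;
  if (!sc || typeof sc.compromised !== "boolean")
    return { allow: false, reason: "missing supply_chain verdict" };
  if (sc.compromised)
    return { allow: false, reason: `compromised: ${sc.malware_type ?? "unknown type"} (${sc.advisory_url ?? "no advisory"})` };
  // Policy assumption: any risk_state other than "none" also blocks.
  if (body.risk_state !== "none") return { allow: false, reason: `risk_state=${body.risk_state}` };
  return { allow: true, reason: "clean" };
}

// Network wrapper (Node 18+ global fetch). HTTP and parse failures block too.
async function checkPackage(product, version, apiKey = process.env.ATTESTD_API_KEY) {
  const url = `${CHECK_URL}?product=${encodeURIComponent(product)}&version=${encodeURIComponent(version)}`;
  try {
    const res = await fetch(url, { headers: { Authorization: `Bearer ${apiKey}` } });
    if (!res.ok) return { allow: false, reason: `HTTP ${res.status}` };
    return evaluateCheck({ product, version }, await res.json());
  } catch (err) {
    return { allow: false, reason: `lookup failed: ${err.message}` };
  }
}

// Constructed samples: the first mirrors the response above; the second flips
// the verdict, using placeholder values, to exercise the blocking path.
const cleanSample = {
  product: "openai", version: "4.56.0", supported: true, risk_state: "none",
  supply_chain: { compromised: false, sources: [], malware_type: null, advisory_url: null },
};
const badSample = {
  ...cleanSample, risk_state: "PLACEHOLDER",
  supply_chain: { ...cleanSample.supply_chain, compromised: true, malware_type: "PLACEHOLDER" },
};

const want = { product: "openai", version: "4.56.0" };
console.log(evaluateCheck(want, cleanSample));
console.log(evaluateCheck(want, badSample));
console.log(evaluateCheck({ product: "openai", version: "4.56.1" }, cleanSample));
```

In a pipeline, call `checkPackage` with the version pinned in the lockfile and exit non-zero when `allow` is false.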