Attestd Now Monitors 29,723+ npm and PyPI Packages for Supply Chain Compromise

Attestd's supply chain monitoring has expanded from 143 hand-curated packages to 29,723 across npm and PyPI. Every package with at least 10,000 weekly downloads on either registry is now automatically monitored for malicious publishes.
The change is in production as of June 2026.
What changed#
Until now, supply chain coverage was built from a hand-curated seed list of high-risk packages: LLM SDKs, popular frameworks, auth libraries, and similar targets. That approach covered the packages most likely to be attacked. It did not cover the packages you were actually using unless they happened to be on the list.
A package with 29,000 weekly downloads that had never been targeted before was outside coverage. If an attacker compromised it, the API returned supported: false.
The new system works differently. The pipeline sweeps the full npm and PyPI registry, checks weekly download counts, and automatically adds every package above the threshold to the watchlist. No manual curation required. If the package is widely used, it is watched.
Before: ~143 packages (76 PyPI, 67 npm), hand-curated
After: 29,723 packages (15,000 PyPI, 14,723 npm), threshold-based
What the threshold means in practice#
The threshold is 10,000 weekly downloads on either registry. Packages at or above that number are added automatically. Packages below it return supported: false.
This covers the vast majority of packages developers depend on in production. react, lodash, and tensorflow were all outside the curated list before; they are covered now.
```bash
# react was not on the curated list. Now covered.
curl "https://api.attestd.io/v1/check?product=react&version=18.3.0" \
  -H "Authorization: Bearer YOUR_API_KEY"
```

```json
{
  "product": "react",
  "version": "18.3.0",
  "supported": true,
  "risk_state": "none",
  "confidence": 0.9,
  "cve_ids": [],
  "supply_chain": {
    "compromised": false,
    "sources": [],
    "malware_type": null,
    "description": null,
    "advisory_url": null,
    "compromised_at": null,
    "removed_at": null
  }
}
```

```bash
# lodash — same result
curl "https://api.attestd.io/v1/check?product=lodash&version=4.17.21" \
  -H "Authorization: Bearer YOUR_API_KEY"

# tensorflow (PyPI) — same result
curl "https://api.attestd.io/v1/check?product=tensorflow&version=2.18.0" \
  -H "Authorization: Bearer YOUR_API_KEY"
```
All three return supported: true and supply_chain.compromised: false. Before this change, all three returned {"supported": false}.
What a monitored response means#
For supply-chain-only packages, supply_chain.compromised: false is not the same as "unknown." It means the pipeline checked OSV advisories, registry state, and related sources for this package and version and found no malicious publish signal. The confidence: 0.9 field reflects that.
The contrast with a compromised version makes this clear. litellm 1.82.7 is the March 2026 TeamPCP backdoor:
```bash
curl "https://api.attestd.io/v1/check?product=litellm&version=1.82.7" \
  -H "Authorization: Bearer YOUR_API_KEY"
```

```json
{
  "product": "litellm",
  "version": "1.82.7",
  "supported": true,
  "risk_state": "none",
  "confidence": 1.0,
  "cve_ids": [],
  "supply_chain": {
    "compromised": true,
    "sources": ["osv", "registry"],
    "malware_type": "backdoor",
    "description": "TeamPCP supply chain attack: credential stealer in proxy_server.py",
    "advisory_url": "https://docs.litellm.ai/blog/security-update-march-2026",
    "compromised_at": "2026-03-24T10:39:00Z",
    "removed_at": "2026-03-24T16:00:00Z"
  }
}
```
risk_state: "none" on both, and cve_ids is empty on both. No CVE was assigned to the litellm attack, so CVE-driven tools such as pip-audit (and npm audit on the npm side) report clean. The supply_chain block is the only detector.
| Field | Clean (react 18.3.0) | Compromised (litellm 1.82.7) |
|---|---|---|
| `supported` | `true` | `true` |
| `supply_chain.compromised` | `false` | `true` |
| `supply_chain.malware_type` | `null` | `"backdoor"` |
| `supply_chain.sources` | `[]` | `["osv", "registry"]` |
| `supply_chain.compromised_at` | `null` | ISO timestamp |
Scoped npm packages#
Scoped packages (@scope/name) are included but capped at the 2,000 most popular scoped candidates due to the cost of individual API calls. Popular scoped packages like @langchain/core, @mistralai/mistralai, and @tanstack/react-router are covered. Less popular scoped packages outside the top 2,000 may still return supported: false even if they exceed the download threshold. This will improve over time.
What this means for your agent#
An autonomous system calling /v1/check before installing or recommending a dependency no longer needs to cross-reference a curated list. If the package is above the download threshold, the API returns a real signal. If it returns supported: false, the package is either below threshold or a scoped package outside the top 2,000 candidates. Either way, the agent should treat it as unknown risk, not as a clean result: "unknown" and "monitored and clean" are different states and must not be collapsed into one.
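The three-way decision described above (clean, compromised, unknown), as an added example of a pre-install gate built on the /v1/check response shape shown on this page. This is illustrative code, not Attestd's client library. It assumes the JSON fields are exactly as shown above; the responses for react and litellm are reconstructed from the page, the below-threshold package `example-internal-helper` is hypothetical, the `MIN_CONFIDENCE` cutoff and the `ATTESTD_API_KEY` environment variable are this example's own conventions, and `offline_fetch` stands in for the HTTP call so the logic runs without network access.

```python
"""Pre-install dependency gate over /v1/check responses (added example, not Attestd code)."""
import json
import os
import urllib.parse
import urllib.request
from collections.abc import Mapping
from dataclasses import dataclass
from enum import Enum
from typing import Any, Callable

API_BASE = "https://api.attestd.io/v1/check"
MIN_CONFIDENCE = 0.9  # assumption: the page's clean example reports 0.9; lower is treated as not settled


class Verdict(Enum):
    ALLOW = "allow"      # monitored, no malicious-publish signal
    BLOCK = "block"      # monitored and flagged compromised
    UNKNOWN = "unknown"  # not monitored (below threshold / scoped outside top candidates) or unusable response


@dataclass(frozen=True)
class Decision:
    product: str
    version: str
    verdict: Verdict
    reason: str


# Constructed responses mirroring the page's examples; not captured from the live API.
CONSTRUCTED_RESPONSES: dict[tuple[str, str], dict[str, Any]] = {
    ("react", "18.3.0"): {
        "product": "react", "version": "18.3.0", "supported": True,
        "risk_state": "none", "confidence": 0.9, "cve_ids": [],
        "supply_chain": {"compromised": False, "sources": [], "malware_type": None,
                         "description": None, "advisory_url": None,
                         "compromised_at": None, "removed_at": None},
    },
    ("litellm", "1.82.7"): {
        "product": "litellm", "version": "1.82.7", "supported": True,
        "risk_state": "none", "confidence": 1.0, "cve_ids": [],
        "supply_chain": {"compromised": True, "sources": ["osv", "registry"],
                         "malware_type": "backdoor",
                         "description": "TeamPCP supply chain attack: credential stealer in proxy_server.py",
                         "advisory_url": "https://docs.litellm.ai/blog/security-update-march-2026",
                         "compromised_at": "2026-03-24T10:39:00Z",
                         "removed_at": "2026-03-24T16:00:00Z"},
    },
    # Hypothetical below-threshold package: the API answers only {"supported": false}.
    ("example-internal-helper", "0.3.1"): {"supported": False},
}

Fetcher = Callable[[str, str], Mapping[str, Any]]


def offline_fetch(product: str, version: str) -> Mapping[str, Any]:
    """Serve the constructed responses; anything else gets the below-threshold shape."""
    return CONSTRUCTED_RESPONSES.get((product, version), {"supported": False})


def live_fetch(product: str, version: str) -> Mapping[str, Any]:
    """Real call to /v1/check; needs ATTESTD_API_KEY in the environment (assumed name)."""
    query = urllib.parse.urlencode({"product": product, "version": version})
    req = urllib.request.Request(
        f"{API_BASE}?{query}",
        headers={"Authorization": f"Bearer {os.environ['ATTESTD_API_KEY']}"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


def classify(response: Mapping[str, Any]) -> tuple[Verdict, str]:
    """Map one /v1/check response onto allow / block / unknown.

    risk_state and cve_ids are deliberately not consulted: the page shows both as
    "none" / [] for the compromised litellm build, so supply_chain.compromised is
    the only field that separates it from a clean package.
    """
    if response.get("supported") is not True:
        return Verdict.UNKNOWN, "not monitored: below 10k weekly downloads or scoped package outside top candidates"
    sc = response.get("supply_chain")
    if not isinstance(sc, Mapping) or "compromised" not in sc:
        return Verdict.UNKNOWN, "supported but response carries no supply_chain block"
    if sc["compromised"] is True:
        sources = ",".join(sc.get("sources") or []) or "unspecified"
        return Verdict.BLOCK, f"malicious publish: {sc.get('malware_type') or 'unspecified'} (sources: {sources})"
    confidence = float(response.get("confidence", 0.0))
    if confidence < MIN_CONFIDENCE:
        return Verdict.UNKNOWN, f"clean signal but confidence {confidence} below {MIN_CONFIDENCE}"
    return Verdict.ALLOW, "monitored, no malicious publish signal"


def check_dependency(product: str, version: str, fetch: Fetcher = offline_fetch) -> Decision:
    verdict, reason = classify(fetch(product, version))
    return Decision(product, version, verdict, reason)


def gate_install(deps, fetch: Fetcher = offline_fetch) -> dict[Verdict, list[Decision]]:
    """Run every (name, version) pair through the gate and bucket the results."""
    buckets: dict[Verdict, list[Decision]] = {v: [] for v in Verdict}
    for product, version in deps:
        d = check_dependency(product, version, fetch)
        buckets[d.verdict].append(d)
    return buckets


def install_allowed(buckets: dict[Verdict, list[Decision]]) -> bool:
    """Proceed only when nothing is blocked; UNKNOWN entries are surfaced, never silently allowed."""
    return not buckets[Verdict.BLOCK]


if __name__ == "__main__":
    result = gate_install([("react", "18.3.0"), ("litellm", "1.82.7"), ("example-internal-helper", "0.3.1")])
    for verdict, decisions in result.items():
        for d in decisions:
            print(f"{verdict.value:8} {d.product}@{d.version}: {d.reason}")
    print("install allowed:", install_allowed(result))
```

The point of the three buckets is that `supported: false` and `compromised: false` never land in the same place: the first is an absence of data, the second is a negative result from a pipeline that actually looked. Swap `offline_fetch` for `live_fetch` to run the same gate against the API.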
Full documentation at attestd.io/docs/supply-chain.
Get an API key at api.attestd.io/portal/login. Free tier, 1,000 calls a month, no credit card required.