Gemini JS SDK
npm: @google/generative-ai

The Gemini JavaScript SDK provides access to the Google Gemini model family from Node.js and browser environments. It supports multimodal inputs, function calling, and streaming. It is used in web applications and serverless functions that call Gemini for text generation, vision, and code tasks.
Checking Gemini JS SDK
@google/generative-ai 0.17.0 is a clean version with no known supply chain compromise. The response returns compromised: false with an empty sources array.
curl "https://api.attestd.io/v1/check?product=%40google%2Fgenerative-ai&version=0.17.0" \
  -H "Authorization: Bearer YOUR_API_KEY"

{
  "product": "@google/generative-ai",
  "version": "0.17.0",
  "supported": true,
  "risk_state": "none",
  "supply_chain": {
    "compromised": false,
    "sources": [],
    "malware_type": null,
    "description": null,
    "advisory_url": null,
    "compromised_at": null,
    "removed_at": null
  },
  "last_updated": "2026-05-01T00:00:00Z"
}

Why this package is monitored
Browser-side AI SDK packages run in contexts where the API key is handed straight to the library (the client constructor argument in the browser, an environment variable in Node) and is frequently embedded in the bundled JavaScript shipped to users. A compromised version sits on exactly that code path: it can read the key the moment the client is constructed and exfiltrate it on the first API call, with no further user interaction.
Attestd monitors @google/generative-ai using the following detection sources:
registry: Manually curated advisories in the Attestd registry, verified by a human analyst. Confidence 1.0.

osv: OSV.dev malicious-package advisories with IDs prefixed MAL-. Confidence 0.95.

npm_deprecation: npm package versions with deprecation messages containing targeted attack language such as "malicious", "backdoor", or "compromised". Confidence 0.80.
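As an added example (not Attestd's or Google's own code), the check described above wired into a Node.js CI gate: it reads the installed version of @google/generative-ai from a constructed package-lock.json, builds the percent-encoded check URL exactly as the curl call does, and maps the response to a pass/block/error verdict, weighting a positive result with the per-source confidence values listed above. Node 18+ (global fetch), the ATTESTD_API_KEY variable, and the assumption that a non-empty sources array carries detection-source names such as "osv" are all assumptions of this example; the compromised response used for the negative path is a constructed fixture with a non-existent version, not a real advisory.

```javascript
// Added example, not Attestd's or Google's code: gate a build on the Attestd check
// endpoint for the @google/generative-ai version pinned in package-lock.json.
// Assumed: Node 18+ (global fetch), the key in ATTESTD_API_KEY, and that a non-empty
// "sources" array lists detection-source names such as "osv" or "registry".

const ATTESTD_BASE = "https://api.attestd.io/v1/check"; // endpoint from the curl call
const PRODUCT = "@google/generative-ai";

// Per-source confidence as documented for this package.
const SOURCE_CONFIDENCE = { registry: 1.0, osv: 0.95, npm_deprecation: 0.8 };

// Constructed package-lock.json (lockfileVersion 3 "packages" map); not a real project.
const SAMPLE_LOCKFILE = JSON.stringify({
  name: "demo-app",
  lockfileVersion: 3,
  packages: {
    "": { dependencies: { [PRODUCT]: "^0.17.0" } },
    [`node_modules/${PRODUCT}`]: { version: "0.17.0" },
  },
});

// The clean response documented for 0.17.0.
const CLEAN_RESPONSE = {
  product: PRODUCT, version: "0.17.0", supported: true, risk_state: "none",
  supply_chain: { compromised: false, sources: [], malware_type: null, description: null,
                  advisory_url: null, compromised_at: null, removed_at: null },
  last_updated: "2026-05-01T00:00:00Z",
};

// Constructed fixture for the negative path; "0.0.0-fixture" is not a real release
// and nothing here describes a real advisory.
const FIXTURE_COMPROMISED = {
  product: PRODUCT, version: "0.0.0-fixture", supported: true,
  supply_chain: { compromised: true, sources: ["osv", "npm_deprecation"], malware_type: "fixture",
                  description: "constructed test fixture", advisory_url: null,
                  compromised_at: "2026-01-01T00:00:00Z", removed_at: null },
  last_updated: "2026-01-02T00:00:00Z",
};

// Resolve the installed version from the lockfile rather than the "^0.17.0" range in
// package.json: the check is per exact version.
function installedVersion(lockfileText, product) {
  const lock = JSON.parse(lockfileText);
  const entry = lock.packages && lock.packages[`node_modules/${product}`];
  if (!entry || typeof entry.version !== "string") {
    throw new Error(`${product} is not in the lockfile`);
  }
  return entry.version;
}

// Scoped names must be percent-encoded (@ -> %40, / -> %2F), as in the curl call.
function buildCheckUrl(product, version) {
  const query = new URLSearchParams({ product, version });
  return `${ATTESTD_BASE}?${query}`;
}

// Map a response body to a CI verdict. Fails closed: anything that is not an explicit
// "compromised: false" on a supported product is "error", never "pass".
function assess(body) {
  if (!body || typeof body !== "object") return { verdict: "error", reason: "malformed response" };
  if (body.supported !== true) return { verdict: "error", reason: "product not monitored" };
  const sc = body.supply_chain;
  if (!sc || typeof sc.compromised !== "boolean") {
    return { verdict: "error", reason: "supply_chain.compromised missing" };
  }
  if (!sc.compromised) return { verdict: "pass", reason: "no known compromise" };
  const sources = Array.isArray(sc.sources) ? sc.sources : [];
  // Highest confidence among the sources that reported the compromise.
  const confidence = sources.reduce((m, s) => Math.max(m, SOURCE_CONFIDENCE[s] ?? 0), 0);
  return {
    verdict: "block",
    reason: `${sc.malware_type ?? "compromise"} reported by ${sources.join(", ") || "an unlisted source"}`,
    confidence,
    advisory: sc.advisory_url ?? null,
  };
}

// Live lookup: version from the lockfile, then one GET with the bearer token.
async function checkPackage(lockfileText, product, apiKey) {
  const version = installedVersion(lockfileText, product);
  const res = await fetch(buildCheckUrl(product, version), {
    headers: { Authorization: `Bearer ${apiKey}` },
  });
  if (!res.ok) throw new Error(`Attestd check returned HTTP ${res.status}`);
  return { version, ...assess(await res.json()) };
}

// With ATTESTD_API_KEY set, query the live endpoint and fail the build on anything
// but "pass"; without it, exercise the verdict logic offline against the fixtures.
if (process.env.ATTESTD_API_KEY) {
  checkPackage(SAMPLE_LOCKFILE, PRODUCT, process.env.ATTESTD_API_KEY)
    .then((r) => { console.log(r); if (r.verdict !== "pass") process.exitCode = 1; })
    .catch((e) => { console.error(e.message); process.exitCode = 1; });
} else {
  console.log(buildCheckUrl(PRODUCT, installedVersion(SAMPLE_LOCKFILE, PRODUCT)));
  console.log(assess(CLEAN_RESPONSE), assess(FIXTURE_COMPROMISED));
}
```

Without ATTESTD_API_KEY the script never touches the network and only runs the verdict logic against the embedded fixtures. The fail-closed branches are the point of the gate: a check that treats an unsupported product, a missing field, or an HTTP error as clean would wave through exactly the cases where the monitoring has gone dark.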