LangChain

registryPyPI

package namelangchain

maintainerLangChain AI

LangChain is the most widely used Python framework for building LLM-powered applications, providing abstractions for chains, agents, memory, tools, and retrieval-augmented generation. It acts as the integration layer connecting language models to databases, APIs, vector stores, and external services. Production deployments frequently grant LangChain agents broad filesystem and network access.

api usage

Checking LangChain

langchain 0.3.0 is a clean version with no known supply chain compromise. The response returns compromised: false with an empty sources array.

bash

curl "https://api.attestd.io/v1/check?product=langchain&version=0.3.0" \
  -H "Authorization: Bearer YOUR_API_KEY"

json

{
  "product": "langchain",
  "version": "0.3.0",
  "supported": true,
  "risk_state": "none",
  "supply_chain": {
    "compromised": false,
    "sources": [],
    "malware_type": null,
    "description": null,
    "advisory_url": null,
    "compromised_at": null,
    "removed_at": null
  },
  "last_updated": "2026-05-01T00:00:00Z"
}

attack surface

Why this package is monitored

Agent orchestration frameworks execute model-returned tool calls and code; a backdoored version can invoke those hooks to exfiltrate secrets, pivot through connected services, or poison the retrieval pipeline feeding subsequent requests.

Attestd monitors langchain using the following detection sources:

registry

Manually curated advisories in the Attestd registry, verified by a human analyst. Confidence 1.0.

osv

OSV.dev malicious-package advisories with IDs prefixed MAL-. Confidence 0.95.

pypi_yank

Versions yanked on PyPI with a security-related yanked_reason annotation. Confidence 0.80.

Supply chain overview All PyPI packages LangChain Core LangGraph OpenAI SDK (Python)Anthropic SDK (Python)Response fields