
npm Supply Chain Attacks: How AI Coding Tools Create Vulnerabilities

When Cursor or Claude suggests a package that doesn't exist, attackers register it as malware. Here's how to find and fix supply chain vulnerabilities in your app.

The AI hallucination attack vector

AI coding assistants are trained on code from across the internet. Sometimes they suggest packages that don't exist — they've seen similar package names in training data and extrapolate. This is called an AI hallucination.

Attackers monitor for these hallucinated package names and register them on npm with malicious code. When a developer installs the suggested package, they install malware.

Known examples of packages AI assistants have hallucinated that attackers registered:

  • @anthropic/sdk (real: @anthropic-ai/sdk)
  • react-server-dom-webpack variants
  • next-auth-providers (real: next-auth)

Typosquatting: one letter off from real packages

Typosquatting is a separate but related attack. Attackers register packages with names one or two characters different from popular packages, hoping developers make typos when installing.

With AI coding tools, this risk is amplified — the AI might suggest the typosquatted name directly.

Known typosquats to watch for

  Typosquat    Real package
  axois        axios
  lodahs       lodash
  expres       express
  recat        react
  momnet       moment
  crossenv     cross-env
  babelcli     babel-cli
  node-uuid    uuid

How to audit your dependencies

1. Run npm audit

npm audit
# or
npm audit --audit-level=high

This checks your installed packages against the npm advisory database for known CVEs. Fix critical and high severity issues before deploying.

2. Check package download counts

Legitimate packages have download histories. A package with 0 downloads or that was created last week is suspicious.

# Check package info
npm info package-name

# Check weekly downloads
curl https://api.npmjs.org/downloads/point/last-week/package-name

3. Verify package maintainers

Check that the package is maintained by the organization you expect. @anthropic-ai/sdk should be maintained by Anthropic. If the maintainer is an unknown individual, be suspicious.

4. Check for install scripts

# View the scripts section of an installed package's package.json
grep -A5 '"scripts"' node_modules/package-name/package.json

Malicious packages often use postinstall scripts to execute code when installed. Legitimate packages rarely need install scripts.
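A pre-install check that pulls the typosquat table and the audit steps above together, added here as an example and not code from the article or from Vezraa. It flags dependency names from this article's hallucinated and typosquatted lists, applies an edit-distance heuristic against a small popular-package list (assumed; a real check would use a far larger list), and reports install-time lifecycle scripts in installed manifests; the sample package.json and manifests are constructed.

```javascript
// Added example: audit a package.json and installed manifests before trusting them.
// KNOWN_BAD pairs come from the article; POPULAR is a small assumed list.
const KNOWN_BAD = {
  "@anthropic/sdk": "@anthropic-ai/sdk", "next-auth-providers": "next-auth",
  axois: "axios", lodahs: "lodash", expres: "express", recat: "react",
  momnet: "moment", crossenv: "cross-env", babelcli: "babel-cli", "node-uuid": "uuid",
};
const POPULAR = ["axios", "lodash", "express", "react", "moment", "uuid", "next-auth"];
const INSTALL_HOOKS = ["preinstall", "install", "postinstall"];

// Levenshtein distance: number of single-character edits turning a into b.
function editDistance(a, b) {
  const d = Array.from({ length: a.length + 1 }, (_, i) => [i]);
  for (let j = 1; j <= b.length; j++) d[0][j] = j;
  for (let i = 1; i <= a.length; i++)
    for (let j = 1; j <= b.length; j++)
      d[i][j] = Math.min(d[i - 1][j] + 1, d[i][j - 1] + 1,
        d[i - 1][j - 1] + (a[i - 1] === b[j - 1] ? 0 : 1));
  return d[a.length][b.length];
}

// One dependency name -> reasons it looks suspicious (empty array if none).
function checkName(name) {
  if (KNOWN_BAD[name]) return [`known bad name; did you mean ${KNOWN_BAD[name]}?`];
  const near = POPULAR.filter((p) => { const n = editDistance(name, p); return n > 0 && n <= 2; });
  return near.map((p) => `within 2 edits of popular package ${p}`);
}

// Lifecycle hooks that run code at install time, read from an installed package.json.
function installHooks(manifest) {
  return INSTALL_HOOKS.filter((h) => manifest.scripts && manifest.scripts[h]);
}

// Audit declared dependencies plus the manifests of what is actually installed.
// Returns { packageName: [reasons] } containing flagged packages only.
function audit(packageJson, installedManifests) {
  const flagged = {};
  const deps = Object.keys({ ...packageJson.dependencies, ...packageJson.devDependencies });
  for (const name of deps) { const r = checkName(name); if (r.length) flagged[name] = r; }
  for (const [name, manifest] of Object.entries(installedManifests)) {
    const hooks = installHooks(manifest);
    if (hooks.length) (flagged[name] = flagged[name] || []).push(`declares install script(s): ${hooks.join(", ")}`);
  }
  return flagged;
}

// Constructed sample input; "evil-helper" is a made-up name, not a real package.
const samplePackageJson = { dependencies: { axois: "^1.6.0", react: "^18.2.0", "@anthropic/sdk": "^0.1.0", lodash: "^4.17.21" } };
const sampleManifests = { react: { name: "react", scripts: { test: "jest" } },
  "evil-helper": { name: "evil-helper", scripts: { postinstall: "node setup.js" } } };
```

Run `audit(samplePackageJson, sampleManifests)` to see the flagged entries; in a real project, load package.json and each `node_modules/<name>/package.json` with `fs.readFileSync` instead of the constructed objects.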

Preventing supply chain attacks going forward

  • Always verify package names before installing — check npmjs.com directly
  • Use npm ci instead of npm install in CI/CD so that exactly the versions recorded in the lockfile are installed
  • Enable Dependabot or Renovate for automated dependency updates
  • When an AI suggests a package you don't recognize, search for it on npm before installing
  • Consider using Socket.dev or Vezraa to scan your dependencies automatically

npm Supply Chain Attacks: AI Tools & Security | Vezraa