npm Supply Chain Attacks: How AI Coding Tools Create Vulnerabilities
When Cursor or Claude suggests a package that doesn't exist, attackers register it as malware. Here's how to find and fix supply chain vulnerabilities in your app.
The AI hallucination attack vector
AI coding assistants are trained on code from across the internet. Sometimes they suggest packages that don't exist — they've seen similar package names in training data and extrapolate. This is called an AI hallucination.
Attackers monitor for these hallucinated package names and register them on npm with malicious code. When a developer installs the suggested package, they install malware.
Known examples of packages AI assistants have hallucinated that attackers registered:
- @anthropic/sdk (real: @anthropic-ai/sdk)
- react-server-dom-webpack variants
- next-auth-providers (real: next-auth)
Typosquatting: one letter off from real packages
Typosquatting is a separate but related attack. Attackers register packages with names one or two characters different from popular packages, hoping developers make typos when installing.
With AI coding tools, this risk is amplified — the AI might suggest the typosquatted name directly.
How to audit your dependencies
1. Run npm audit
```bash
npm audit
# or, to fail only on high and critical findings:
npm audit --audit-level=high
```
This checks your installed packages against the npm advisory database for known CVEs. Fix critical- and high-severity issues before deploying. Note that it only reports packages that already have a published advisory; a freshly registered malicious package will not show up here, which is why the checks below matter.
2. Check package download counts
Legitimate packages have a download history. A package with zero downloads, or one that was created last week, is suspicious.
```bash
# Check package info (maintainers, publish dates, versions)
npm info package-name
# Check weekly downloads
curl https://api.npmjs.org/downloads/point/last-week/package-name
```
3. Verify package maintainers
Check that the package is maintained by the organization you expect. @anthropic-ai/sdk should be maintained by Anthropic. If the maintainer is an unknown individual, be suspicious.
4. Check for install scripts
```bash
# View the scripts section of an installed package's package.json
grep -A5 '"scripts"' node_modules/package-name/package.json
```
Malicious packages often use postinstall scripts to execute code when installed. Legitimate packages rarely need install scripts.
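The four checks above combined into one script, as an added example that is not from the original post: it runs name heuristics (edit distance, wrong scope, known name plus a suffix) and registry heuristics (age, downloads, maintainers, install hooks) over constructed sample data, so the KNOWN allow-list, the SAMPLES records and the simplified metadata shape are assumptions rather than real registry responses.

```javascript
// Added example: audit heuristics from the steps above, run offline over constructed data.
// A real run would feed in JSON from registry.npmjs.org and the downloads endpoint instead.
const KNOWN = ['next-auth', '@anthropic-ai/sdk', 'react-server-dom-webpack']; // assumed allow-list

// Levenshtein distance: 1-2 edits away from a known name is the classic typosquat.
function editDistance(a, b) {
  const d = Array.from({ length: a.length + 1 }, (_, i) => [i]);
  for (let j = 1; j <= b.length; j++) d[0][j] = j;
  for (let i = 1; i <= a.length; i++)
    for (let j = 1; j <= b.length; j++)
      d[i][j] = Math.min(d[i - 1][j] + 1, d[i][j - 1] + 1,
        d[i - 1][j - 1] + (a[i - 1] === b[j - 1] ? 0 : 1));
  return d[a.length][b.length];
}
// Name-only checks: edit distance, wrong scope (@anthropic vs @anthropic-ai), known name + suffix.
function nameFindings(name) {
  const out = [];
  const [scope, base] = name.startsWith('@') ? name.slice(1).split('/') : [null, name];
  for (const k of KNOWN) {
    const [ks, kb] = k.startsWith('@') ? k.slice(1).split('/') : [null, k];
    const dist = editDistance(name, k);
    if (dist > 0 && dist <= 2) out.push(`typosquat candidate for ${k}`);
    else if (scope && ks && base === kb && scope !== ks) out.push(`scope differs from ${k}`);
    else if (name.startsWith(k + '-')) out.push(`extends known name ${k}`);
  }
  return out;
}
// Registry checks. `meta` is a simplified {created, maintainers, scripts} shape (assumed);
// the real registry document nests scripts under versions[<version>].scripts.
function auditPackage(name, meta, weeklyDownloads, expectedMaintainers, now) {
  const findings = nameFindings(name);
  if (!meta) return [...findings, 'not on registry (possible hallucination)'];
  const ageDays = Math.floor((now - Date.parse(meta.created)) / 86_400_000);
  if (ageDays < 30) findings.push(`created ${ageDays} days ago`);
  if (weeklyDownloads < 100) findings.push(`only ${weeklyDownloads} weekly downloads`);
  if (expectedMaintainers && !meta.maintainers.some(m => expectedMaintainers.includes(m)))
    findings.push(`maintainers [${meta.maintainers}] not in expected set`);
  for (const hook of ['preinstall', 'install', 'postinstall'])
    if (meta.scripts?.[hook]) findings.push(`${hook} script: ${meta.scripts[hook]}`);
  return findings;
}
// Constructed sample data (not real registry responses); NOW is pinned so results are stable.
const NOW = Date.parse('2025-06-01T00:00:00Z');
const SAMPLES = {
  'next-auth': { meta: { created: '2020-01-01T00:00:00Z', maintainers: ['nextauth-team'], scripts: {} }, downloads: 500000 },
  'next-auth-providers': { meta: { created: '2025-05-20T00:00:00Z', maintainers: ['new-acct'], scripts: { postinstall: 'node setup.js' } }, downloads: 12 },
  '@anthropic/sdk': { meta: null, downloads: 0 },
};
for (const [n, s] of Object.entries(SAMPLES)) console.log(n, auditPackage(n, s.meta, s.downloads, n === 'next-auth' ? ['nextauth-team'] : null, NOW));
```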
Preventing supply chain attacks going forward
- Always verify package names before installing — check npmjs.com directly
- Use `npm ci` instead of `npm install` in CI/CD so the lockfile is used exactly
- Enable Dependabot or Renovate for automated dependency updates
- When an AI suggests a package you don't recognize, search for it on npm before installing
- Consider using Socket.dev or Vezraa to scan your dependencies automatically