DEV Community

Pico

Posted on • Originally published at getcommit.dev

The Anthropic SDK Looks Safe. Two of Its Transitive Dependencies Are Not.


Sole maintainer. 10M+ weekly downloads. No release in over a year.

Run a standard supply chain audit on @anthropic-ai/sdk. You get this:

@anthropic-ai/sdk: score=86  14 maintainers  15.1M downloads/week  ✅ HEALTHY

Looks fine. Anthropic maintains it actively, large team, widely used. Move on.

Run it again at depth 2 — checking what the SDK's dependencies depend on:

@anthropic-ai/sdk         score=86  14 maint  15.1M/wk  ✅ HEALTHY
  └─ json-schema-to-ts    score=71   1 maint  14.9M/wk  🔴 CRITICAL: sole maintainer + >10M/wk
       └─ ts-algebra       score=64   1 maint  12.3M/wk  🔴 CRITICAL: sole maintainer + no release in 12+ months
       └─ @babel/runtime   score=93   4 maint  139M/wk   ✅ HEALTHY

json-schema-to-ts is the only runtime dependency of the Anthropic SDK. One maintainer. Nearly 15 million weekly downloads. The exact attack profile that hit LiteLLM in March 2026 and axios in March 2026.

ts-algebra — one level deeper — is also CRITICAL: sole maintainer, 12 million downloads per week, no release in over a year.

Neither shows up if you only audit your direct dependencies.

Why transitive risks are harder to see

When you run npm audit, it checks for known CVEs in your dependency tree. Good. But it doesn't tell you:

  • Which packages have a single maintainer who could be social-engineered
  • Which widely-used packages haven't been actively maintained
  • Which small packages have become load-bearing infrastructure without anyone noticing

json-schema-to-ts is a perfect example of the last one. It's a type utility, so it looks like a dev dependency. It's not — the Anthropic SDK ships it as a runtime dependency, meaning it runs in production in every app using Claude's API.

Nearly 15 million downloads a week. One maintainer. No public corporate backing.
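The gap described above is checkable without any hosted scanner. The following is an added example, not code from the post or from the Commit scanner: it walks an npm lockfile to a chosen depth and applies the two CRITICAL rules shown in the post's output (sole maintainer with more than 10M weekly downloads; sole maintainer with no release in 12 or more months). Package names are the ones from the post; the lockfile shape, versions, release dates and the fixed "today" are constructed placeholders, and the maintainer counts and download figures are the numbers quoted in the post. In a real run you would build the metadata map from `npm view <pkg> maintainers time --json` and the npm downloads API.

```javascript
// Added example, not from the post or the Commit scanner: walk an npm
// lockfile to a chosen depth and apply the two CRITICAL rules the post's
// output shows. Package names are the ones from the post; versions, dates
// and the lockfile shape are constructed placeholders.

// Constructed lockfileVersion-3 `packages` map. "" is the application itself.
const LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { dependencies: { "@anthropic-ai/sdk": "0.0.0-placeholder" } },
    "node_modules/@anthropic-ai/sdk": {
      version: "0.0.0-placeholder",
      dependencies: { "json-schema-to-ts": "0.0.0-placeholder" },
    },
    "node_modules/json-schema-to-ts": {
      version: "0.0.0-placeholder",
      dependencies: { "ts-algebra": "0.0.0-placeholder", "@babel/runtime": "0.0.0-placeholder" },
    },
    "node_modules/ts-algebra": { version: "0.0.0-placeholder" },
    "node_modules/@babel/runtime": { version: "0.0.0-placeholder" },
  },
};

// Constructed registry metadata, the kind of thing you would assemble from
// `npm view <pkg> maintainers time --json` and the npm downloads API.
// Maintainer counts and weekly downloads are the figures quoted in the post;
// the lastRelease dates are made up to exercise the staleness rule.
const META = {
  "@anthropic-ai/sdk": { maintainers: 14, weeklyDownloads: 15_100_000, lastRelease: "2026-03-01" },
  "json-schema-to-ts": { maintainers: 1, weeklyDownloads: 14_900_000, lastRelease: "2025-09-01" },
  "ts-algebra": { maintainers: 1, weeklyDownloads: 12_300_000, lastRelease: "2024-11-01" },
  "@babel/runtime": { maintainers: 4, weeklyDownloads: 139_000_000, lastRelease: "2026-02-15" },
};

const NOW = new Date("2026-04-01T00:00:00Z"); // fixed "today" so runs are reproducible
const HIGH_VOLUME = 10_000_000; // downloads/week above which a sole maintainer is CRITICAL
const STALE_MONTHS = 12; // months without a release after which a sole maintainer is CRITICAL

function monthsSince(isoDate, now = NOW) {
  const d = new Date(isoDate);
  return (now.getUTCFullYear() - d.getUTCFullYear()) * 12 + (now.getUTCMonth() - d.getUTCMonth());
}

// Apply the post's two rules. A package with no metadata is reported as
// UNKNOWN rather than silently passing.
function assess(name, meta) {
  if (!meta) return { name, level: "UNKNOWN", reasons: ["no registry metadata"] };
  const reasons = [];
  if (meta.maintainers === 1 && meta.weeklyDownloads > HIGH_VOLUME) reasons.push("sole maintainer + >10M/wk");
  if (meta.maintainers === 1 && monthsSince(meta.lastRelease) >= STALE_MONTHS) {
    reasons.push(`sole maintainer + no release in ${STALE_MONTHS}+ months`);
  }
  return { name, level: reasons.length ? "CRITICAL" : "OK", reasons };
}

// Breadth-first walk from rootName ("" = the app, or a package name) up to
// maxDepth edges away. Hoisted paths only; nested node_modules copies are
// not followed by this simplified walker. `seen` guards against cycles.
function walk(lock, rootName, maxDepth) {
  const keyOf = name => (name === "" ? "" : `node_modules/${name}`);
  const queue = [{ name: rootName, depth: 0, via: [] }];
  const seen = new Set();
  const out = [];
  while (queue.length) {
    const node = queue.shift();
    if (seen.has(node.name)) continue;
    seen.add(node.name);
    out.push(node);
    if (node.depth >= maxDepth) continue;
    const entry = lock.packages[keyOf(node.name)] || {};
    for (const child of Object.keys(entry.dependencies || {})) {
      queue.push({ name: child, depth: node.depth + 1, via: [...node.via, node.name] });
    }
  }
  return out;
}

function scan(lock, meta, rootName, maxDepth) {
  return walk(lock, rootName, maxDepth).map(n => ({ ...n, ...assess(n.name, meta[n.name]) }));
}

function criticalPackages(lock, meta, rootName, maxDepth) {
  return scan(lock, meta, rootName, maxDepth).filter(r => r.level === "CRITICAL").map(r => r.name);
}

// Tree-style report in the spirit of the post's output.
for (const r of scan(LOCK, META, "@anthropic-ai/sdk", 2)) {
  const flag = r.level === "CRITICAL" ? `CRITICAL: ${r.reasons.join("; ")}` : r.level;
  console.log(`${"  ".repeat(r.depth)}${r.name}  ${flag}`);
}
```

Scanning from the application root (`""`) at depth 1 returns no CRITICAL packages, at depth 2 it surfaces json-schema-to-ts, and only at depth 3 does ts-algebra appear; scanning from `@anthropic-ai/sdk` itself at depth 2 flags both, which is the post's view. The walker only follows hoisted `node_modules/<name>` paths, so a tree with nested duplicate copies would need the path-walking extended.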

The attack pattern

The attacks we've seen follow a consistent pattern:

  1. Find a widely-used package with a single maintainer
  2. Acquire access (account takeover, social engineering, or maintainer transfer)
  3. Publish a malicious version that looks like a routine update
  4. Wait

The LiteLLM compromise in March 2026 came via a backdoored Trivy GitHub Action in LiteLLM's CI pipeline. The ua-parser-js attack in October 2021 (CVE-2021-4229) targeted the package directly via credential compromise.

In both cases, the attack surface was visible from behavioral signals before the attack: single maintainer, high download volume, no organizational backing.

Scanning the full tree

The Commit supply chain scanner supports depth-2 tree traversal. Try it directly:

curl -X POST https://poc-backend.amdal-dev.workers.dev/api/graph/npm \
  -H "Content-Type: application/json" \
  -d '{"package": "@anthropic-ai/sdk", "depth": 2}'

Or via MCP (zero install — add to Claude Desktop, Cursor, Windsurf):

{
  "mcpServers": {
    "commit": {
      "type": "streamable-http",
      "url": "https://poc-backend.amdal-dev.workers.dev/mcp"
    }
  }
}

Then ask: "Map the dependency tree risk for @anthropic-ai/sdk at depth 2"

A few more examples

express at depth 2: no CRITICAL flags, but escape-html (1 maintainer, no release in 13 months) shows up as a transitive dep with score 39.

vercel/ai: husky shows up CRITICAL — 1 maintainer, 24.6M downloads/week. DevDependency, lower risk, but runs in CI everywhere.

langchain: several transitive dependencies with single maintainers and no recent releases.

The pattern: packages that look healthy at depth 1 often have riskier dependencies one level deeper.

What to do with this

A CRITICAL flag doesn't mean "stop using this package immediately." It means "this is your attack surface — know it."

For json-schema-to-ts: pin to a known-good version, monitor for unusual activity, understand that if it's compromised, your app is compromised.

The first step is visibility. Most teams don't know what's in their transitive dependency tree, and that's exactly the gap these attacks exploit.
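The two recommendations above, pinning and monitoring, can both be turned into CI checks. Here is an added example, not code from the post or from the Commit scanner, of how that might look. It assumes the pin is expressed with npm's `overrides` field (available in npm 8.3 and later), which forces every copy of a package in the tree to one exact version. The package.json and lockfile fragments, the placeholder versions and integrity hashes, and the maintainer handles in the registry snapshots are all constructed for the example.

```javascript
// Added example, not from the post or the Commit scanner: two CI checks for
// a pinned transitive dependency. All inputs are constructed; versions,
// hashes and maintainer handles are placeholders, not real releases.

// package.json with an npm `overrides` entry (npm >= 8.3). The override makes
// npm resolve json-schema-to-ts to this exact version wherever it appears.
const PACKAGE_JSON = {
  name: "my-app",
  dependencies: { "@anthropic-ai/sdk": "0.0.0-placeholder" },
  overrides: { "json-schema-to-ts": "1.0.0-placeholder" },
};

// lockfileVersion-3 `packages` map. The nested copy represents a lockfile
// that was not regenerated after the override was added.
const LOCK = {
  lockfileVersion: 3,
  packages: {
    "node_modules/json-schema-to-ts": {
      version: "1.0.0-placeholder",
      resolved: "https://registry.npmjs.org/json-schema-to-ts/-/json-schema-to-ts-1.0.0-placeholder.tgz",
      integrity: "sha512-PLACEHOLDER",
    },
    "node_modules/some-other-lib/node_modules/json-schema-to-ts": {
      version: "0.9.0-placeholder",
      resolved: "https://registry.npmjs.org/json-schema-to-ts/-/json-schema-to-ts-0.9.0-placeholder.tgz",
      integrity: "sha512-PLACEHOLDER2",
    },
  },
};

// Check 1: every installed copy of an overridden package matches the pin
// exactly and carries an integrity hash, so a swapped tarball fails `npm ci`.
function checkPins(pkg, lock) {
  const findings = [];
  for (const [name, pinned] of Object.entries(pkg.overrides || {})) {
    const copies = Object.entries(lock.packages).filter(
      ([path]) => path === `node_modules/${name}` || path.endsWith(`/node_modules/${name}`)
    );
    if (copies.length === 0) findings.push(`${name}: pinned in overrides but absent from lockfile`);
    for (const [path, entry] of copies) {
      if (entry.version !== pinned) findings.push(`${path}: version ${entry.version} != pinned ${pinned}`);
      if (!entry.integrity) findings.push(`${path}: missing integrity hash`);
    }
  }
  return findings;
}

// Check 2: "monitor for unusual activity". Two snapshots of the registry
// document for the package (as from `npm view <pkg> --json`, reduced to the
// fields that matter), taken on different days. Constructed values.
const SNAPSHOT_BEFORE = {
  maintainers: ["maintainer-a"],
  versions: ["1.0.0-placeholder"],
  latest: "1.0.0-placeholder",
};
const SNAPSHOT_AFTER = {
  maintainers: ["maintainer-b"],
  versions: ["1.0.0-placeholder", "1.0.1-placeholder"],
  latest: "1.0.1-placeholder",
};

// Report maintainer changes and new publishes; the combination of the two
// is the sequence the post describes (acquire access, then publish).
function diffSnapshots(name, before, after) {
  const alerts = [];
  const added = after.maintainers.filter(m => !before.maintainers.includes(m));
  const removed = before.maintainers.filter(m => !after.maintainers.includes(m));
  if (added.length || removed.length) {
    alerts.push(`${name}: maintainers changed (added: ${added.join(",") || "none"}; removed: ${removed.join(",") || "none"})`);
  }
  const newVersions = after.versions.filter(v => !before.versions.includes(v));
  if (newVersions.length) alerts.push(`${name}: new versions published: ${newVersions.join(", ")}`);
  if (newVersions.length && added.length) {
    alerts.push(`${name}: publish immediately after a maintainer change; hold the upgrade and review the diff`);
  }
  return alerts;
}

console.log(checkPins(PACKAGE_JSON, LOCK));
console.log(diffSnapshots("json-schema-to-ts", SNAPSHOT_BEFORE, SNAPSHOT_AFTER));
```

The pin check fails the build when a nested copy still resolves to another version, which is the usual sign that `package-lock.json` was not regenerated after the override was added. The snapshot diff is deliberately noisy: a maintainer change on its own is worth a look, and a release that follows one should block an automatic upgrade until someone has read the published tarball.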


Scanner at getcommit.dev/audit — open source: github.com/piiiico/proof-of-commitment. No install, no API key.
