The Anthropic SDK Looks Safe. Two of Its Transitive Dependencies Aren't.
Sole maintainer. 10M+ weekly downloads. No release in over a year.
Run a standard supply chain audit on @anthropic-ai/sdk. You get this:
```
@anthropic-ai/sdk: score=86 14 maintainers 13M downloads/week ✅ HEALTHY
```
Looks fine. Anthropic maintains it actively, large team, widely used. Move on.
Run it again at depth 2 — checking what the SDK's dependencies depend on:
```
@anthropic-ai/sdk       score=86  14 maint  13M/wk  ✅ HEALTHY
└─ json-schema-to-ts    score=71   1 maint  12M/wk  🔴 CRITICAL: sole maintainer + >10M/wk
   ├─ ts-algebra        score=40   1 maint  —       ⚠️ WARN: no release in 12+ months
   └─ @babel/runtime    score=70   4 maint  —       ✅ HEALTHY
```
json-schema-to-ts is the only runtime dependency of the Anthropic SDK. One maintainer. Twelve million weekly downloads. The exact attack profile that hit LiteLLM in March and axios in April.
ts-algebra — one level deeper — hasn't had a release in over a year.
Neither shows up if you only audit your direct dependencies.
Why transitive risks are harder to see
When you run npm audit, it checks for known CVEs in your dependency tree. That's good. But it doesn't tell you:
- Which packages have a single maintainer who could be social-engineered
- Which widely-used packages haven't been actively maintained
- Which small packages have become load-bearing infrastructure without anyone noticing
json-schema-to-ts is a perfect example of the last one. It's a type utility, so it looks like a dev dependency. It's not. The Anthropic SDK ships it as a runtime dependency — meaning it runs in production in every app using Claude's API.
12 million downloads a week. One maintainer. No public corporate backing.
The attack pattern
The attacks we've seen follow a consistent pattern:
- Find a widely-used package with a single maintainer
- Acquire access (account takeover, social engineering, or the maintainer transfers it)
- Publish a malicious version that looks like a routine update
- Wait
The LiteLLM attack in March 2026 exploited opentelemetry-instrumentation-openai — a solo-maintained package with 10M+ weekly downloads. The axios attack in April 2026 targeted the package directly.
In both cases, the attack surface was visible in behavioral signals: single maintainer, high download volume, no organizational backing.
Scanning the full tree
The Commit supply chain scanner now supports depth-2 tree traversal. Scroll down on the audit page to the "Transitive risk" section and try it yourself:
```bash
# Via API
curl -X POST https://poc-backend.amdal-dev.workers.dev/api/graph/npm \
  -H "Content-Type: application/json" \
  -d '{"package": "@anthropic-ai/sdk", "depth": 2}'
```
Or via MCP (zero install — add to Claude Desktop, Cursor, or Windsurf):
```json
{
  "mcpServers": {
    "commit": {
      "type": "streamable-http",
      "url": "https://poc-backend.amdal-dev.workers.dev/mcp"
    }
  }
}
```
Then ask: "Map the dependency tree risk for @anthropic-ai/sdk at depth 2"
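To make the depth argument concrete, here is an added example (not the Commit scanner's code, and not part of the original post) of the traversal and the two flagging rules the output above shows: CRITICAL for a sole maintainer with more than 10M weekly downloads, WARN for no release in 12 or more months. `REGISTRY` is constructed to mirror the post's tree; the maintainer counts and download volumes are the post's figures, the release dates and the "today" value are assumptions, and in a real run those fields would come from the registry packument and the downloads API. `depth` counts levels below the audited package, so `depth` 2 corresponds to the `"depth": 2` in the API call.

```javascript
// Added example, not the Commit scanner's code: a depth-limited walk over
// npm-registry-style metadata that flags the behavioral signals the post uses.
// REGISTRY is CONSTRUCTED to mirror the post's tree (maintainer counts and
// download volumes are the post's figures; release dates are assumed).
const NOW = Date.parse("2026-05-01T00:00:00Z"); // assumed "today" for the staleness check
const MONTH_MS = 30 * 24 * 60 * 60 * 1000;
const HIGH_VOLUME = 10000000;                    // >10M/wk, the post's CRITICAL threshold

const REGISTRY = {
  "@anthropic-ai/sdk": { maintainers: 14, deps: ["json-schema-to-ts"],
                         lastRelease: "2026-04-20", weekly: 13000000 },
  "json-schema-to-ts": { maintainers: 1, deps: ["ts-algebra", "@babel/runtime"],
                         lastRelease: "2026-02-10", weekly: 12000000 },
  "ts-algebra":        { maintainers: 1, deps: [],
                         lastRelease: "2024-11-15", weekly: null }, // volume unknown ("—")
  "@babel/runtime":    { maintainers: 4, deps: [],
                         lastRelease: "2026-03-30", weekly: null },
};

// Score one package with the two rules the post's output shows:
// CRITICAL = sole maintainer AND >10M weekly downloads; WARN = no release in 12+ months.
function classify(name, meta) {
  const monthsSinceRelease = (NOW - Date.parse(meta.lastRelease)) / MONTH_MS;
  const signals = {
    soleMaintainer: meta.maintainers === 1,
    highVolume: meta.weekly !== null && meta.weekly > HIGH_VOLUME,
    stale: monthsSinceRelease >= 12,
  };
  let level = "HEALTHY";
  if (signals.soleMaintainer && signals.highVolume) level = "CRITICAL";
  else if (signals.stale) level = "WARN";
  return { name, level, signals };
}

// Walk runtime dependencies `depth` levels below `root`.
// Each package is reported once, so diamond dependencies don't inflate the list.
function walk(registry, root, depth) {
  const seen = new Set();
  const rows = [];
  function visit(name, d) {
    if (seen.has(name)) return;
    seen.add(name);
    const meta = registry[name];
    if (!meta) { rows.push({ name, level: "UNKNOWN", depth: d, signals: {} }); return; }
    rows.push({ ...classify(name, meta), depth: d });
    if (d < depth) for (const dep of meta.deps) visit(dep, d + 1);
  }
  visit(root, 0);
  return rows;
}

// Names of everything that is not HEALTHY within `depth` levels of `root`.
function findingsAtDepth(registry, root, depth) {
  return walk(registry, root, depth).filter((r) => r.level !== "HEALTHY").map((r) => r.name);
}

// Plain-text tree, one line per package, indented by depth.
function render(rows) {
  return rows
    .map((r) => `${"   ".repeat(r.depth)}${r.depth ? "└─ " : ""}${r.name}  ${r.level}`)
    .join("\n");
}

console.log(render(walk(REGISTRY, "@anthropic-ai/sdk", 0))); // root only: nothing flagged
console.log(render(walk(REGISTRY, "@anthropic-ai/sdk", 2))); // CRITICAL and WARN appear
```

Running it at depth 0 reports nothing, at depth 1 only json-schema-to-ts, and at depth 2 both json-schema-to-ts and ts-algebra, which is the "looks healthy at depth 1" effect the post describes. The `seen` set matters on real trees: the same package is typically reached by several paths, and without it a single risky package would be counted many times.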
A few more examples
I ran the same depth-2 audit on a few popular packages:
express at depth 2: no CRITICAL flags, but escape-html (1 maintainer, no release in 13 months) shows up as a transitive dependency with a score of 39. Not critical volume, but worth knowing.
vercel/ai (via GitHub repo audit): husky shows up as CRITICAL — 1 maintainer, 24.6M downloads/week. It's a devDependency, so lower risk than a runtime dep. But it runs in CI for most projects using this framework.
langchain: several transitive dependencies with single maintainers and no recent releases.
The pattern: packages that look healthy at depth 1 often have riskier dependencies one level deeper.
What to do with this
A CRITICAL flag doesn't mean "stop using this package immediately." It means "this is your attack surface — know it."
For json-schema-to-ts: it's used by the Anthropic SDK for schema validation. There's not much you can do about it directly. But you can:
- Pin to a known-good version and verify on updates
- Monitor the package for unusual activity
- Understand that if this package gets compromised, your app gets compromised
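The first two items above (pin a known-good version, verify on updates) can be turned into a check that runs after every lockfile refresh. The following is an added example and not code from the post or the Commit project: it reads an npm `lockfileVersion` 3 `packages` map and compares every installed copy of each pinned transitive package against the version and integrity hash you vetted. `LOCKFILE` and `PINS` are constructed; the `0.0.0-example` versions and `sha512-PLACEHOLDER-*` strings are placeholders, not the values of any real release.

```javascript
// Added example, not from the post or the Commit project: verify that the
// transitive packages you care about still resolve to the version and integrity
// hash you vetted. LOCKFILE and PINS are CONSTRUCTED; the versions and sha512
// strings are placeholders, not the values of any real release.
const PINS = {
  "json-schema-to-ts": { version: "0.0.0-example", integrity: "sha512-PLACEHOLDER-JSTS" },
  "ts-algebra":        { version: "0.0.0-example", integrity: "sha512-PLACEHOLDER-TSALG" },
};

// Shape of an npm lockfileVersion 3 "packages" map: keys are install paths.
const LOCKFILE = {
  lockfileVersion: 3,
  packages: {
    "": { dependencies: { "@anthropic-ai/sdk": "*" } },
    "node_modules/@anthropic-ai/sdk": { version: "0.0.0-example",
      integrity: "sha512-PLACEHOLDER-SDK", dependencies: { "json-schema-to-ts": "*" } },
    "node_modules/json-schema-to-ts": { version: "0.0.0-example",
      integrity: "sha512-PLACEHOLDER-JSTS", dependencies: { "ts-algebra": "*" } },
    // constructed drift: a lockfile refresh pulled a newer ts-algebra than the one vetted
    "node_modules/ts-algebra": { version: "0.0.0-example-bumped",
      integrity: "sha512-PLACEHOLDER-TSALG-NEW" },
  },
};

// Package name from a lockfile path ("node_modules/a/node_modules/@s/b" -> "@s/b").
function packageName(installPath) {
  const i = installPath.lastIndexOf("node_modules/");
  return i === -1 ? null : installPath.slice(i + "node_modules/".length);
}

// Compare every installed copy of each pinned package against its pin.
// Returns one finding per copy, or one "missing" finding if none is installed.
function verifyPins(lockfile, pins) {
  const findings = [];
  for (const [name, pin] of Object.entries(pins)) {
    const copies = Object.entries(lockfile.packages).filter(([p]) => packageName(p) === name);
    if (copies.length === 0) {
      findings.push({ name, path: null, status: "missing" });
      continue;
    }
    for (const [path, entry] of copies) {
      let status = "ok";
      if (entry.version !== pin.version) status = "version-drift";
      else if (entry.integrity !== pin.integrity) status = "integrity-mismatch";
      findings.push({ name, path, status, installed: entry.version });
    }
  }
  return findings;
}

// Names of pinned packages that are missing, drifted, or have a different tarball hash.
function driftedPackages(lockfile, pins) {
  return verifyPins(lockfile, pins).filter((f) => f.status !== "ok").map((f) => f.name);
}

console.log(verifyPins(LOCKFILE, PINS));
```

The integrity comparison is the part that matters for "verify on updates": it catches a tarball that differs from the one you reviewed even when the version string is unchanged. Nested copies (`node_modules/a/node_modules/b`) are checked too, since a second copy of a pinned package deeper in the tree is exactly the kind of thing a depth-1 review misses. To hold a transitive package at the vetted version, npm's `overrides` field in package.json forces the resolution; running this check in CI after `npm install` or a lockfile refresh turns the pin into a gate.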
The first step is visibility. Most teams don't know what's in their transitive dependency tree, and that's exactly the gap these attacks exploit.
The supply chain scanner at getcommit.dev/audit is open source: github.com/piiiico/proof-of-commitment. No install, no API key — paste a package name and see what's hiding.