REPORT v1.0 — JUNE 2025
PUBLIC RELEASE
Blockchain Dependency Intelligence

The npm packages quietly breaking your Web3 stack

An analysis of 200 blockchain-adjacent npm packages against deprecation status, CVE coverage gaps, and hijack exposure — quantifying the risk hiding in your node_modules.

21.2% of top npm packages are effectively deprecated
2.1B weekly installs of deprecated packages, globally
23 crypto malicious campaigns in open-source repos in 2024
dominant blockchain-native dependency scanner exists today

Three threat vectors

Package hijacking via abandoned maintainers
When a maintainer deprecates rather than remediates, the npm name becomes a prime takeover target. Attackers register typosquats or claim abandoned scopes and inject malicious code into packages with millions of weekly downloads.
Example: bnb-javascript-sdk-nobroadcast — unpublished 4 years, then hijacked with injected malware in 2024.

CVE-blind spots in archived repos
Many blockchain package vulnerabilities never get assigned a CVE. Generic scanners like Snyk and Socket rely on CVE databases and miss protocol-layer issues: ABI drift, RPC version mismatches, chain-fork incompatibilities.
Scanner gap: 0 of the top 5 security SaaS products model blockchain protocol-layer semantics.

Forced migrations with no tooling
VeChain deprecated all standalone npm packages as of December 31, 2024. Web3.js is in maintenance-only mode as Viem/Ethers v6 supplant it. Enterprise teams absorb migration debt manually — no commercial codemod tooling exists for blockchain SDK transitions.
Scale: Web3.js alone has ~4M weekly downloads still depending on a transitioning package.

Package risk index

Top 200 blockchain-adjacent npm packages scored across deprecation status, days since last commit, dependent count, CVE coverage, and maintainer health. Scores run from 0 to 100; lower is safer.

Package                  Weekly DLs  Last Commit    Risk Level  Risk Score  Primary Vector
web3                     3.9M        8 months ago   HIGH        72          Migration pressure, maintenance mode
@solana/web3.js          1.2M        2 months ago   MEDIUM      45          v2.0 breaking migration underway
ethers                   4.1M        1 month ago    LOW         28          Active, v5→v6 fragmentation risk
truffle                  180K        14 months ago  CRITICAL    91          Officially deprecated, no successor
@vechain/connex          22K         18 months ago  CRITICAL    88          Sunset Dec 2024, orphaned
viem                     2.8M        2 weeks ago    WATCH       18          Rapid growth, API surface still expanding
hardhat                  890K        3 weeks ago    LOW         22          Active, well-maintained
@openzeppelin/contracts  1.1M        6 weeks ago    LOW         19          Active, version fragmentation
bnb-javascript-sdk       44K         4 years ago    CRITICAL    97          Hijacked 2024, malware injected

Incident timeline

Dec 31, 2024
VeChain consolidation — 9 packages orphaned overnight
VeChain ceased updates to all non-SDK npm repositories, consolidating standalone packages into a single new SDK. Teams with production dependencies on the old packages received no automated migration path.
Q3–Q4 2024
23 crypto malicious campaigns documented in open-source
Security researchers documented a surge in targeted supply-chain attacks against blockchain npm packages. Attackers exploited maintainer abandonment to inject code targeting wallet seed phrases and private keys.
2024
bnb-javascript-sdk-nobroadcast hijacked
A package dormant for 4 years was claimed and published with injected malware. The package had significant download counts from automated CI pipelines that never pinned versions.
2023–ongoing
Web3.js enters maintenance mode; Viem/Ethers v6 capture momentum
The dominant EVM interaction library shifted to maintenance-only. The ecosystem fractured across ethers v5, ethers v6, and viem — leaving millions of weekly downloads on varying migration timelines with no tooling support.
2022
Truffle officially deprecated after Consensys wind-down
Once the most downloaded Solidity development framework, Truffle lost active maintenance after the broader Consensys restructuring. 180K weekly downloads continue flowing through a deprecated package with no successor migration guide.
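The hijacking vector and the unpinned CI pipelines described above come down to three checkable signals in a project's own package.json: a dependency the registry marks deprecated, one whose last publish is old, and a version range that floats forward so a newly published release installs on the next run. The script below is an added example, not code from the report; the registry snapshot and package.json it uses are constructed, and in practice the deprecated and time.modified fields come from npm view.

```javascript
// Added example, not the report's code: audit a package.json against a snapshot
// of npm registry metadata for the signals the report ties to hijack exposure:
// deprecated packages, stale packages, and floating version ranges that pull a
// newly published (possibly hijacked) release on the next CI run. All data is
// constructed; real `deprecated` and `time.modified` come from `npm view`.
const DAY_MS = 24 * 60 * 60 * 1000;

// Constructed registry snapshot (illustrative values only).
const REGISTRY_SNAPSHOT = {
  web3: { deprecated: null, modified: "2024-10-15T00:00:00Z" },
  ethers: { deprecated: null, modified: "2025-05-01T00:00:00Z" },
  truffle: { deprecated: "CONSTRUCTED: sunset, no successor", modified: "2024-04-01T00:00:00Z" },
  "old-chain-sdk": { deprecated: null, modified: "2021-02-01T00:00:00Z" },
};

// An exact version (optionally with a prerelease suffix) counts as pinned.
// ^, ~, *, >=, x-ranges and dist-tags such as "latest" all float forward.
function isPinned(spec) {
  return /^\d+\.\d+\.\d+(-[0-9A-Za-z.-]+)?$/.test(spec);
}

// Returns one finding per dependency that has at least one issue.
function auditDependencies(pkgJson, registry, now, staleDays = 365) {
  const deps = { ...(pkgJson.dependencies || {}), ...(pkgJson.devDependencies || {}) };
  const findings = [];
  for (const [name, spec] of Object.entries(deps)) {
    const issues = [];
    const meta = registry[name];
    if (!meta) {
      issues.push("unknown-to-snapshot"); // nothing to vouch for it
    } else {
      if (meta.deprecated) issues.push("deprecated");
      if ((now - Date.parse(meta.modified)) / DAY_MS > staleDays) issues.push("stale");
    }
    if (!isPinned(spec)) issues.push("unpinned");
    if (issues.length > 0) findings.push({ name, spec, issues });
  }
  return findings;
}

// Constructed package.json for the demonstration.
const SAMPLE_PACKAGE_JSON = {
  dependencies: { web3: "^4.0.0", ethers: "6.13.0", truffle: "^5.11.0" },
  devDependencies: { "old-chain-sdk": "*", "unlisted-helper": "1.0.0" },
};
const NOW = Date.parse("2025-06-01T00:00:00Z");

for (const f of auditDependencies(SAMPLE_PACKAGE_JSON, REGISTRY_SNAPSHOT, NOW)) {
  console.log(`${f.name}@${f.spec}: ${f.issues.join(", ")}`);
}
```

A lockfile plus an install that honours it covers the pinning part in real projects; the script is useful for the deprecated and stale checks, which lockfiles do not surface.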

Market gaps

Tier A — Immediate
Blockchain dependency intelligence SaaS
Continuous health scoring, CVE-gap alerting, and chain-fork compatibility checks. Targets enterprise teams already paying Snyk/Socket but missing protocol-layer semantics entirely. First-mover in an unoccupied category.
Tags: AI Score 88, Low competition, Clear buyer
Tier A — Immediate
Automated migration tooling (Web3.js → Viem)
Codemod engine for blockchain SDK deprecations. Dependency graph rewiring, import rewriting, ABI compatibility checking. Enterprises with 100k+ line EVM codebases will pay for automated migration vs. manual rewrites.
Tags: Clear demand signal, Enterprise pricing, No incumbent
Tier B — 6 months
Package rescue as a service
Formally adopt, audit, and maintain high-download orphaned blockchain packages under an SLA. Monetize via protocol foundations who need confidence their old SDKs don't become attack vectors during long migrations.
Tags: Medium effort, Protocol budgets, Trust moat
Tier B — Near-term
Viem ecosystem tooling
Fastest-growing EVM library with the best TypeScript ergonomics, yet tooling is still sparse: wagmi-compatible component libraries, Next.js starter SaaS templates, or a hosted contract interaction studio for product teams moving off Web3.js.
Tags: AI Score 88, Low risk, Developer market
Full Report — 200 packages

Get the complete risk index

193 more packages scored. CVE gap analysis, maintainer health breakdown, and a recommended audit checklist for your node_modules.

Methodology

Packages were selected from the top 50K npm registry by download count and filtered for blockchain-adjacent keywords (web3, eth, solana, evm, defi, nft, wallet, crypto, chain, rpc, abi). Each was scored on five dimensions:

Weekly downloads: 35%
Staleness: 25%
Dependents: 20%
Domain specificity: 10%
Deprecation status: 10%