Blockchain Dependency Risk Report 2025
Blockchain Dependency Intelligence
The npm packages<br>quietly breaking<br>your Web3 stack
An analysis of 200 blockchain-adjacent npm packages against deprecation status, CVE coverage gaps, and hijack exposure: quantifying the risk hiding in your node_modules.
21.2%
of top npm packages are effectively deprecated
2.1B
weekly installs of deprecated packages, globally
23
crypto-targeting malicious campaigns in open-source repos in 2024
No dominant blockchain-native dependency scanner exists today
01<br>Three threat vectors
Package hijacking via abandoned maintainers
When a maintainer deprecates rather than remediates, the npm name becomes a prime takeover target. Attackers register typosquats or claim abandoned names and scopes, then inject malicious code into packages with millions of weekly downloads.
Example: bnb-javascript-sdk-nobroadcast, with no release for 4 years, was republished with injected malware in 2024.
CVE blind spots in archived repos
Many blockchain package vulnerabilities are never assigned a CVE. Generic scanners such as Snyk and Socket rely on advisory databases and miss protocol-layer breakage: ABI drift, RPC version mismatches, chain-fork incompatibilities.
Scanner gap: 0 of the top 5 security SaaS products model blockchain protocol-layer semantics.
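One concrete form of the protocol-layer breakage a CVE-keyed scanner cannot see is ABI drift: a package ships a contract ABI whose functions no longer match what the calling code was written against. The following is an added example written for this page, not code from the report or from any scanner it names. It compares two ABIs by canonical function signature (the string Solidity hashes to derive the 4-byte selector), so a renamed function, a retyped argument or a changed struct component surfaces as a removed selector, while a changed return shape on an unchanged selector is reported separately because that case decodes wrongly rather than reverting. Both ABIs are constructed for illustration and describe no real contract.

```javascript
// Added example, not code from the report or from any scanner it names.
// Detects ABI drift between the ABI calling code was written against and the
// ABI a package now ships. Both ABIs below are constructed for illustration.

// Render a parameter type the way selector hashing sees it, so a change inside a
// struct (tuple) component shows up as a changed signature.
function canonicalType(param) {
  if (param.type.startsWith("tuple")) {
    const inner = "(" + (param.components || []).map(canonicalType).join(",") + ")";
    return inner + param.type.slice("tuple".length); // keeps "[]" / "[3]" suffixes
  }
  return param.type;
}

// "transfer(address,uint256)": the string whose keccak256 prefix is the 4-byte selector.
function signature(fn) {
  return `${fn.name}(${(fn.inputs || []).map(canonicalType).join(",")})`;
}

function outputShape(fn) {
  return (fn.outputs || []).map(canonicalType).join(",");
}

function indexFunctions(abi) {
  const bySig = new Map();
  for (const item of abi) {
    if (item.type === "function") bySig.set(signature(item), item);
  }
  return bySig;
}

// `expected` is the ABI the calling code was written against; `actual` is the ABI
// the package now ships. Removed and changed entries break callers; added entries
// do not, but are listed so a reviewer can see what arrived.
function abiDrift(expected, actual) {
  const exp = indexFunctions(expected);
  const act = indexFunctions(actual);
  const drift = { removed: [], added: [], changed: [] };
  for (const [sig, fn] of exp) {
    const shipped = act.get(sig);
    if (!shipped) {
      drift.removed.push(sig); // selector gone: calls revert or land in the fallback
      continue;
    }
    // Same selector, different return shape: the call succeeds on-chain and the
    // client mis-decodes the result. No advisory database will ever flag this.
    if (outputShape(fn) !== outputShape(shipped)) {
      drift.changed.push(`${sig}: returns (${outputShape(fn)}) -> (${outputShape(shipped)})`);
    }
    if (fn.stateMutability !== shipped.stateMutability) {
      drift.changed.push(`${sig}: ${fn.stateMutability} -> ${shipped.stateMutability}`);
    }
  }
  for (const sig of act.keys()) if (!exp.has(sig)) drift.added.push(sig);
  return drift;
}

// Constructed ABIs for a fictional contract, not taken from any real package.
const EXPECTED_ABI = [
  { type: "function", name: "transfer", stateMutability: "nonpayable",
    inputs: [{ type: "address" }, { type: "uint256" }], outputs: [{ type: "bool" }] },
  { type: "function", name: "balanceOf", stateMutability: "view",
    inputs: [{ type: "address" }], outputs: [{ type: "uint256" }] },
  { type: "function", name: "quote", stateMutability: "view",
    inputs: [{ type: "tuple[]", components: [{ type: "address" }, { type: "uint256" }] }],
    outputs: [{ type: "uint256" }] },
  { type: "event", name: "Transfer", inputs: [] },
];

const SHIPPED_ABI = [
  { type: "function", name: "transfer", stateMutability: "nonpayable",
    inputs: [{ type: "address" }, { type: "uint256" }], outputs: [{ type: "bool" }] },
  // return shape changed: same selector, one extra word in the result
  { type: "function", name: "balanceOf", stateMutability: "view",
    inputs: [{ type: "address" }], outputs: [{ type: "uint256" }, { type: "uint256" }] },
  // struct component narrowed: the selector changes, so old callers revert
  { type: "function", name: "quote", stateMutability: "view",
    inputs: [{ type: "tuple[]", components: [{ type: "address" }, { type: "uint128" }] }],
    outputs: [{ type: "uint256" }] },
  { type: "function", name: "permit", stateMutability: "nonpayable",
    inputs: [{ type: "address" }, { type: "address" }, { type: "uint256" }], outputs: [] },
];

function sampleDrift() {
  return abiDrift(EXPECTED_ABI, SHIPPED_ABI);
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(JSON.stringify(sampleDrift(), null, 2));
}
```

Run as a script it prints the drift for the two constructed ABIs: `quote` is reported as removed and re-added under a new signature because a struct component changed type, `balanceOf` is reported as changed because its return shape grew, and `permit` is listed as added. In a real pipeline the `expected` side would be the ABI checked in beside the calling code and the `actual` side the ABI extracted from the package version the lockfile resolves to.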
Forced migrations with no tooling
VeChain deprecated all of its standalone npm packages as of December 31, 2024. Web3.js is in maintenance-only mode as Viem and Ethers v6 supplant it. Enterprise teams absorb the migration debt manually; no commercial codemod tooling exists for blockchain SDK transitions.
Scale: web3 alone still sees ~4M weekly downloads of a package in transition.
02<br>Package risk index
The top 200 blockchain-adjacent npm packages, scored across deprecation status, days since last commit, dependent count, CVE coverage and maintainer health. Scores run from 0 to 100; lower is safer.
Package<br>Weekly downloads<br>Last commit<br>Risk level<br>Risk score<br>Primary vector
web3<br>3.9M<br>8 months ago<br>HIGH<br>72<br>Migration pressure, maintenance mode
@solana/web3.js<br>1.2M<br>2 months ago<br>MEDIUM<br>45<br>v2.0 breaking migration underway
ethers<br>4.1M<br>1 month ago<br>LOW<br>28<br>Active; v5/v6 fragmentation risk
truffle<br>180K<br>14 months ago<br>CRITICAL<br>91<br>Officially deprecated, no drop-in successor
@vechain/connex<br>22K<br>18 months ago<br>CRITICAL<br>88<br>Sunset Dec 2024, orphaned
viem<br>2.8M<br>2 weeks ago<br>WATCH<br>18<br>Rapid growth, API surface still expanding
hardhat<br>890K<br>3 weeks ago<br>LOW<br>22<br>Active, well maintained
@openzeppelin/contracts<br>1.1M<br>6 weeks ago<br>LOW<br>19<br>Active, version fragmentation
bnb-javascript-sdk-nobroadcast<br>44K<br>4 years ago<br>CRITICAL<br>97<br>Hijacked 2024, malware injected
193 more packages in the full report; enter your email above to unlock.
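The hijack vector described in section 01 and the risk index above both come down to signals the public npm registry already serves for every package: the `time` map of publish dates, the per-version `_npmUser` publisher, the `deprecated` message and any install-time `scripts`. Below is an added example, written for this page rather than taken from the report, of a scorer over that metadata. It awards points for deprecation, staleness, a release that arrives after years of silence, a publisher never seen on the package before, and install hooks, then grades the total the way the table does. It also flags dependency specs that resolve at install time, which is the failure mode behind the bnb-javascript-sdk-nobroadcast entry in the timeline below, where unpinned CI pipelines pulled the hijacked release automatically. The weights, thresholds and the three package documents are assumptions constructed for illustration; the report's own weighting is not published on this page.

```javascript
// Added example, not the report's code: an abandonment / hijack risk scorer over
// npm-registry-shaped package documents (the JSON at https://registry.npmjs.org/<name>)
// plus a pin check for dependency specs. Weights, thresholds and documents are assumed.
const DAY_MS = 24 * 60 * 60 * 1000;
const NOW = Date.parse("2025-01-15T00:00:00Z"); // fixed clock so the run is reproducible

// Assumed weights; each contributes to a 0-100 score where higher is riskier.
const WEIGHTS = {
  deprecated: 40,           // latest version carries a registry `deprecated` message
  revivedAfterDormancy: 40, // first release in over two years, and it is recent
  newPublisher: 25,         // latest release pushed by an account never seen on the package
  installScript: 15,        // latest release runs code at install time
  stalePerMonth: 1,         // one point per month since the last release, capped at staleCap
  staleCap: 30,
};

const daysBetween = (earlier, later) => Math.round((later - earlier) / DAY_MS);

// The registry `time` map mixes `created`/`modified` with per-version publish
// timestamps; flatten it into a chronologically sorted release list.
function releases(doc) {
  return Object.entries(doc.time)
    .filter(([key]) => key !== "created" && key !== "modified")
    .map(([version, iso]) => ({ version, at: Date.parse(iso), meta: doc.versions[version] || {} }))
    .sort((a, b) => a.at - b.at);
}

function riskLevel(score) {
  return score >= 75 ? "CRITICAL" : score >= 50 ? "HIGH" : score >= 25 ? "MEDIUM" : "LOW";
}

function scorePackage(doc, now = NOW) {
  const rel = releases(doc);
  const latest = rel[rel.length - 1];
  const reasons = [];
  let score = 0;
  if (latest.meta.deprecated) {
    score += WEIGHTS.deprecated;
    reasons.push(`deprecated: ${latest.meta.deprecated}`);
  }
  const monthsStale = Math.floor(daysBetween(latest.at, now) / 30);
  const stale = Math.min(WEIGHTS.staleCap, monthsStale * WEIGHTS.stalePerMonth);
  if (stale > 0) { score += stale; reasons.push(`${monthsStale} months since last release`); }
  // Hijack signature: years of silence, then a fresh release.
  if (rel.length > 1) {
    const gap = daysBetween(rel[rel.length - 2].at, latest.at);
    if (gap > 730 && daysBetween(latest.at, now) <= 90) {
      score += WEIGHTS.revivedAfterDormancy;
      reasons.push(`revived after ${gap} days of dormancy`);
    }
  }
  // Publisher turnover: the account behind the latest release never pushed an earlier one.
  const seen = new Set(rel.slice(0, -1).map((r) => r.meta._npmUser && r.meta._npmUser.name));
  const publisher = latest.meta._npmUser && latest.meta._npmUser.name;
  if (seen.size > 0 && publisher && !seen.has(publisher)) {
    score += WEIGHTS.newPublisher;
    reasons.push(`latest release published by new account ${publisher}`);
  }
  const scripts = latest.meta.scripts || {};
  const hooks = ["preinstall", "install", "postinstall"].filter((h) => scripts[h]);
  if (hooks.length > 0) { score += WEIGHTS.installScript; reasons.push(`install-time scripts: ${hooks.join(", ")}`); }
  score = Math.min(100, score);
  return { name: doc.name, score, level: riskLevel(score), reasons };
}

// Only exact versions ("1.2.3", "1.2.3-rc.1") count as pinned; ranges, dist-tags
// such as `latest`, and URLs are flagged because they resolve at install time.
const EXACT_VERSION = /^\d+\.\d+\.\d+(-[0-9A-Za-z.-]+)?$/;
function unpinned(dependencies) {
  return Object.entries(dependencies)
    .filter(([, spec]) => !EXACT_VERSION.test(spec))
    .map(([name, spec]) => `${name}@${spec}`);
}

// Constructed registry documents: same shape as the real registry, fictional packages.
const SAMPLE_DOCS = [
  { name: "example-active-sdk",
    time: { created: "2024-06-01T00:00:00Z", "1.0.0": "2024-06-01T00:00:00Z", "1.1.0": "2024-12-20T00:00:00Z" },
    versions: { "1.0.0": { _npmUser: { name: "maint-a" } }, "1.1.0": { _npmUser: { name: "maint-a" } } } },
  { name: "example-deprecated-framework",
    time: { "5.0.0": "2022-03-01T00:00:00Z", "5.1.0": "2023-06-15T00:00:00Z" },
    versions: { "5.0.0": { _npmUser: { name: "maint-b" } },
                "5.1.0": { _npmUser: { name: "maint-b" }, deprecated: "no longer maintained" } } },
  { name: "example-dormant-sdk",
    time: { "0.9.0": "2019-11-02T00:00:00Z", "0.9.1": "2019-12-10T00:00:00Z", "1.0.0": "2025-01-10T00:00:00Z" },
    versions: { "0.9.0": { _npmUser: { name: "orig-maint" } }, "0.9.1": { _npmUser: { name: "orig-maint" } },
                "1.0.0": { _npmUser: { name: "new-acct" }, scripts: { postinstall: "node setup.js" } } } },
];
// Constructed package.json `dependencies` block for the pin check.
const SAMPLE_DEPS = { "example-active-sdk": "1.1.0", "example-deprecated-framework": "^5.0.0", "example-dormant-sdk": "latest" };

function report() {
  return { packages: SAMPLE_DOCS.map((doc) => scorePackage(doc)), unpinned: unpinned(SAMPLE_DEPS) };
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(JSON.stringify(report(), null, 2));
}
```

Against the three constructed documents the scorer rates the actively maintained package LOW (0), the deprecated one HIGH (59: the deprecation message plus nineteen months of silence), and the dormant-then-revived one CRITICAL (80: a release after five years of silence, pushed by an account that never published the package before, carrying a postinstall hook). The pin check flags `^5.0.0` and `latest` but accepts `1.1.0`; in a real CI job it would be run over the lockfile's resolved versions, with the registry documents fetched rather than embedded.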
03<br>Incident timeline
Dec 31, 2024
VeChain consolidation: 9 packages orphaned overnight
VeChain ceased updates to all non-SDK npm repositories, consolidating standalone packages into a single new SDK. Teams with production dependencies on the old packages received no automated migration path.
Q3-Q4 2024
23 crypto-targeting malicious campaigns documented in open-source repos
Security researchers documented a surge in targeted supply-chain attacks against blockchain npm packages. Attackers exploited maintainer abandonment to inject code that exfiltrates wallet seed phrases and private keys.
2024
bnb-javascript-sdk-nobroadcast hijacked
A package with no release for 4 years was claimed and republished with injected malware. It still drew significant download volume from automated CI pipelines that never pinned versions, so the hijacked release was pulled in automatically.
2023 to present
Web3.js enters maintenance mode; Viem and Ethers v6 capture momentum
The dominant EVM interaction library shifted to maintenance-only. The ecosystem fractured across ethers v5, ethers v6 and viem, leaving millions of weekly downloads on differing migration timelines with no tooling support.
Sep 2023
Truffle officially sunset by Consensys
Once the most downloaded Solidity development framework, Truffle lost active maintenance when Consensys sunset it in September 2023. Consensys recommended migrating to Hardhat, but there is no drop-in successor or automated migration path, and 180K weekly downloads continue flowing through a deprecated package.
04<br>Market gaps
Tier A: Immediate
Blockchain dependency intelligence SaaS
Continuous health scoring, CVE-gap alerting, and chain-fork compatibility checks. Targets enterprise teams already paying Snyk/Socket but missing protocol-layer semantics entirely. First-mover in an unoccupied category.
AI Score 88<br>Low competition<br>Clear buyer
Tier A: Immediate
Automated migration tooling (Web3.js to Viem)
Codemod engine for blockchain SDK deprecations. Dependency graph rewiring, import rewriting, ABI compatibility checking. Enterprises with 100k+ line EVM codebases will pay for automated migration vs. manual rewrites.
Clear demand signal<br>Enterprise pricing<br>No incumbent
Tier B: 6 months
Package rescue as a service
Formally adopt, audit, and maintain high-download orphaned blockchain packages under an SLA. Monetize via protocol foundations who need confidence...