
Research
/Security News
jscrambler npm Package Compromised in Supply Chain Attack
A compromised jscrambler npm release added a malicious preinstall hook that runs hidden native binaries on Linux, macOS, and Windows.
TypeScript LLM client with streaming tool execution. Tools fire mid-stream. Built-in function calling works with any model—no structured outputs or native tool support required.
Streaming-first multi-provider LLM client in TypeScript with home-made tool calling.
llmist implements its own tool calling syntax called "gadgets" - tools execute the moment their block is parsed, not after the response completes. Works with any model that can follow instructions.
npm install llmist
import { Gadget, LLMist, z } from 'llmist';
// Define a gadget (tool) with Zod schema
class Calculator extends Gadget({
description: 'Performs arithmetic operations',
schema: z.object({
operation: z.enum(['add', 'subtract', 'multiply', 'divide']),
a: z.number(),
b: z.number(),
}),
}) {
execute(params: this['params']): string {
const { operation, a, b } = params;
switch (operation) {
case 'add': return String(a + b);
case 'subtract': return String(a - b);
case 'multiply': return String(a * b);
case 'divide': return String(a / b);
}
}
}
// Run the agent
const answer = await LLMist.createAgent()
.withModel('sonnet')
.withGadgets(Calculator)
.askAndCollect('What is 15 times 23?');
console.log(answer);
Attach MCP servers to an agent with the same gadget execution pipeline as native tools:
const answer = await LLMist.createAgent()
.withModel('sonnet')
.withMcpServer({
name: 'filesystem',
transport: 'stdio',
command: 'npx',
args: ['-y', '@modelcontextprotocol/server-filesystem', '/tmp'],
timeoutMs: 30000,
})
.askAndCollect('List files in /tmp');
llmist also exports createMcpServer({ gadgets, skills }) so applications can publish native gadgets as MCP tools and skills as MCP prompts.
Set one of these environment variables:
export OPENAI_API_KEY="sk-..."
export ANTHROPIC_API_KEY="sk-ant-..."
export GEMINI_API_KEY="..."
export HF_TOKEN="hf_..."
Use model aliases for convenience:
.withModel('sonnet') // Claude 3.5 Sonnet
.withModel('opus') // Claude Opus 4
.withModel('gpt4o') // GPT-4o
.withModel('flash') // Gemini 2.0 Flash
Full documentation at llmist.dev
See the examples directory for runnable examples covering all features.
@llmist/cli - Command-line interface@llmist/testing - Testing utilities and mocksMIT
FAQs
TypeScript LLM client with streaming tool execution. Tools fire mid-stream. Built-in function calling works with any model—no structured outputs or native tool support required.
The npm package llmist receives a total of 534 weekly downloads. As such, llmist popularity was classified as not popular.
We found that llmist demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 1 open source maintainer collaborating on the project.
Did you know?

Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.

Research
/Security News
A compromised jscrambler npm release added a malicious preinstall hook that runs hidden native binaries on Linux, macOS, and Windows.

Research
/Security News
A malicious .NET package is typosquatting the Braintree SDK to steal live payment card data, merchant API keys, and host secrets from production apps.

Security News
/Research
Compromised Injective SDK npm version 1.20.21 exfiltrates wallet private keys and mnemonics through fake telemetry functionality.