OpenSSF Scorecard measures whether a project follows secure development practices. Code review enforcement. Branch protection. SLSA provenance. Dangerous workflow detection.
I've been building getcommit.dev, which measures something different: behavioral commitment signals. Publisher depth. Download concentration. Release consistency. Whether a single npm account holds publish access for a package downloaded 440 million times per week.
Each package audit now returns both scores. The comparison is worth seeing.
## The seven CRITICAL packages
These are npm packages with a single npm publisher and more than 10 million weekly downloads.
| Package | Behavioral | Scorecard | Downloads/wk | npm publishers |
|---|---|---|---|---|
| chalk | CRITICAL | 3.8/10 | 440M | 1 |
| minimatch | CRITICAL | 6.2/10 | 609M | 1 |
| glob | CRITICAL | 5.5/10 | 358M | 1 |
| lodash | CRITICAL | 7.3/10 | 155M | 1 |
| zod | CRITICAL | 5.1/10 | 142M | 1 |
| axios | CRITICAL | 8.0/10 | 108M | 1 |
| hono | CRITICAL | N/A | 34M | 1 |
npm audit shows zero vulnerabilities on all of them.
## Two tools, two attack surfaces
Scorecard answers: Can an attacker compromise this project's development pipeline?
Behavioral signals answer: Can an attacker take over this package by compromising one account?
## axios: attacked despite a strong Scorecard
axios scores 8.0/10 on Scorecard. Strong code review, maintained CI, good token permissions. And it was attacked on March 30, 2026.
How? Stolen npm credentials. The Scorecard-measured process security was intact. The attack bypassed CI by publishing directly to npm with a stolen publisher key.
Behavioral signals flagged axios as CRITICAL before the attack. Not because the CI was weak. Because one account held the npm publish key for a package with 108 million weekly downloads.
Since the attack, axios has adopted Trusted Publishing (OIDC provenance). But the publisher concentration hasn't changed.
## What this means practically
These scores don't compete. Use them together.
A package with high behavioral risk and low Scorecard is doubly exposed: both the credential attack surface and the process exploitation surface are open.
A package with high behavioral risk but strong Scorecard still carries the credential risk — as the axios attack demonstrated.
npm audit shows you neither.
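As an added example (not getcommit.dev's code), here is how the CRITICAL rule from the table and the combined reading above can be applied to the two public npm documents a defender can fetch for any dependency: the registry package document and the weekly-downloads endpoint. It assumes the registry's `maintainers` list is the set of publishing accounts, uses constructed sample JSON in place of live responses, and picks 5.0 as the cut-off for a "low" Scorecard score, which the post does not define.

```python
import json
from typing import Optional

CRITICAL_DOWNLOADS = 10_000_000   # weekly downloads; the threshold the post uses
LOW_SCORECARD = 5.0               # assumed cut-off for a "low" Scorecard score

# Constructed samples shaped like registry.npmjs.org/<pkg> ("maintainers") and
# api.npmjs.org/downloads/point/last-week/<pkg> ("downloads").  The axios numbers
# are the post's; maintainer names and "example-lib" are placeholders, not live data.
REGISTRY = {
    "axios": '{"name":"axios","maintainers":[{"name":"maintainer-a"}]}',
    "example-lib": '{"name":"example-lib","maintainers":[{"name":"m1"},{"name":"m2"}]}',
}
DOWNLOADS = {
    "axios": '{"downloads":108000000,"package":"axios"}',
    "example-lib": '{"downloads":2500000,"package":"example-lib"}',
}
SCORECARD = {"axios": 8.0, "example-lib": None}   # None models the table's N/A


def behavioral_level(publishers: int, weekly_downloads: int) -> str:
    """The post's rule: one publisher account and >10M weekly downloads is CRITICAL."""
    if publishers == 1 and weekly_downloads > CRITICAL_DOWNLOADS:
        return "CRITICAL"
    return "OK"


def combined_verdict(behavioral: str, scorecard: Optional[float]) -> str:
    """Read both scores together instead of letting one mask the other."""
    if behavioral != "CRITICAL":
        return "publish access spread across accounts"
    if scorecard is None:
        return "credential risk; no Scorecard data"
    if scorecard < LOW_SCORECARD:
        return "doubly exposed: credential and process attack surfaces both open"
    return "credential risk despite strong process security"


def audit_package(name: str) -> dict:
    """Parse the registry and downloads documents and return both readings."""
    publishers = len(json.loads(REGISTRY[name]).get("maintainers", []))
    weekly = int(json.loads(DOWNLOADS[name])["downloads"])
    behavioral = behavioral_level(publishers, weekly)
    score = SCORECARD.get(name)
    return {"package": name, "publishers": publishers, "weekly_downloads": weekly,
            "behavioral": behavioral, "scorecard": score,
            "verdict": combined_verdict(behavioral, score)}
```

Swapping the sample dictionaries for real HTTP fetches of the two endpoints turns this into a check you can run against your own lockfile.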