DEV Community

Pico

I audited 10 common npm packages. Three came back CRITICAL. One was just attacked last week.

The axios supply chain attack dropped April 1st. Someone pushed malicious code through an npm package that is downloaded 96 million times per week.

I had already flagged axios as CRITICAL using behavioral signals. Here's the full audit.

The audit: 10 common packages, one tool call

I added a new audit_dependencies tool to proof-of-commitment, an MCP server that scores packages on behavioral commitment signals (age, release consistency, maintainer depth, download trends).

One call. Ten packages. Three CRITICAL:

Dependency Risk Audit — 10 packages scored
Risk summary: 3 CRITICAL, 0 HIGH, 0 WARN
(sorted by commitment score — lowest = highest supply chain risk)

  Score   Package              Downloads    Maintainers     Age
  ------  -------------------  -----------  --------------  ---
  75/100  chalk                399.2M/wk    1 maintainer    12yr ⚠️ CRITICAL
  82/100  uuid                 228.6M/wk    2 maintainers   15yr
  83/100  zod                  139.2M/wk    1 maintainer    6yr  ⚠️ CRITICAL
  84/100  langchain            2.2M/wk      8 maintainers   3yr
  84/100  @langchain/core      3.5M/wk      13 maintainers  2yr
  86/100  @anthropic-ai/sdk    12.3M/wk     14 maintainers  3yr
  89/100  axios                96.0M/wk     1 maintainer    11yr ⚠️ CRITICAL
  93/100  openai               15.8M/wk     17 maintainers  5yr
  93/100  dotenv               110.8M/wk    4 maintainers   12yr
  97/100  express              87.4M/wk     5 maintainers   15yr

What CRITICAL means here

CRITICAL = sole maintainer + >10 million weekly downloads.

This is the attack surface that actually gets exploited:

  • One person's npm account gets phished, credential-stuffed, or token-stolen
  • Malicious code goes out to 96 million projects (axios) or 399 million (chalk)
  • The supply chain attack pattern is now documented: a clean decoy package is pre-staged 18h before the malicious version drops
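To make the CRITICAL rule concrete, here is an added example (my own code, not the proof-of-commitment tool's) that applies the sole-maintainer + >10M weekly downloads rule to package records shaped like what the npm registry and downloads API return. The sample records, their `created` dates and the reference date are constructed from the figures in the table above; the function names are mine, and the tool's 0-100 commitment score is not reproduced.

```javascript
// Added example (not the proof-of-commitment tool's code): apply the post's
// CRITICAL rule, sole maintainer + >10M weekly downloads, to package records in
// the shape the npm registry (`maintainers`, `time.created`) and the downloads
// API (`downloads`) return. Sample values are constructed from the post's table.

const CRITICAL_WEEKLY_DOWNLOADS = 10_000_000; // threshold stated in the post

// Constructed sample records; a live version would read
//   https://registry.npmjs.org/<name>  and
//   https://api.npmjs.org/downloads/point/last-week/<name>
const SAMPLE = {
  axios:     { maintainers: [{ name: "maintainer-a" }],
               time: { created: "2014-08-29T00:00:00Z" }, downloads: 96_000_000 },
  express:   { maintainers: ["a", "b", "c", "d", "e"].map((name) => ({ name })),
               time: { created: "2010-12-29T00:00:00Z" }, downloads: 87_400_000 },
  langchain: { maintainers: Array.from({ length: 8 }, (_, i) => ({ name: `m${i}` })),
               time: { created: "2023-02-01T00:00:00Z" }, downloads: 2_200_000 },
};

const MS_PER_YEAR = 365.25 * 24 * 60 * 60 * 1000;

// Whole years since first publish, relative to a fixed (constructed) reference
// date so the output is deterministic.
function ageYears(createdIso, now = new Date("2026-04-08T00:00:00Z")) {
  return Math.floor((now - new Date(createdIso)) / MS_PER_YEAR);
}

// Classify one package. Only the CRITICAL rule from the post is implemented;
// both conditions must hold, and each one that holds is recorded as a reason.
function classify(name, rec, now) {
  const maintainers = rec.maintainers.length;
  const reasons = [];
  if (maintainers === 1) reasons.push("sole maintainer");
  if (rec.downloads > CRITICAL_WEEKLY_DOWNLOADS) reasons.push(">10M weekly downloads");
  const level = reasons.length === 2 ? "CRITICAL" : "OK";
  return { name, maintainers, downloads: rec.downloads,
           ageYears: ageYears(rec.time.created, now), level, reasons };
}

// Audit a set of packages: CRITICAL rows first, then by download volume, so the
// packages to review first sit at the top of the table.
function auditDependencies(records, now) {
  return Object.entries(records)
    .map(([name, rec]) => classify(name, rec, now))
    .sort((a, b) => (a.level === b.level ? b.downloads - a.downloads
                                          : a.level === "CRITICAL" ? -1 : 1));
}

for (const row of auditDependencies(SAMPLE)) {
  console.log(`${row.level.padEnd(8)} ${row.name.padEnd(10)} ${row.maintainers} maintainer(s)  ${row.ageYears}yr  ${row.reasons.join(", ")}`);
}
```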

chalk is the most surprising: 399M downloads/week — more than axios, more than zod — all flowing through one maintainer's account. It's probably fine. It's been fine for 12 years. But it's a CRITICAL attack surface by any objective measure.

zod is the validation library that's in everything now. 139M downloads/week, 1 maintainer. Same risk profile.

axios was attacked last week. It now has a confirmed CVE. The behavioral signal was already there.

The pattern the LiteLLM attack confirmed

The LiteLLM compromise (March 2026) followed the same pre-staging pattern: malicious package uploaded quietly, then promoted. 97M downloads/month, 1 maintainer, 1288 releases over 2 years. Behavioral score: 74/100 — above average, but the sole-maintainer flag was there.

From my earlier analysis:

litellm: 74/100. 1 maintainer. 97M downloads/month. The attack exploited a stolen PyPI token — exactly the risk that sole-maintainer + high-volume packages carry.

Try it: zero install

Add to your Claude/Cursor MCP config:

{
  "mcpServers": {
    "proof-of-commitment": {
      "type": "streamable-http",
      "url": "https://poc-backend.amdal-dev.workers.dev/mcp"
    }
  }
}

Then ask your AI:

Audit these dependencies for supply chain risk: 
["axios", "zod", "chalk", "lodash", "express", "dotenv"]

You get a risk table in seconds. No installation. No account. The backend calls the npm registry and downloads API directly.

What the score doesn't capture

High behavioral commitment doesn't guarantee safety. The score measures consistency of past behavior — longevity, release cadence, maintainer depth. It doesn't see:

  • Whether a maintainer's account was just phished
  • Whether the latest release contains malicious code
  • Internal package-manager security (private registries, etc.)

Behavioral signals are a first-pass risk filter, not a security scanner. CRITICAL means "audit this first" — not "it's compromised."

The axios attack was predictable from behavioral signals. The actual detection required someone to read the diff.

The 7 tools available right now

v0.7.0 ships today:

  • audit_dependencies — batch risk audit (new)
  • lookup_npm_package — single npm package profile
  • lookup_pypi_package — single PyPI package profile
  • lookup_github_repo — GitHub repo behavioral score
  • lookup_business — Norwegian business registry (Brreg)
  • lookup_business_by_org — direct org number lookup
  • query_commitment — domain behavioral data from extension users

GitHub: https://github.com/piiiico/proof-of-commitment
MCP registry: listed at registry.modelcontextprotocol.io
