Three packages in a typical Node.js project score CRITICAL on supply chain risk right now: chalk, zod, and axios.
Not because they have known CVEs. Because they have a single maintainer and >10M weekly downloads — the exact profile exploited in the LiteLLM attack last month (CVE-2026-33634, 97M downloads/month, 500K machines compromised via a stolen PyPI token).
## The tool
getcommit.dev/audit — paste a list of package names, get risk scores back in seconds. No account needed, no MCP client required.
Supports npm and PyPI.
## What gets scored
| Signal | What it catches |
|---|---|
| Maintainer depth | Single maintainer + millions of DLs = high-value attack target |
| Longevity | Abandoned packages get reactivated for attacks |
| Release consistency | Long gaps signal neglect, not stability |
| Download trend | Rapid growth = higher attacker ROI |
- CRITICAL = single maintainer + >10M weekly downloads (exact LiteLLM/axios profile)
- HIGH = package <1yr old + rapid adoption
- WARN = moderate concentration risk
## Example output
Audit `chalk zod axios` and you'll see:
- chalk: 399M weekly downloads, 1 maintainer → CRITICAL
- zod: ~35M weekly downloads, 1 maintainer → CRITICAL
- axios: ~200M weekly downloads, small maintainer team → CRITICAL
These are packages in almost every production Node.js project. They're not broken. They're just structurally exposed.
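As an added example (not the tool's own scoring code), here is a small reimplementation of the tiers from the table and tier list above, applied to the packages in the example output plus a few constructed ones; the thresholds the post doesn't state (what counts as a "small maintainer team", "rapid adoption" and "moderate concentration") are assumptions and are marked as such in the code.

```javascript
// Added example, not the getcommit.dev scoring code: the CRITICAL/HIGH/WARN
// tiers from the post, run over constructed metadata. Only ">10M weekly
// downloads" and "<1yr old" are from the post; the other thresholds are assumed.
const CRITICAL_WEEKLY = 10_000_000;   // from the post
const HIGH_MAX_AGE_DAYS = 365;        // from the post ("<1yr old")
const SMALL_TEAM = 3;                 // assumption: what counts as a "small maintainer team"
const RAPID_GROWTH = 2.0;             // assumption: downloads doubled vs. the prior period
const WARN_WEEKLY = 1_000_000;        // assumption: "moderate concentration risk"

// pkg: { name, maintainers, weeklyDownloads, weeklyDownloadsPrev, firstPublished }
function scorePackage(pkg, now = new Date('2026-05-01T00:00:00Z')) {
  const ageDays = (now - new Date(pkg.firstPublished)) / 86_400_000;
  const growth = pkg.weeklyDownloadsPrev > 0
    ? pkg.weeklyDownloads / pkg.weeklyDownloadsPrev : Infinity;
  const fewMaintainers = pkg.maintainers <= SMALL_TEAM;
  // Maintainer depth x download volume: one stolen token reaches millions of installs.
  if (fewMaintainers && pkg.weeklyDownloads > CRITICAL_WEEKLY) {
    return { name: pkg.name, level: 'CRITICAL',
      reason: `${pkg.maintainers} maintainer(s), ${pkg.weeklyDownloads} weekly downloads` };
  }
  // Longevity x download trend: a young, fast-adopted package has little track record.
  if (ageDays < HIGH_MAX_AGE_DAYS && growth >= RAPID_GROWTH) {
    return { name: pkg.name, level: 'HIGH',
      reason: `${Math.round(ageDays)} days old, ${growth.toFixed(1)}x download growth` };
  }
  // Moderate concentration: few maintainers, meaningful but sub-critical reach.
  if (fewMaintainers && pkg.weeklyDownloads > WARN_WEEKLY) {
    return { name: pkg.name, level: 'WARN', reason: 'few maintainers, >1M weekly downloads' };
  }
  return { name: pkg.name, level: 'OK', reason: 'no concentration signal' };
}

function auditPackages(pkgs) {
  return pkgs.map((p) => scorePackage(p));
}

// Constructed sample metadata: download/maintainer counts mirror the post's figures,
// dates and prior-period downloads are invented for the example.
const SAMPLE = [
  { name: 'chalk', maintainers: 1, weeklyDownloads: 399_000_000, weeklyDownloadsPrev: 390_000_000, firstPublished: '2013-01-01' },
  { name: 'zod', maintainers: 1, weeklyDownloads: 35_000_000, weeklyDownloadsPrev: 30_000_000, firstPublished: '2020-03-01' },
  { name: 'axios', maintainers: 3, weeklyDownloads: 200_000_000, weeklyDownloadsPrev: 195_000_000, firstPublished: '2014-08-01' },
  { name: 'new-hot-lib', maintainers: 2, weeklyDownloads: 800_000, weeklyDownloadsPrev: 200_000, firstPublished: '2025-11-01' },
  { name: 'mid-util', maintainers: 2, weeklyDownloads: 2_000_000, weeklyDownloadsPrev: 1_900_000, firstPublished: '2018-01-01' },
  { name: 'big-team', maintainers: 12, weeklyDownloads: 50_000_000, weeklyDownloadsPrev: 49_000_000, firstPublished: '2015-01-01' },
];

console.table(auditPackages(SAMPLE));
```

The point of the run is that `npm audit` would report all six as clean; the tiers flag structural exposure, not known vulnerabilities.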
## For AI users: MCP config
If you use Claude Desktop, Cursor, or any MCP-compatible client, you can add the Commit MCP server and audit packages inline while coding:
```json
{
  "mcpServers": {
    "commit": {
      "url": "https://poc-backend.amdal-dev.workers.dev/mcp"
    }
  }
}
```
Then ask your AI: "Audit my package.json for supply chain risk"
The same scoring logic runs — you get CRITICAL/HIGH/WARN scores without leaving your editor.
## Why this matters now
The LiteLLM supply chain attack followed the exact Axios npm attack pattern: pre-stage a clean decoy package, swap in malicious code 18 hours later. Standard npm audit shows clean. The risk isn't a known CVE — it's the structural exposure: one person controls a package that runs in millions of CI pipelines.
The web tool is at getcommit.dev/audit. Source for the scoring logic is at github.com/piiiico/proof-of-commitment.