Everyone knows about chalk (422M weekly downloads, 1 maintainer) and axios (100M/wk, 1 maintainer — compromised March 30, 2026). Those are in your package.json. You chose them.
But when we ran the 113 most-downloaded npm packages through proof-of-commitment today, the packages that surprised me weren't the ones developers deliberately install. They were the invisible ones — the load-bearing infrastructure nobody chose, nobody monitors, and nobody thinks about.
glob: 340 million weekly downloads. You've probably never typed it.
```text
$ npx proof-of-commitment glob
Package        Risk         Score  Maintainers  Downloads/wk  Age
────────────────────────────────────────────────────────────────
glob           🔴 CRITICAL  78     1            340M/wk       13.7y
```
glob turns file patterns like `**/*.ts` into file lists. It's in webpack, Jest, ESLint, TypeScript, Vite — every build tool you use. 340 million installs every week. One maintainer for 13 years.
If you don't have glob in your package.json, you almost certainly have it in your package-lock.json. Pulled in three or four levels deep through tools you do have in your package.json.
cross-spawn: 190 million weekly downloads. Used by your package manager.
```text
$ npx proof-of-commitment cross-spawn
Package        Risk         Score  Maintainers  Downloads/wk  Age
───────────────────────────────────────────────────────────────────
cross-spawn    🔴 CRITICAL  72     1            190M/wk       10.9y
```
cross-spawn makes Node.js child process spawning work on Windows. npm uses it. yarn uses it. Your testing framework uses it. 190 million downloads a week. One maintainer. Score of 72, which puts it in the riskier tier of CRITICAL packages.
The attack pattern is known: acquire publish access, push a malicious version that runs at build time. Every developer running npm install anywhere in the world is a potential target.
@types/node: 316 million weekly downloads. It's "just types."
```text
$ npx proof-of-commitment @types/node
Package        Risk         Score  Maintainers  Downloads/wk  Age
───────────────────────────────────────────────────────────────────
@types/node    🔴 CRITICAL  88     1            316M/wk       11.8y
```
This one gets dismissed most often: "it's just TypeScript types, not runtime code." Technically true for most uses. But @types/node is installed in millions of production build pipelines — CI/CD systems, Docker containers, development environments that build the production artifact.
A compromised @types/node version wouldn't affect runtime behavior. It would affect build time — every system running npm install before compiling and deploying. That includes your CI/CD pipeline. That includes the environment that packages and ships your app.
316 million weekly downloads. One maintainer.
The full CRITICAL list: 26 packages, 10.3B weekly downloads
We scored 113 packages. These 26 came back CRITICAL (sole maintainer, >10M weekly downloads):
| Package | Downloads/wk | Score |
|---|---|---|
| chalk | 422M | 75 |
| glob | 340M | 78 |
| @types/node | 316M | 88 |
| esbuild | 216M | 85 |
| cross-spawn | 190M | 72 |
| zod | 163M | 82 |
| inherits | 157M | 64 |
| lodash | 149M | 84 |
| rimraf | 138M | 77 |
| mkdirp | 120M | 72 |
| @types/react | 117M | 88 |
| once | 114M | 68 |
| axios | 100M | 86 |
| date-fns | 84M | 78 |
| chai | 70M | 80 |
| sharp | 59M | 81 |
| dayjs | 47M | 81 |
| bluebird | 44M | 77 |
| got | 34M | 85 |
| ejs | 31M | 80 |
| archiver | 25M | 74 |
| cross-env | 18M | 70 |
| crypto-js | 16M | 70 |
| nodemon | 12M | 83 |
| unzipper | 11M | 73 |
| yup | 11M | 72 |
Full interactive table at getcommit.dev/rankings. Data pulled from npm registry April 29, 2026.
What "CRITICAL" means and what it doesn't
CRITICAL = sole maintainer + >10M weekly downloads. That's the structural profile shared by ua-parser-js before October 2021 (sole maintainer, ~8M/wk, credentials compromised, malicious versions published — CVE-2021-41265/CVE-2021-41266). Same profile as axios in March 2026 (100M/wk, sole maintainer, North Korea-linked group UNC1069 via stolen npm token).
What it doesn't mean: that the maintainer is careless, or that the package will be attacked. Isaac Z. Schlueter has maintained some of these packages for over a decade. They're excellent software. The risk is structural, not personal — one person's credentials are the only barrier between 340 million weekly installs and a malicious publish.
npm audit showed zero issues on axios for its entire history. The structural signal existed before the attack. It just wasn't surfaced.
Check your own lock file
Zero install, runs against your actual resolved dep tree:
```sh
npx proof-of-commitment --file package-lock.json
# or yarn.lock / pnpm-lock.yaml
```
Or try the browser demo — drop your lock file and it parses all transitive dependencies.
The CRITICAL packages in your tree aren't necessarily ones you'll recognize. That's the point.
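To make the lock-file check concrete, here is an added example (my own code, not proof-of-commitment's) that walks the `packages` map of a lockfileVersion 2/3 `package-lock.json`, resolves nested `node_modules` the way Node does, and flags every package matching the post's CRITICAL profile along with the direct dependency that pulled it in. The `LOCK` and `META` objects are constructed sample data; the real tool fetches maintainer and download figures from the registry.

```javascript
// Added example, not proof-of-commitment's own code: walk a package-lock.json "packages"
// map (lockfileVersion 2/3) and flag the post's CRITICAL profile. LOCK/META are constructed.
const LOCK = { packages: {
  '': { dependencies: { jest: '^29.0.0', '@types/node': '^20.0.0', debug: '^4.0.0' } },
  'node_modules/jest': { version: '29.7.0', dependencies: { 'jest-cli': '^29.7.0' } },
  'node_modules/jest-cli': { version: '29.7.0', dependencies: { glob: '^7.0.0' } },
  'node_modules/glob': { version: '7.2.3', dependencies: { once: '^1.3.0' } },
  'node_modules/once': { version: '1.4.0' },
  'node_modules/@types/node': { version: '20.11.0' },
  'node_modules/debug': { version: '4.3.4' },
} };
const META = { // hypothetical maintainer/download figures; the real tool queries the registry
  glob: { maintainers: 1, weeklyDownloads: 340e6 },
  once: { maintainers: 1, weeklyDownloads: 114e6 },
  '@types/node': { maintainers: 1, weeklyDownloads: 316e6 },
  debug: { maintainers: 1, weeklyDownloads: 9e6 }, // sole maintainer but under 10M/wk
};
// CRITICAL as the post defines it: sole maintainer and more than 10M weekly downloads.
function isCritical(meta) {
  return Boolean(meta) && meta.maintainers === 1 && meta.weeklyDownloads > 10e6;
}
// Resolve `dep` from `fromKey` like Node: nearest nested node_modules, then walk up to root.
function resolveKey(lock, fromKey, dep) {
  for (let base = fromKey; ; ) {
    const candidate = (base ? base + '/' : '') + 'node_modules/' + dep;
    if (lock.packages[candidate]) return candidate;
    const i = base.lastIndexOf('node_modules/');
    if (i < 0) return null; // not in the lock at all
    base = base.slice(0, Math.max(0, i - 1));
  }
}
// Breadth-first walk from the root manifest; `via` is the direct dependency that pulled each in.
function walkLock(lock) {
  const seen = new Map();
  const queue = Object.keys(lock.packages[''].dependencies || {})
    .map((dep) => ({ key: resolveKey(lock, '', dep), via: dep }));
  while (queue.length) {
    const { key, via } = queue.shift();
    if (!key || seen.has(key)) continue;
    const entry = lock.packages[key]; // name = text after the last 'node_modules/', so @scope/ survives
    seen.set(key, { name: key.slice(key.lastIndexOf('node_modules/') + 13), version: entry.version, via });
    for (const dep of Object.keys(entry.dependencies || {}))
      queue.push({ key: resolveKey(lock, key, dep), via });
  }
  return [...seen.values()];
}
// Flagged packages, each with the direct dependency that imports it.
function findCritical(lock, meta) {
  return walkLock(lock).filter((p) => isCritical(meta[p.name]));
}
```

Run with `node` and print `findCritical(LOCK, META)`: `once` is flagged four levels down via `jest`, while `debug` is skipped because it sits under the 10M/wk threshold.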
proof-of-commitment is open source. The scanner at getcommit.dev/audit requires no install, no API key, no account.