Snyk Scores Chalk 81. We Score It CRITICAL.

Same package. Opposite conclusions. The difference is one signal: how many people can push a new version to npm. That signal predicted every major npm attack this year.

Go to Snyk's vulnerability database right now and look up chalk. You'll see a Package Health Score of 81 out of 100. No known security issues. Sustainable maintenance. The assessment: this is a healthy package.

Run npx proof-of-commitment chalk and you'll see something different:

Package   Risk            Score   Publishers   Downloads     Age       Provenance
chalk     🔴 CRITICAL     75      1            445.5M/wk     12.9y     —
  ↳ 30+ GitHub contributors — publish-access concentration risk despite active community

CRITICAL. One npm publisher controls 445 million weekly downloads. That's not a vulnerability. It's a structural concentration risk — the exact profile that every major npm attack in 2026 has exploited.

What Snyk measures

Snyk's Package Health Score is built from four dimensions: security (known CVEs), popularity (download volume, GitHub stars), maintenance (commit frequency, release cadence), and community (contributors, documentation). These are real signals. They tell you whether a project is active and whether it has known bugs.

What they don't tell you: how many humans can push a malicious version.

Snyk shows "1 maintainer" as a data point in its maintenance section. It's listed next to "0 open PRs" and "last commit 4 months ago." The number is visible but not actionable — it doesn't change the score, doesn't trigger a warning, and isn't framed as a risk factor.

What Commit measures

Commit scores packages on behavioral signals: longevity, release consistency, download trend, OpenSSF Scorecard data, and — crucially — publisher depth. How many distinct humans have npm publish access?

When a package with 445 million weekly downloads has a single npm publisher, a single stolen token, compromised laptop or phishing email is enough to reach every project that depends on it. That is the attack that keeps happening.

The 2026 track record

Six major npm supply chain attacks have hit this year. Every one exploited a package with a sole publisher or a compromised publisher credential:

  • axios — March 30. Token theft. 119M downloads/week. 1 npm publisher.
  • TanStack — May 11. Mini Shai-Hulud worm. Hijacked CI/CD to publish malicious versions.
  • TrapDoor — May 22. 21 npm + 7 PyPI + 6 Cargo packages planting persistence hooks in AI coding assistants.
  • Red Hat Miasma — June 1. 32 @redhat-cloud-services packages via compromised GitHub account. Valid SLSA provenance on every malicious version.
  • Phantom Gyp — June 3. 57 packages including @vapi-ai/server-sdk (408K/month). Used binding.gyp to bypass install-script monitors.
  • IronWorm — June 4. 37 packages with eBPF rootkit + Tor C2 + self-propagation via stolen npm tokens.

npm audit flagged zero of these before the attack. Snyk's vulnerability database flagged zero before the attack. A publisher concentration check would have flagged all of them as structural risk.

The 26 packages that matter most

26 of the 91 npm packages with more than 10 million weekly downloads have a single npm publisher. Together they account for over 3 billion downloads per week. They include packages that are probably in your lock file right now:

  • minimatch — 625M/week, 1 publisher
  • chalk — 445M/week, 1 publisher
  • glob — 366M/week, 1 publisher
  • cross-spawn — 215M/week, 1 publisher
  • zod — 194M/week, 1 publisher
  • lodash — 156M/week, 1 publisher

None of them are vulnerable. All of them are structural concentration risk. The distinction matters because vulnerability scanning and behavioral risk analysis serve different functions — and confusing the two leaves the gap attackers keep walking through.

Not a replacement. A different question.

Snyk tells you: does this package have known bugs?

Commit tells you: if this package's publisher gets phished tomorrow, how bad is it?

Both questions matter. They measure different attack surfaces. The problem is that most teams only ask the first one.

Try it

Zero install, 30 seconds:

npx proof-of-commitment --file package-lock.json

Or paste your packages into the web demo (pre-loaded with chalk).

If you want monitoring — automated scans, alerts when a score drops, email when a package you depend on gets compromised:

poc watch chalk --email you@company.com

Free key — watchlist auto-seeded with chalk, weekly digest, 30 seconds, no card. Developer — 15 packages, daily scans, $15/month.