Snyk Scores Lodash 86. We Score It CRITICAL.

Same package. Opposite conclusions. The difference is one signal: how many people can push a new version to npm. Lodash reaches 162 million installs a week, and a single publisher stands behind every one of them.

Go to Snyk Advisor right now and look up lodash. You'll see a Package Health Score of 86 out of 100, labeled HEALTHY. Strong popularity, sustainable maintenance, low security risk. The assessment: this is a safe choice.

Run npx proof-of-commitment lodash and you'll see something different:

Package   Risk            Score   Publishers   Downloads     Age       Provenance
lodash    🔴 CRITICAL     80      1            161.8M/wk     11.9y     —
  ↳ sole npm publisher behind 162M weekly downloads — publish-access concentration risk

CRITICAL. One npm publisher controls 162 million weekly downloads. That's not a vulnerability. It's a structural concentration risk — the exact profile that every major npm attack in 2026 has exploited.

What Snyk measures

Snyk's Package Health Score is built from four dimensions: security (known CVEs), popularity (download volume, GitHub stars), maintenance (commit frequency, release cadence), and community (contributors, documentation). These are real signals. They tell you whether a project is active and whether it has known bugs.

What they don't tell you: how many humans can push a malicious version.

Snyk's lodash page lists "1 maintainer" inside its maintenance section. The number is visible. It doesn't change the 86 score, doesn't trigger a warning, and isn't framed as a risk factor. You'd have to know to look, and know why it matters.

What Commit measures

Commit scores packages on behavioral signals: longevity, release consistency, download trend, OpenSSF Scorecard data, and — crucially — publisher depth. How many distinct humans have npm publish access?

When a package with 162 million weekly downloads has a single npm publisher, one stolen token, one compromised laptop, one phishing email reaches every project that depends on it. Lodash sits in the lock file of millions of repos — React, Webpack, Babel, ESLint, Express, Next.js, every CI pipeline of every Node shop. One credential, planet-scale blast radius. That is the attack that keeps happening.

The 2026 track record

Six major npm supply chain attacks have hit this year. Every one exploited a package with a sole publisher or a compromised publisher credential:

  • axios — March 30. Token theft. 119M downloads/week. 1 npm publisher.
  • TanStack — May 11. Mini Shai-Hulud worm. Hijacked CI/CD to publish malicious versions.
  • TrapDoor — May 22. 21 npm + 7 PyPI + 6 Cargo packages planting persistence hooks in AI coding assistants.
  • Red Hat Miasma — June 1. 32 @redhat-cloud-services packages via compromised GitHub account. Valid SLSA provenance on every malicious version.
  • Phantom Gyp — June 3. 57 packages including @vapi-ai/server-sdk (408K/month). Used binding.gyp to bypass install-script monitors.
  • IronWorm — June 4. 37 packages with eBPF rootkit + Tor C2 + self-propagation via stolen npm tokens.

npm audit flagged zero of these before the attack. Snyk's vulnerability database flagged zero before the attack. A publisher concentration check would have flagged all of them as structural risk.

The 26 packages that matter most

26 of the 91 npm packages with more than 10 million weekly downloads have a single npm publisher. Together they account for over 3 billion downloads per week. They include packages that are probably in your lock file right now:

  • minimatch — 625M/week, 1 publisher
  • chalk — 445M/week, 1 publisher
  • glob — 366M/week, 1 publisher
  • cross-spawn — 215M/week, 1 publisher
  • zod — 194M/week, 1 publisher
  • lodash — 162M/week, 1 publisher


None of them are vulnerable. All of them are structural concentration risk. The distinction matters because vulnerability scanning and behavioral risk analysis serve different functions — and confusing the two leaves the gap attackers keep walking through.

The dormancy signal

One more wrinkle worth knowing. Lodash 4.17.21 shipped February 2021. Nothing followed for five years. On March 31, 2026 — the day after the axios attack — lodash 4.18.0 published. 4.18.1 followed the next day.

Both versions were published by the same maintainer who has held the publish bit since lodash 1.0. No takeover, no co-maintainer added. But the pattern is real: a package can sit dormant for years and then ship at any moment, from one credential, into 162 million installs a week.

That's not a knock on the maintainer. It's the structural property worth tracking. The combination of long quiet periods and single-publisher access is the profile attackers actively scan for.
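As an added example that is not proof-of-commitment's own code, the JavaScript below derives the two signals discussed above, publisher depth and the gap before the latest release, from the fields a real npm packument carries (`maintainers`, `time`), and walks a lockfileVersion 3 package-lock.json to apply them to every dependency. The risk thresholds, the sample lock file and the sample registry documents are constructed assumptions, not real registry data or the product's scoring.

```javascript
// Added example, not the page's tool: publisher-depth and dormancy checks over npm
// packument fields ("maintainers", "time") for each package in a lock file. The
// thresholds are hypothetical and the sample inputs below are constructed.
// Package names from a lockfileVersion 2/3 "packages" map (nested + scoped, deduped).
function lockfilePackages(lock) {
  const names = new Set();
  for (const key of Object.keys(lock.packages || {})) {
    const i = key.lastIndexOf("node_modules/");
    if (i >= 0) names.add(key.slice(i + "node_modules/".length));
  }
  return [...names];
}

// Days of silence before the latest release; "time" also has non-version keys.
function dormancyDays(packument) {
  const stamps = Object.entries(packument.time || {})
    .filter(([k]) => k !== "created" && k !== "modified")
    .map(([, iso]) => Date.parse(iso))
    .sort((a, b) => a - b);
  if (stamps.length < 2) return 0;
  return Math.round((stamps[stamps.length - 1] - stamps[stamps.length - 2]) / 86_400_000);
}

// Concentration risk: distinct npm publishers versus weekly downloads.
function assessConcentration(packument, weeklyDownloads) {
  const publishers = new Set((packument.maintainers || []).map((m) => m.name)).size;
  let risk = "LOW";
  if (publishers <= 1 && weeklyDownloads >= 10_000_000) risk = "CRITICAL";
  else if (publishers <= 1 && weeklyDownloads >= 1_000_000) risk = "HIGH";
  else if (publishers <= 2) risk = "MEDIUM";
  return { name: packument.name, publishers, weeklyDownloads,
           dormantDays: dormancyDays(packument), risk };
}

function auditLock(lock, registry, downloads) {
  return lockfilePackages(lock).map((n) =>
    assessConcentration(registry[n] || { name: n }, downloads[n] || 0));
}

// Constructed sample inputs (shape of npm registry responses, values invented).
const SAMPLE_LOCK = { lockfileVersion: 3, packages: {
  "": { name: "app" }, "node_modules/lodash": { version: "4.17.21" },
  "node_modules/@scope/pkg": { version: "1.0.0" },
  "node_modules/@scope/pkg/node_modules/lodash": { version: "4.17.21" } } };
const SAMPLE_REGISTRY = {
  lodash: { name: "lodash", maintainers: [{ name: "maintainer-a" }], time: {
    created: "2012-04-23T00:00:00Z", "4.17.21": "2021-02-20T00:00:00Z", "4.18.0": "2026-03-31T00:00:00Z" } },
  "@scope/pkg": { name: "@scope/pkg", time: { "1.0.0": "2025-01-01T00:00:00Z" },
    maintainers: [{ name: "a" }, { name: "b" }, { name: "c" }] } };
const SAMPLE_DOWNLOADS = { lodash: 161_800_000, "@scope/pkg": 5_000 };
```

To run it against live data, fetch `https://registry.npmjs.org/<name>` for the packument and `https://api.npmjs.org/downloads/point/last-week/<name>` for the download count and pass them in place of the constructed objects.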

Not a replacement. A different question.

Snyk tells you: does this package have known bugs?

Commit tells you: if this package's publisher gets phished tomorrow, how bad is it?

Both questions matter. They measure different attack surfaces. The problem is that most teams only ask the first one.

Try it

Zero install, 30 seconds:

npx proof-of-commitment --file package-lock.json

Or paste your packages into the web demo (pre-loaded with lodash).

If you want monitoring — automated scans, alerts when a score drops, email when a package you depend on gets compromised:

poc watch lodash --email you@company.com