CRITICAL = sole maintainer + 10M+ weekly downloads. The profile that made axios, chalk, and zod high-value targets before any CVE existed. Updated from npm registry data.
| # | Package | Risk | Score | Downloads/wk | Maintainers | Age | Last release |
|---|---|---|---|---|---|---|---|
npm audit finds known CVEs — vulnerabilities already catalogued in a database. This scores structural risk before it becomes a CVE. The axios attack (April 1st): npm audit showed zero issues. Commit flagged it CRITICAL months in advance.
Sole maintainer + 10M+ weekly downloads = high-value target if credentials are stolen or the maintainer goes rogue. Not a verdict — a flag. The LiteLLM attack (March 2026) and axios attack (April 2026) both fit this profile exactly.
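The flag described above (sole maintainer and 10M+ weekly downloads) is simple enough to reproduce in a PR check. The following is an added example, not the page's tool or its scoring code. It reads the dependency names out of a package.json, looks each one up in registry-shaped data, and marks a package CRITICAL only when both conditions hold; everything else is reported as OK or, when no registry data exists for the name, UNKNOWN so that a lookup failure never passes silently. The package names, maintainer lists and download counts are constructed sample data. The `fetch_registry_entry` helper shows the two real npm endpoints the same data would come from online, but the sample run below does not call it.

```python
"""Flag sole-maintainer, high-download npm dependencies (added example)."""
import json
import urllib.parse
import urllib.request

# Threshold stated on the page: 10M+ weekly downloads.
CRITICAL_DOWNLOADS = 10_000_000

# Constructed package.json; names and ranges are invented.
SAMPLE_PACKAGE_JSON = """{
  "name": "demo-app",
  "dependencies": {"pkg-a": "^1.2.3", "pkg-b": "~4.0.0"},
  "devDependencies": {"pkg-c": "2.x"}
}"""

# Constructed registry-shaped data (not real registry values):
#   "maintainers" mirrors the registry document's maintainers array,
#   "downloads" mirrors the downloads API's last-week point value.
SAMPLE_REGISTRY = {
    "pkg-a": {"maintainers": [{"name": "alice"}], "downloads": 12_500_000},
    "pkg-b": {"maintainers": [{"name": "bob"}, {"name": "carol"}],
              "downloads": 30_000_000},
    "pkg-c": {"maintainers": [{"name": "dave"}], "downloads": 40_000},
}


def dependencies(package_json_text):
    """Return the sorted set of package names across all dependency sections."""
    doc = json.loads(package_json_text)
    names = set()
    for section in ("dependencies", "devDependencies", "optionalDependencies"):
        names.update(doc.get(section, {}).keys())
    return sorted(names)


def classify(maintainer_count, weekly_downloads):
    """The page's rule: sole maintainer AND 10M+ weekly downloads -> CRITICAL."""
    if maintainer_count == 1 and weekly_downloads >= CRITICAL_DOWNLOADS:
        return "CRITICAL"
    return "OK"


def score_dependencies(package_json_text, registry):
    """Map each dependency to its maintainer count, downloads and risk label."""
    results = {}
    for name in dependencies(package_json_text):
        meta = registry.get(name)
        if meta is None:
            # Missing data is not "safe"; surface it instead of passing the check.
            results[name] = {"maintainers": None, "downloads": None, "risk": "UNKNOWN"}
            continue
        maintainers = len(meta.get("maintainers", []))
        downloads = int(meta.get("downloads", 0))
        results[name] = {"maintainers": maintainers, "downloads": downloads,
                         "risk": classify(maintainers, downloads)}
    return results


def critical_packages(results):
    """Names that hit the CRITICAL profile, sorted for stable output."""
    return sorted(n for n, r in results.items() if r["risk"] == "CRITICAL")


def fetch_registry_entry(name, timeout=10):
    """Build one registry-shaped entry from the live npm endpoints (network).

    Scoped names like @scope/name must be sent as @scope%2Fname; quote() with
    safe="@" does exactly that. Not used by the offline sample run.
    """
    encoded = urllib.parse.quote(name, safe="@")
    with urllib.request.urlopen(f"https://registry.npmjs.org/{encoded}",
                                timeout=timeout) as resp:
        doc = json.load(resp)
    with urllib.request.urlopen(
            f"https://api.npmjs.org/downloads/point/last-week/{encoded}",
            timeout=timeout) as resp:
        downloads = json.load(resp).get("downloads", 0)
    return {"maintainers": doc.get("maintainers", []), "downloads": downloads}


if __name__ == "__main__":
    report = score_dependencies(SAMPLE_PACKAGE_JSON, SAMPLE_REGISTRY)
    for pkg, row in report.items():
        print(f"{pkg:10} maintainers={row['maintainers']} "
              f"downloads/wk={row['downloads']} {row['risk']}")
    # Exit non-zero when anything is CRITICAL, the way a PR gate would.
    raise SystemExit(1 if critical_packages(report) else 0)
```

Treat the CRITICAL label the way the page does: it is a flag for extra review (pinning, lockfile integrity, watching for maintainer or publishing changes), not a verdict on the package.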
Paste your package.json, drop a GitHub repo URL, or use the audit tool to score your own dependencies. Or add the GitHub Action to flag CRITICAL packages on every PR.