When the LiteLLM supply chain attack hit in March 2026, npm audit ran clean. There was nothing to flag. The CVE was filed afterward: after the code shipped, after the bill landed. That is the structural problem with vulnerability scanning. It tells you what has already exploded.

What the LiteLLM, axios, and ua-parser-js incidents had in common was not a known CVE. It was the publisher profile: one account with publish access, millions of weekly downloads, and often no update in over a year. That population is identifiable before anything happens. The follow-up I keep getting asked: how do you actually measure it?

The metric

Two values, computed over the transitive dependency tree:

critical_concentration = the sum of weekly downloads for every transitive dependency where a single npm account holds publish access and weekly downloads exceed 10M.

critical_paths = the dependency chains from your direct deps to each critical package.

The first maps directly to a credential-compromise attack.…
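The two values above, computed by an added example script that is not the author's tooling. The dependency graph and the registry metadata (maintainer list, weekly downloads) are constructed inline so the script runs offline; in real use the graph comes from your lockfile, the maintainer list from https://registry.npmjs.org/<pkg>, and the download count from https://api.npmjs.org/downloads/point/last-week/<pkg>. Treating "one account holds publish access" as "the registry lists exactly one maintainer" is an approximation: organisation team access and granular tokens are not visible in that field. The 10M threshold, the package names and the numbers are all made up for the example.

```javascript
// Added example (not from the original post): critical_concentration and
// critical_paths over a constructed dependency tree.

// Constructed dependency graph, package -> its dependencies, as a lockfile
// would give it. Note the cycle http-core -> follow-redir -> http-core and the
// diamond web-client -> {http-core, form-enc -> http-core}.
const DEPS = {
  app: ['web-client', 'ua-lib', 'logger'],
  'web-client': ['http-core', 'form-enc'],
  'http-core': ['follow-redir'],
  'form-enc': ['http-core'],
  'ua-lib': [],
  logger: ['color-util'],
  'color-util': [],
  'follow-redir': ['http-core'],
};

// Constructed registry metadata. maintainers approximates "accounts with
// publish access" (the public signal; org teams and granular tokens are not
// visible). weeklyDownloads is the last-week download count.
const META = {
  'web-client': { maintainers: ['alice', 'bob'], weeklyDownloads: 60_000_000 },
  'http-core': { maintainers: ['carol'], weeklyDownloads: 45_000_000 },
  'form-enc': { maintainers: ['dave'], weeklyDownloads: 2_000_000 },
  'ua-lib': { maintainers: ['erin'], weeklyDownloads: 12_000_000 },
  logger: { maintainers: ['frank', 'grace'], weeklyDownloads: 30_000_000 },
  'color-util': { maintainers: ['heidi'], weeklyDownloads: 11_000_000 },
  'follow-redir': { maintainers: ['ivan'], weeklyDownloads: 40_000_000 },
};

// Hypothetical threshold from the metric definition: > 10M weekly downloads.
const THRESHOLD = 10_000_000;

// Critical = exactly one publishing account AND above the download threshold.
function isCritical(name, meta = META, threshold = THRESHOLD) {
  const m = meta[name];
  return Boolean(m) && m.maintainers.length === 1 && m.weeklyDownloads > threshold;
}

// Every package reachable from root (direct and transitive), cycle-safe.
function transitiveClosure(root, deps = DEPS) {
  const seen = new Set();
  const stack = [...(deps[root] || [])];
  while (stack.length) {
    const p = stack.pop();
    if (seen.has(p)) continue;
    seen.add(p);
    for (const d of deps[p] || []) if (!seen.has(d)) stack.push(d);
  }
  return seen;
}

// critical_concentration: weekly downloads summed once per critical package,
// however many chains reach it.
function criticalConcentration(root, deps = DEPS, meta = META, threshold = THRESHOLD) {
  let sum = 0;
  for (const p of transitiveClosure(root, deps)) {
    if (isCritical(p, meta, threshold)) sum += meta[p].weeklyDownloads;
  }
  return sum;
}

// critical_paths: every simple chain direct-dep > ... > critical package.
// A critical package reached by two routes yields two chains; that is the
// information concentration loses, and why both values are reported.
function criticalPaths(root, deps = DEPS, meta = META, threshold = THRESHOLD) {
  const paths = [];
  const walk = (pkg, chain) => {
    if (isCritical(pkg, meta, threshold)) paths.push(chain.join(' > '));
    for (const d of deps[pkg] || []) {
      if (chain.includes(d)) continue; // cycle guard: never revisit a package on the current chain
      walk(d, [...chain, d]);
    }
  };
  for (const direct of deps[root] || []) walk(direct, [direct]);
  return paths.sort();
}

// Summary for the root package; returned rather than only printed so it can be checked.
function report(root = 'app') {
  return {
    critical_concentration: criticalConcentration(root),
    critical_paths: criticalPaths(root),
  };
}

console.log(JSON.stringify(report('app'), null, 2));
```

On the constructed data the concentration is 108M (http-core, ua-lib, color-util and follow-redir each counted once) while six chains come out, because http-core and follow-redir are reachable both directly under web-client and through form-enc. The concentration tells you the size of the blast radius; the chains tell you which direct dependency to pin, vendor or replace to cut it.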