I audited 25 top npm packages with a zero-install CLI. Here's who passes.

DEV Community·Pico·about 1 month ago

```bash
npx proof-of-commitment react zod chalk lodash axios typescript
```

That's it. No install step, no API key, no account. Run it against any package, or drop your package.json at getcommit.dev/audit.

I ran it against 25 of the most downloaded npm packages. Here's what the data shows, and the results are worse than I expected.

The scoring model

Five behavioral dimensions, all computed from public registry data:

| Dimension | Max | What it measures |
| --- | --- | --- |
| Longevity | 25 | Package age; time in production is signal |
| Download Momentum | 25 | Weekly downloads plus trend direction |
| Release Consistency | 20 | Cadence, recency, gaps |
| Maintainer Depth | 15 | Number of active maintainers |
| GitHub Backing | 15 | Star traction, repo activity |

The five maxima sum to 100. CRITICAL means 1 maintainer and more than 10M weekly downloads: the same profile as the LiteLLM attack (March 2026) and the ua-parser-js compromise (October 2021, CVE-2021-41265/CVE-2021-41266).…
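As an added example, and not the proof-of-commitment tool's own code, here is a scorer shaped like the five-dimension model above, run over constructed packument-style data. The dimension maxima (25/25/20/15/15) and the CRITICAL rule (exactly one maintainer and more than 10M weekly downloads) are taken from the post; the thresholds inside each dimension, the input shape, the fixed clock and the sample packages are assumptions made for illustration.

```javascript
// Added example: a five-dimension package score plus the CRITICAL flag.
// Maxima and the CRITICAL rule follow the post; all inner thresholds are assumed.

const NOW = Date.parse("2026-04-01T00:00:00Z"); // fixed clock so the example is deterministic and offline
const DAY = 24 * 60 * 60 * 1000;

function daysBefore(iso) {
  return (NOW - Date.parse(iso)) / DAY;
}

// Longevity (max 25): assumed 5 points per year since the package was created.
function longevityScore(created) {
  return Math.min(25, Math.floor((daysBefore(created) / 365.25) * 5));
}

// Download Momentum (max 25): assumed 2 points per decade of weekly downloads (cap 15)
// plus 10 / 5 / 0 for a flat-or-rising, slightly falling, or falling four-week trend.
function momentumScore(thisWeek, fourWeeksAgo) {
  const volume = Math.min(15, Math.floor(Math.log10(Math.max(1, thisWeek)) * 2));
  const ratio = fourWeeksAgo > 0 ? thisWeek / fourWeeksAgo : 0;
  const direction = ratio >= 1 ? 10 : ratio >= 0.8 ? 5 : 0;
  return volume + direction;
}

// Release Consistency (max 20): 10 if the latest publish is within 180 days, plus
// 10 / 5 / 0 by the largest gap between publishes in the trailing two years.
// `time` is shaped like a packument's `time` map (version -> ISO date); the
// non-version keys "created" and "modified" are ignored.
function releaseScore(time) {
  const dates = Object.entries(time)
    .filter(([key]) => key !== "created" && key !== "modified")
    .map(([, iso]) => Date.parse(iso))
    .sort((a, b) => a - b);
  if (dates.length === 0) return 0;
  const recency = (NOW - dates[dates.length - 1]) / DAY <= 180 ? 10 : 0;
  const recent = dates.filter((d) => (NOW - d) / DAY <= 730);
  let cadence = 0;
  if (recent.length >= 2) {
    let maxGap = 0;
    for (let i = 1; i < recent.length; i++) {
      maxGap = Math.max(maxGap, (recent[i] - recent[i - 1]) / DAY);
    }
    cadence = maxGap <= 90 ? 10 : maxGap <= 180 ? 5 : 0;
  }
  return recency + cadence;
}

// Maintainer Depth (max 15): assumed 5 points per listed maintainer.
function maintainerScore(maintainers) {
  return Math.min(15, maintainers.length * 5);
}

// GitHub Backing (max 15): assumed 2.5 points per decade of stars (cap 10)
// plus 5 if the repository was pushed to within 90 days.
function githubScore(github) {
  const stars = Math.min(10, Math.floor(Math.log10(Math.max(1, github.stars)) * 2.5));
  const active = daysBefore(github.pushedAt) <= 90 ? 5 : 0;
  return stars + active;
}

// The profile the post calls CRITICAL: one maintainer and >10M weekly downloads.
function isCritical(maintainers, weeklyDownloads) {
  return maintainers.length === 1 && weeklyDownloads > 10_000_000;
}

function scorePackage(pkg) {
  const breakdown = {
    longevity: longevityScore(pkg.packument.time.created),
    momentum: momentumScore(pkg.downloads.thisWeek, pkg.downloads.fourWeeksAgo),
    releases: releaseScore(pkg.packument.time),
    maintainers: maintainerScore(pkg.packument.maintainers),
    github: githubScore(pkg.github),
  };
  const total = Object.values(breakdown).reduce((a, b) => a + b, 0);
  return { total, breakdown, critical: isCritical(pkg.packument.maintainers, pkg.downloads.thisWeek) };
}

// Constructed sample data in the shape of an npm packument plus download and
// GitHub counts. These are not real packages.
const SAMPLE_PACKAGES = {
  "solo-popular": {
    packument: {
      time: {
        created: "2016-03-01T00:00:00Z",
        "1.0.0": "2016-03-01T00:00:00Z",
        "2.0.0": "2025-10-15T00:00:00Z",
        "2.1.0": "2026-01-10T00:00:00Z",
        "2.2.0": "2026-03-20T00:00:00Z",
      },
      maintainers: [{ name: "solo-dev" }],
    },
    downloads: { thisWeek: 12_000_000, fourWeeksAgo: 11_500_000 },
    github: { stars: 25_000, pushedAt: "2026-03-25T00:00:00Z" },
  },
  "team-maintained": {
    packument: {
      time: {
        created: "2021-06-01T00:00:00Z",
        "1.0.0": "2021-06-01T00:00:00Z",
        "1.1.0": "2025-06-01T00:00:00Z",
        "1.2.0": "2025-12-01T00:00:00Z",
      },
      maintainers: [{ name: "alice" }, { name: "bob" }, { name: "carol" }],
    },
    downloads: { thisWeek: 2_000_000, fourWeeksAgo: 2_600_000 },
    github: { stars: 800, pushedAt: "2025-12-05T00:00:00Z" },
  },
};

for (const [name, pkg] of Object.entries(SAMPLE_PACKAGES)) {
  const r = scorePackage(pkg);
  console.log(`${name}: ${r.total}/100${r.critical ? " CRITICAL" : ""}`, r.breakdown);
}
```

Save it as a file and run it with node. The point worth noticing is that "solo-popular" scores higher than "team-maintained" on every behavioral dimension except maintainer depth and still gets the CRITICAL flag, because in this example the flag is a bus-factor check that sits beside the weighted score rather than inside it; a package can look healthy by momentum and cadence and still be one compromised account away from a supply-chain incident.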
