Everyone knows about chalk (422M weekly downloads, 1 maintainer) and axios (100M/wk, 1 maintainer — compromised March 30, 2026). Those are in your `package.json`. You chose them.

But when we ran the 113 most-downloaded npm packages through proof-of-commitment today, the packages that surprised me weren't the ones developers deliberately install. They were the invisible ones — the load-bearing infrastructure nobody chose, nobody monitors, and nobody thinks about.

glob: 340 million weekly downloads. You've probably never typed it.

```
$ npx proof-of-commitment glob

Package   Risk Score        Maintainers   Downloads/wk   Age
────────────────────────────────────────────────────────────────
glob      🔴 CRITICAL 78    1             340M/wk        13.7y
```

glob turns file patterns like `**/*.ts` into file lists. It's in webpack, Jest, ESLint, TypeScript, Vite — every build tool you use. 340 million installs every week. One maintainer for 13 years.…
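The distinction the post draws, between the packages you chose and the transitive ones your lockfile quietly pulls in, is something you can compute yourself from `package-lock.json`. The script below is an added example written for this page; it is not proof-of-commitment's code and does not reproduce its scoring. It assumes the lockfileVersion 3 layout (a `packages` map whose `""` entry is the root project and whose other keys are `node_modules/...` paths), uses a constructed lockfile and constructed registry metadata so it runs offline, and applies a deliberately simple, hypothetical heuristic (single maintainer, download volume, years under one maintainer, and whether the package is transitive) to rank what nobody on the team is watching.

```python
"""Lockfile-driven audit of "invisible" npm dependencies.

Added example, not proof-of-commitment's own code. It separates the packages
you chose (listed in package.json, hence in the root entry of the lockfile)
from the transitive ones, then applies a hypothetical risk heuristic to each.
"""
import json
from datetime import date

# Constructed package-lock.json (lockfileVersion 3 layout). Versions and the
# dependency edges are sample values, not taken from any real lockfile.
SAMPLE_LOCK_JSON = """
{
  "name": "example-app",
  "lockfileVersion": 3,
  "packages": {
    "": {
      "dependencies": {"axios": "^1.6.0", "chalk": "^5.3.0"},
      "devDependencies": {"webpack": "^5.90.0"}
    },
    "node_modules/axios": {"version": "1.6.8"},
    "node_modules/chalk": {"version": "5.3.0"},
    "node_modules/webpack": {"version": "5.90.3", "dependencies": {"glob": "^10.3.0"}},
    "node_modules/glob": {"version": "10.3.10", "dependencies": {"minimatch": "^9.0.0"}},
    "node_modules/minimatch": {"version": "9.0.3"}
  }
}
"""

# Constructed registry metadata. Maintainer counts and download figures for
# chalk, axios and glob echo the post; the rest, and all dates, are made up.
SAMPLE_REGISTRY = {
    "axios":     {"maintainers": 1, "weekly_downloads": 100_000_000, "first_published": "2014-08-29"},
    "chalk":     {"maintainers": 1, "weekly_downloads": 422_000_000, "first_published": "2013-08-02"},
    "webpack":   {"maintainers": 5, "weekly_downloads": 30_000_000,  "first_published": "2012-03-10"},
    "glob":      {"maintainers": 1, "weekly_downloads": 340_000_000, "first_published": "2012-07-01"},
    "minimatch": {"maintainers": 2, "weekly_downloads": 200_000_000, "first_published": "2011-10-01"},
}


def load_lock(text: str) -> dict:
    return json.loads(text)


def package_name(lock_path: str) -> str:
    # "node_modules/a/node_modules/@scope/b" -> "@scope/b"
    return lock_path.rsplit("node_modules/", 1)[-1]


def direct_dependencies(lock: dict) -> set:
    """Packages somebody on the team deliberately added to package.json."""
    root = lock["packages"][""]
    names = set()
    for field in ("dependencies", "devDependencies", "optionalDependencies"):
        names.update(root.get(field, {}))
    return names


def installed_packages(lock: dict) -> set:
    return {package_name(p) for p in lock["packages"] if p}


def transitive_dependencies(lock: dict) -> set:
    """Everything installed that nobody chose: the invisible infrastructure."""
    return installed_packages(lock) - direct_dependencies(lock)


def years_since(iso_date: str, today_iso: str) -> float:
    return (date.fromisoformat(today_iso) - date.fromisoformat(iso_date)).days / 365.25


def assess(name: str, meta: dict, is_direct: bool, today_iso: str) -> dict:
    """Hypothetical heuristic: points per risk signal, capped at 100."""
    score, reasons = 0, []
    if meta["maintainers"] == 1:
        score += 40
        reasons.append("single maintainer")
        if years_since(meta["first_published"], today_iso) >= 10:
            score += 10
            reasons.append("one person for 10+ years (burnout / handover risk)")
    if meta["weekly_downloads"] >= 100_000_000:
        score += 30
        reasons.append("100M+ weekly downloads: a compromise reaches the whole ecosystem")
    elif meta["weekly_downloads"] >= 10_000_000:
        score += 15
        reasons.append("10M+ weekly downloads")
    if not is_direct:
        score += 20
        reasons.append("transitive: not in package.json, so nobody chose or monitors it")
    score = min(score, 100)
    level = "CRITICAL" if score >= 70 else "HIGH" if score >= 40 else "LOW"
    return {"package": name, "score": score, "level": level, "direct": is_direct, "reasons": reasons}


def audit(lock_json: str, registry: dict, today_iso: str) -> list:
    """Score every installed package, highest risk first; unknown packages are kept visible."""
    lock = load_lock(lock_json)
    direct = direct_dependencies(lock)
    results = []
    for name in sorted(installed_packages(lock)):
        meta = registry.get(name)
        if meta is None:  # never silently skip what you cannot assess
            results.append({"package": name, "score": None, "level": "UNKNOWN",
                            "direct": name in direct, "reasons": ["no registry metadata"]})
            continue
        results.append(assess(name, meta, name in direct, today_iso))
    return sorted(results, key=lambda r: -(r["score"] or 0))


if __name__ == "__main__":
    for r in audit(SAMPLE_LOCK_JSON, SAMPLE_REGISTRY, "2026-04-01"):
        kind = "direct    " if r["direct"] else "transitive"
        print(f"{r['package']:<10} {r['level']:<8} {str(r['score']):>4}  {kind}  {'; '.join(r['reasons'])}")
```

Run against a real lockfile, the `installed_packages` minus `direct_dependencies` set is usually several times larger than `package.json`, which is the post's point: the review effort goes to the chosen packages while the transitive ones carry the same blast radius with none of the scrutiny. The registry lookup would need to come from `npm view <pkg> maintainers time` or the download API in practice; the metadata here is constructed.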