I spent last week writing about npm supply chain risk. Then I ran the same analysis on Python. The findings are different. In some ways worse.

The setup

I built a tool called Proof of Commitment that scores packages on behavioral signals: publisher depth, download momentum, release consistency, age. "Publisher depth" is the critical one — how many people have PyPI publish access? A package with one publisher and 300M weekly downloads is structurally fragile in a specific way: one compromised account enables a malicious publish to that entire install base.

For npm, the notable CRITICALs are things like chalk (413M/wk, 1 publisher), minimatch (581M/wk, 1 publisher), axios (99M/wk, 1 publisher). These are severe. But they're visible — developers at least know they're using chalk. What I found in Python is different.…
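To make the publisher-depth idea concrete, here is a small scorer in the spirit of the signals described above. It is an added example, not Proof of Commitment's own code: the thresholds, the hypothetical packages and the age/release figures are assumptions; only the three npm download and publisher counts come from the post.

```python
from dataclasses import dataclass

@dataclass
class PackageSignals:
    name: str
    weekly_downloads: int
    publishers: int          # accounts that can push a new release
    age_days: int            # time since first release
    releases_last_year: int  # release-consistency signal

# Constructed sample records. chalk/minimatch/axios downloads and publisher
# counts are the figures quoted in the post; age and release counts are
# illustrative, and the two "hypothetical-*" packages are invented.
SAMPLE = [
    PackageSignals("chalk", 413_000_000, 1, 4000, 6),
    PackageSignals("minimatch", 581_000_000, 1, 4500, 4),
    PackageSignals("axios", 99_000_000, 1, 3800, 12),
    PackageSignals("hypothetical-a", 40_000_000, 1, 3000, 10),
    PackageSignals("hypothetical-b", 40_000_000, 8, 3000, 10),
]

def blast_radius(pkg: PackageSignals) -> int:
    """Weekly installs one compromised publisher account could reach."""
    return pkg.weekly_downloads // max(pkg.publishers, 1)

def score(pkg: PackageSignals) -> tuple[str, list[str]]:
    """Return (level, reasons). Thresholds are assumed for this example."""
    reasons = []
    if pkg.publishers == 1:
        reasons.append("single publisher account")
    if pkg.age_days < 90:
        reasons.append("package younger than 90 days")
    if pkg.releases_last_year == 0 and pkg.weekly_downloads > 1_000_000:
        reasons.append("popular but no release in a year")
    # Publisher depth dominates: one account guarding a huge install base.
    if pkg.publishers == 1 and pkg.weekly_downloads >= 50_000_000:
        return "CRITICAL", reasons
    if blast_radius(pkg) >= 10_000_000 or len(reasons) >= 2:
        return "HIGH", reasons
    if reasons:
        return "MEDIUM", reasons
    return "LOW", reasons

def report(pkgs: list[PackageSignals]) -> dict[str, str]:
    """Map package name to its risk level."""
    return {p.name: score(p)[0] for p in pkgs}

if __name__ == "__main__":
    for p in SAMPLE:
        level, why = score(p)
        print(f"{p.name:15} {level:9} {blast_radius(p) / 1e6:6.0f}M exposed  "
              f"{'; '.join(why)}")
```

The two hypothetical packages have identical download counts; only the publisher count differs, which is what moves one from HIGH to LOW.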