{"slug": "one-npm-account-publishes-964-million-downloads-per-week-none-have-provenance", "title": "One npm Account Publishes 964 Million Downloads Per Week. None Have Provenance.", "summary": "The npm account 'ai' publishes seven packages that collectively receive 964 million weekly downloads, yet none have npm provenance attestations. This single-publisher, no-provenance pattern mirrors recent supply-chain attacks on axios, LiteLLM, and the Shai-Hulud worm, exposing a critical attack surface. The PostCSS ecosystem, including postcss, autoprefixer, and browserslist, is entirely behind this account, amplifying the risk of a compromised token.", "body_md": "The npm account `ai` publishes seven packages. Combined, they install 964 million times per week:\n\n| Package | Weekly downloads | Publishers | Risk |\n|---|---|---|---|\n| postcss | 245,612,332 | 1 | CRITICAL |\n| nanoid | 206,588,788 | 1 | CRITICAL |\n| caniuse-lite | 173,435,668 | 1 | CRITICAL |\n| browserslist | 167,746,012 | 1 | CRITICAL |\n| autoprefixer | 63,517,741 | 1 | CRITICAL |\n| postcss-nested | 54,486,292 | 1 | CRITICAL |\n| postcss-js | 52,771,544 | 1 | CRITICAL |\n\nThat's 50 billion installs per year behind a single set of npm credentials. None of them have npm provenance attestations.\n\nnpm provenance uses OIDC tokens from GitHub Actions instead of long-lived npm tokens. If a package has provenance, you can verify that the published code came from a specific commit in a specific repository — not from someone's compromised laptop.\n\nWithout provenance, there's no way to distinguish a legitimate release from one pushed by a stolen token. The blast radius here is nearly a billion installs per week.\n\nThis isn't theoretical. axios was attacked on March 30, 2026 through a stolen npm token — same single-publisher, no-provenance pattern. LiteLLM was hit the same way a month earlier. The Shai-Hulud worm in May 2026 exploited stolen tokens to republish 637 package versions in 39 minutes.\n\nPostCSS is interesting because it's not just one critical package. It's an entire ecosystem of critical packages, all behind the same account. chalk is one package, one publisher, 432M downloads/week. Bad enough. But `ai` controls seven independent packages that each cross the 10M threshold.\n\nA compromised `ai` token doesn't just hit postcss. It hits the CSS build pipeline (postcss + autoprefixer + postcss-nested + postcss-js), the browser compatibility layer (browserslist + caniuse-lite), and one of the most popular ID generators in the ecosystem (nanoid).\n\nAnd `caniuse-lite` was flagged with a dormant publisher warning — 61 months of inactivity on the publishing account. postcss-nested hasn't had a release in over 12 months.\n\nfast-xml-parser (88M downloads/week, single publisher) had the same problem. After the community raised [the issue](https://github.com/NaturalIntelligence/fast-xml-parser/issues/814), the maintainer set up GitHub Actions OIDC publishing. Within days, version 5.9.1 shipped with SLSA provenance attestations. Then 5.9.2 added environment gates and SHA-pinned actions. The structural gap closed in under a week.\n\nI [filed an issue on PostCSS](https://github.com/postcss/postcss/issues/2096) yesterday proposing the same approach. The fix is a one-line change — add `provenance: true` to the npm publish step — and it requires zero stored secrets.\n\nIf you want to see which packages in your project have this concentration risk:\n\n```\nnpx proof-of-commitment\n```\n\nRun it in any project directory. It auto-detects your lockfile and flags packages where a single npm publisher controls more than 10M weekly downloads. That's the exact attack surface that's been exploited three times in four months.\n\nThe full PostCSS ecosystem audit data comes from [Commit](https://getcommit.dev), which scores packages on behavioral signals rather than declared metadata.", "url": "https://wpnews.pro/news/one-npm-account-publishes-964-million-downloads-per-week-none-have-provenance", "canonical_source": "https://dev.to/piiiico/one-npm-account-publishes-964-million-downloads-per-week-none-have-provenance-4e2k", "published_at": "2026-06-18 14:35:24+00:00", "updated_at": "2026-06-18 14:51:28.613913+00:00", "lang": "en", "topics": ["developer-tools", "ai-safety"], "entities": ["npm", "PostCSS", "axios", "LiteLLM", "Shai-Hulud worm", "GitHub Actions", "Commit", "fast-xml-parser"], "alternates": {"html": "https://wpnews.pro/news/one-npm-account-publishes-964-million-downloads-per-week-none-have-provenance", "markdown": "https://wpnews.pro/news/one-npm-account-publishes-964-million-downloads-per-week-none-have-provenance.md", "text": "https://wpnews.pro/news/one-npm-account-publishes-964-million-downloads-per-week-none-have-provenance.txt", "jsonld": "https://wpnews.pro/news/one-npm-account-publishes-964-million-downloads-per-week-none-have-provenance.jsonld"}}