Open source supply chain risk index
Composite risk ranking of 200 open source projects by ecosystem importance, supply chain risk, downstream reach, and structural context. 585,601 projects scored.
Three findings from the data
npm's most-depended-on packages average a security posture of 4.3/10. A cryptography library with 173,000 dependents scores 1.6/10. And 38 of the top 200 have never been assessed for security.
What to do with this
Check your lockfiles against this index. Audit your CI actions (15 CI/CD tools appear in the top 200). Flag dependencies with no security assessment. Review your cryptography dependencies -- 10 crypto libraries average 4.4/10.
[MARCH 2026]
A composite ranking of the 200 highest-risk open source projects, scored by ecosystem importance, security posture, downstream reach, and structural context. This is a screening tool, not a threat prediction model.
Contact tobias@xor.tech for the full dataset.
Read this before the rankings
- C/C++ projects have no tracked dependents. The Linux kernel has a reach score of 0 despite running on billions of devices. Reach data comes from package registries and platform APIs.
- Structural context uses curated project lists. A new CI action or scanner not on the list gets structural=0. The lists require manual updates.
- Unassessed projects receive a default supply chain risk of 8/10. Some may have good practices that have not been measured. 38 of the top 200 are unassessed.
- Platform download counts may overcount CI-driven installs. A project with high PyPI monthly downloads may be inflated by automated
pip installin every CI build. - The security posture aggregate includes 5 checks not shown in the per-column breakdowns. Reproduced scores may differ from the displayed aggregate by up to 0.5 points.
- This index measures structural risk from public metadata. It identifies which projects deserve closer inspection. It cannot predict the next compromise.
Three findings
The npm ecosystem's most-depended-on packages have weak security practices
Babel compiles every modern JavaScript application and has 12.7 million downstream dependents. Next.js has 9.7 million. React has 3.3 million. esbuild has 1.3 million. All four are in the top 25 of this index.
Among the 20 projects with the most dependents, the 19 that have been assessed average a security posture of 4.3/10. safe-buffer (2.1M dependents) scores 2.5. inherits (2.3M dependents) scores 3.6. xtuc/webassemblyjs (1.6M dependents) scores 1.7.
These are not obscure packages. They are the transitive foundation of most JavaScript applications. Your lockfile almost certainly includes several of them.
Your JavaScript applications inherit these dependencies transitively. Run npm ls --all against this index and check what you are shipping.
A cryptography library with 173,000 dependents scores 1.6/10 on security
indutny/elliptic handles ECDSA for 173,000+ downstream npm packages. It ranks #1 in this index with a composite score of 7.52.
Its security posture is 1.6/10. Code review: 1/10. Branch protection: 0. SAST: 0. Fuzzing: 0. Security policy: 0. Not maintained in the last 90 days.
It is not alone. The index contains 10 cryptography libraries. Their average security posture is 4.4/10 across the 9 that have been assessed. tweetnacl-js (386K dependents) scores 2.5. crypto-js (53K dependents) scores 2.2. crypto-browserify (83K dependents) has never been assessed.
These are maintained by individuals and small teams, often without funding. Low scores reflect a lack of tooling adoption and organizational support, not a lack of care. The structural risk is real regardless of the reason.
If elliptic were compromised, signature verification across 173,000+ npm packages would break. Check whether your applications depend on it and what alternatives exist.
38 of the top 200 have never been assessed for security
These projects receive a default supply chain risk of 8/10 because no security data exists for them. That is a penalty, not a measurement. The real problem is that nobody has looked.
Among the unassessed: crypto-browserify (83K dependents, rank #9), setuptools-scm (rank #15), jest (696K dependents, rank #31), smithy-typescript (1.7M dependents, rank #34), codeql-action (rank #51), runner-images (rank #61). Some may have strong practices. We do not know.
The assessed projects in the top 200 average a security posture of 3.7/10. The top 25 assessed projects average 4.6/10. Even measured projects score below the midpoint.
You cannot defend what you have not measured. If your supply chain policy requires a security assessment, check whether your dependencies have one.
Methodology
composite = 0.30 x importance + 0.25 x supply_chain_risk + 0.25 x reach + 0.20 x structural
30%
Importance
Ecosystem importance: downstream dependencies, contributors, commit frequency, org diversity. Normalized 0-10.
25%
Supply chain risk
Inverted security posture (10 minus score). Unassessed projects get 8, not 10. Based on 14 security checks.
25%
Reach
log10(dependent_count) x 1.43. Babel (12.7M deps) = 10. A library with 100 deps = 2.9. Falls back to PyPI downloads, Docker Hub pulls, or GitHub workflow references when registries have no data.
20%
Structural context
Project type by verified lists: CI action (10), package manager (9), security scanner (9), build tool (8), cryptography (8), infrastructure (8), ML/AI framework (7), database (6), framework (6), general (0).
Weights sum to 1.0. Composite scores range from 0 to 10. Observed range in the top 200: 5.46 to 7.52.
Full data: Google Sheet (200 rows, all checks).
Top 25
| # | Repository | Composite | Importance | SC risk | Reach | Structural | Posture |
|---|---|---|---|---|---|---|---|
| 1 | indutny/elliptic | 7.52 | 6.5 | 8.4 | 7.5 | 8 | 1.6 |
| 2 | dchest/tweetnacl-js | 7.30 | 6.1 | 7.5 | 8.0 | 8 | 2.5 |
| 3 | postcss/postcss | 7.28 | 7.3 | 5.4 | 8.6 | 8 | 4.6 |
| 4 | evanw/esbuild | 7.28 | 6.9 | 5.7 | 8.8 | 8 | 4.3 |
| 5 | parcel-bundler/parcel | 7.26 | 6.8 | 7.2 | 7.3 | 8 | 2.8 |
| 6 | rollup/rollup | 7.15 | 7.5 | 5.1 | 8.2 | 8 | 4.9 |
| 7 | pypa/setuptools | 7.14 | 7.1 | 5.3 | 6.7 | 10 | 4.7 |
| 8 | babel/babel | 7.13 | 7.8 | 2.8 | 10.0 | 8 | 7.2 |
| 9 | browserify/crypto-browserify | 7.12 | 5.9 | 8.0 | 7.0 | 8 | N/A |
| 10 | vercel/next.js | 7.09 | 7.9 | 4.1 | 10.0 | 6 | 5.9 |
| 11 | swc-project/swc | 7.08 | 7.2 | 4.8 | 8.4 | 8 | 5.2 |
| 12 | brix/crypto-js | 7.01 | 5.9 | 7.8 | 6.8 | 8 | 2.2 |
| 13 | vuejs/vue | 6.89 | 7.1 | 7.0 | 7.3 | 6 | 3.0 |
| 14 | webpack/webpack | 6.86 | 7.5 | 4.7 | 7.3 | 8 | 5.3 |
| 15 | pypa/setuptools-scm | 6.81 | 5.7 | 8.0 | 4.5 | 10 | N/A |
| 16 | aws/aws-sdk-js-crypto-helpers | 6.74 | 5.9 | 4.8 | 8.6 | 8 | 5.2 |
| 17 | facebook/react | 6.72 | 7.7 | 3.6 | 9.3 | 6 | 6.4 |
| 18 | neo4j/neo4j | 6.68 | 6.9 | 7.2 | 6.5 | 6 | 2.8 |
| 19 | vuejs/core | 6.67 | 7.3 | 4.4 | 8.7 | 6 | 5.6 |
| 20 | pypa/wheel | 6.59 | 6.2 | 4.7 | 6.3 | 10 | 5.3 |
| 21 | prowler-cloud/prowler | 6.57 | 5.5 | 8.0 | 4.5 | 9 | N/A |
| 22 | yarnpkg/yarn | 6.56 | 6.3 | 5.8 | 5.7 | 9 | 4.2 |
| 23 | changesets/changesets | 6.55 | 6.5 | 3.8 | 6.6 | 10 | 6.2 |
| 24 | npm/cli | 6.53 | 7.2 | 3.2 | 7.1 | 9 | 6.8 |
| 25 | pypa/pip | 6.51 | 6.5 | 4.8 | 5.4 | 10 | 5.2 |
Color: red = composite above 7.0, orange = 6.0-7.0. N/A = no security assessment on record. Full 200-row dataset in the Google Sheet.
Recent supply chain targets in this index
Three projects involved in recent supply chain incidents appear in the top 55. All three now have security assessments on record.
| # | Repository | Composite | Reach source | Posture |
|---|---|---|---|---|
| 35 | aquasecurity/trivy | 6.17 | 4.5M Docker pulls/mo | 6.4 |
| 36 | ultralytics/yolov5 | 6.16 | 8.2M PyPI downloads/mo | 4.8 |
| 52 | tj-actions/changed-files | 5.84 | 266K workflow refs/mo | 6.1 |
What to do with this
Check your lockfiles
Extract GitHub URLs from package-lock.json, go.sum, Cargo.lock, or pom.xml and cross-reference them against this index. Most organizations have no idea which of these 200 projects are in their dependency tree.
Audit your CI actions
List every action in your .github/workflows/ files. 15 CI/CD-related tools appear in the top 200, including setuptools (#7), pip (#25), and codeql-action (#51). Pin versions by commit SHA, not tag.
Flag unassessed dependencies
If a dependency has never been assessed, that is a finding. 38 of the top 200 have no assessment. If your policy requires a minimum security posture, verify the data exists before assuming compliance.
Review your cryptography dependencies
10 cryptography libraries appear in the top 200. Their average security posture is 4.4/10. elliptic (1.6/10, 173K dependents), crypto-js (2.2/10, 53K dependents), and tweetnacl-js (2.5/10, 386K dependents) are the three weakest. Check whether your signature verification or encryption code depends on them.
Contact tobias@xor.tech for integration with your dependency scanning pipeline.
[RELATED]
More context
Data generated 2026-03-23. Ecosystem importance: biweekly (585K projects). Security posture: weekly (~1.3M checks). Reach: biweekly (registry + platform API data).
FAQ
What is the OSS supply chain risk index?
A composite ranking of the 200 highest-risk open source projects, scored across four dimensions: ecosystem importance (30%), supply chain risk (25%), downstream reach (25%), and structural context (20%). Data covers 585,601 projects.
How is the composite score calculated?
composite = 0.30 x importance + 0.25 x supply_chain_risk + 0.25 x reach + 0.20 x structural. Scores range from 0 to 10. The observed range in the top 200 is 5.46 to 7.52.
Why does indutny/elliptic rank number 1?
elliptic handles ECDSA for 173,000+ npm packages with a security posture of 1.6/10. Code review: 1/10. Branch protection: 0. SAST: 0. Fuzzing: 0. It scores 7.52 composite.
What are the limitations of this index?
C/C++ projects have no tracked dependents (reach=0). Structural context uses curated project lists. 38 of the top 200 are unassessed and receive a default risk of 8/10. The index measures structural risk from public metadata, not threat predictions.
Agentic Third-Party Risk
33% of enterprise software will be agentic by 2028. 40% of those projects will be canceled due to governance failures. A risk overview for CTOs.
MCP Server Security
17 attack types across 4 surfaces. 7.2% of 1,899 open-source MCP servers contain vulnerabilities. Technical deep-dive with defense controls.
OWASP Top 10 for Agentic Applications
The OWASP Agentic Top 10 mapped to real-world attack data and XOR capabilities. A reference page for security teams.
How Verification Works
Test agents on real vulnerabilities before shipping fixes.
Automated Vulnerability Patching
AI agents generate fixes for known CVEs. XOR verifies each fix against the vulnerability before it ships.
Benchmark Results
62.7% pass rate. $2.64 per fix. Real data from 1,920 evaluations.
See which agents produce fixes that work
128 CVEs. 15 agents. 1,920 evaluations. Agents learn from every run.