This project maps structural risks and critical dependencies in the NPM package ecosystem using topological network analysis methods. The dashboard below contains all analysis charts and raw datasets.

The 20 packages with the highest composite risk score, with their in-degree and betweenness centrality:

| Package | Risk Score | In-Degree | Betweenness |
|---|---|---|---|
| es-abstract | 0.4818 | 0.0111 | 0.0017 |
| @babel/helper-plugin-utils | 0.4030 | 0.0720 | 0.0000 |
| @babel/preset-env | 0.4029 | 0.0020 | 0.0000 |
| postcss-preset-env | 0.3198 | 0.0007 | 0.0000 |
| @babel/types | 0.2917 | 0.0209 | 0.0001 |
| @babel/traverse | 0.2837 | 0.0131 | 0.0001 |
| send | 0.2609 | 0.0013 | 0.0000 |
| @babel/core | 0.2594 | 0.0079 | 0.0001 |
| browserslist | 0.2562 | 0.0105 | 0.0002 |
| supports-color | 0.2545 | 0.0013 | 0.0000 |
| resolve | 0.2534 | 0.0046 | 0.0000 |
| fill-range | 0.2524 | 0.0007 | 0.0001 |
| jest-snapshot | 0.2423 | 0.0039 | 0.0004 |
| postcss-value-parser | 0.2409 | 0.0255 | 0.0000 |
| to-regex-range | 0.2405 | 0.0007 | 0.0000 |
| fs.realpath | 0.2399 | 0.0000 | 0.0000 |
| finalhandler | 0.2382 | 0.0007 | 0.0000 |
| @jest/types | 0.2373 | 0.0170 | 0.0002 |
| yargs | 0.2359 | 0.0007 | 0.0000 |
| get-intrinsic | 0.2354 | 0.0144 | 0.0003 |

The 20 packages with the largest cascade impact in the simulation, with their risk score:

| Package | Cascade Impact | Risk Score |
|---|---|---|
| workbox-build | 20.0000 | 0.1972 |
| react-scripts | 16.0000 | 0.2334 |
| postcss-preset-env | 14.0000 | 0.3198 |
| regexpu-core | 8.0000 | 0.2061 |
| eslint | 8.0000 | 0.1917 |
| @babel/types | 7.0000 | 0.2917 |
| @babel/helper-plugin-utils | 7.0000 | 0.4030 |
| cssnano-preset-default | 6.0000 | 0.2142 |
| source-map-resolve | 6.0000 | 0.1925 |
| webpack-dev-server | 5.0000 | 0.2304 |
| sax | 5.0000 | 0.1938 |
| browserslist | 4.0000 | 0.2562 |
| yargs | 4.0000 | 0.2359 |
| extglob | 3.0000 | 0.1994 |
| snapdragon | 3.0000 | 0.2077 |
| @jest/types | 3.0000 | 0.2373 |
| jest-snapshot | 3.0000 | 0.2423 |
| fill-range | 3.0000 | 0.2524 |
| resolve | 3.0000 | 0.2534 |
| postcss | 3.0000 | 0.1902 |

The 20 packages with the highest in-degree centrality (most directly depended on):

| Package | In-Degree | Out-Degree | Risk Score |
|---|---|---|---|
| @babel/helper-plugin-utils | 0.0720 | 0.0000 | 0.4030 |
| call-bound | 0.0268 | 0.0013 | 0.1153 |
| postcss-value-parser | 0.0255 | 0.0000 | 0.2409 |
| call-bind | 0.0236 | 0.0026 | 0.1835 |
| @types/node | 0.0223 | 0.0007 | 0.1336 |
| debug | 0.0223 | 0.0007 | 0.1468 |
| es-errors | 0.0216 | 0.0000 | 0.0750 |
| @babel/types | 0.0209 | 0.0013 | 0.2917 |
| define-properties | 0.0190 | 0.0020 | 0.0923 |
| chalk | 0.0183 | 0.0000 | 0.1196 |
| @csstools/css-tokenizer | 0.0183 | 0.0000 | 0.0641 |
| @csstools/css-parser-algorithms | 0.0177 | 0.0000 | 0.0618 |
| @jest/types | 0.0170 | 0.0046 | 0.2373 |
| @csstools/utilities | 0.0151 | 0.0000 | 0.0523 |
| jest-util | 0.0144 | 0.0039 | 0.1726 |
| get-intrinsic | 0.0144 | 0.0065 | 0.2354 |
| postcss-selector-parser | 0.0137 | 0.0013 | 0.1894 |
| graceful-fs | 0.0137 | 0.0000 | 0.0980 |
| es-object-atoms | 0.0131 | 0.0007 | 0.0507 |
| @babel/traverse | 0.0131 | 0.0046 | 0.2837 |

The 20 packages with the highest out-degree centrality (declaring the most direct dependencies):

| Package | Out-Degree | In-Degree | Risk Score |
|---|---|---|---|
| @babel/preset-env | 0.0458 | 0.0020 | 0.4029 |
| postcss-preset-env | 0.0452 | 0.0007 | 0.3198 |
| es-abstract | 0.0353 | 0.0111 | 0.4818 |
| react-scripts | 0.0314 | 0.0000 | 0.2334 |
| workbox-build | 0.0242 | 0.0007 | 0.1972 |
| eslint | 0.0223 | 0.0007 | 0.1917 |
| cssnano-preset-default | 0.0196 | 0.0007 | 0.2142 |
| express | 0.0183 | 0.0007 | 0.1827 |
| webpack-dev-server | 0.0183 | 0.0007 | 0.2304 |
| @jest/core | 0.0183 | 0.0013 | 0.2171 |
| webpack | 0.0164 | 0.0007 | 0.0917 |
| jest-config | 0.0157 | 0.0013 | 0.1792 |
| react-dev-utils | 0.0157 | 0.0007 | 0.1546 |
| @jest/reporters | 0.0151 | 0.0007 | 0.1970 |
| jest-runner | 0.0144 | 0.0013 | 0.1691 |
| jest-runtime | 0.0144 | 0.0026 | 0.2197 |
| jest-snapshot | 0.0137 | 0.0039 | 0.2423 |
| jsdom | 0.0131 | 0.0007 | 0.1787 |
| jest-circus | 0.0131 | 0.0007 | 0.1273 |
| eslint-plugin-import | 0.0124 | 0.0007 | 0.1179 |

The 20 packages with the highest betweenness centrality:

| Package | Betweenness | In-Degree | Risk Score |
|---|---|---|---|
| es-abstract | 0.0017 | 0.0111 | 0.4818 |
| jest-snapshot | 0.0004 | 0.0039 | 0.2423 |
| which-builtin-type | 0.0004 | 0.0007 | 0.1190 |
| call-bind | 0.0003 | 0.0236 | 0.1835 |
| get-intrinsic | 0.0003 | 0.0144 | 0.2354 |
| jest-runtime | 0.0003 | 0.0026 | 0.2197 |
| array-includes | 0.0003 | 0.0026 | 0.1534 |
| jsdom | 0.0003 | 0.0007 | 0.1787 |
| jest-message-util | 0.0003 | 0.0065 | 0.1878 |
| reflect.getprototypeof | 0.0003 | 0.0013 | 0.0877 |
| array.prototype.flat | 0.0002 | 0.0013 | 0.1205 |
| jest-watcher | 0.0002 | 0.0020 | 0.1538 |
| @jest/types | 0.0002 | 0.0170 | 0.2373 |
| side-channel | 0.0002 | 0.0026 | 0.1572 |
| browserslist | 0.0002 | 0.0105 | 0.2562 |
| typed-array-length | 0.0002 | 0.0007 | 0.0754 |
| object.assign | 0.0002 | 0.0026 | 0.1174 |
| typed-array-byte-offset | 0.0002 | 0.0007 | 0.0677 |
| @jest/fake-timers | 0.0002 | 0.0026 | 0.1683 |
| @babel/core | 0.0001 | 0.0079 | 0.2594 |

The 20 packages with the largest dependents count:

| Package | Dependents Count | In-Degree | Risk Score |
|---|---|---|---|
| supports-color | 5,765,200 | 0.0013 | 0.2545 |
| fs.realpath | 5,532,257 | 0.0000 | 0.2399 |
| fill-range | 5,461,792 | 0.0007 | 0.2524 |
| to-regex-range | 5,300,496 | 0.0007 | 0.2405 |
| fsevents | 5,289,351 | 0.0007 | 0.2316 |
| resolve | 5,229,428 | 0.0046 | 0.2534 |
| statuses | 5,106,018 | 0.0026 | 0.2305 |
| setprototypeof | 5,068,682 | 0.0007 | 0.2221 |
| unpipe | 5,053,604 | 0.0007 | 0.2214 |
| fresh | 5,019,855 | 0.0013 | 0.2222 |
| send | 4,993,661 | 0.0013 | 0.2609 |
| serve-static | 4,975,561 | 0.0007 | 0.2323 |
| fast-deep-equal | 4,968,905 | 0.0026 | 0.2246 |
| fast-json-stable-stringify | 4,957,551 | 0.0020 | 0.2218 |
| utils-merge | 4,948,638 | 0.0000 | 0.2146 |
| finalhandler | 4,946,523 | 0.0007 | 0.2382 |
| readdirp | 4,905,460 | 0.0007 | 0.2150 |
| yargs | 4,893,685 | 0.0007 | 0.2359 |
| camelcase | 4,809,686 | 0.0033 | 0.2199 |
| uri-js | 4,745,435 | 0.0000 | 0.2094 |
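
The metrics in the tables above (normalised in-degree and out-degree, betweenness centrality, cascade impact) are standard directed-graph measures. The following is an added example, not code from this project, that computes them over a small constructed dependency graph. Edges run from a package to each package it depends on, so a heavily reused library has a high in-degree and out-degree 0, as in the in-degree table. The page does not give the project's cascade-impact or composite-risk definitions, so this example assumes cascade impact to mean the number of packages that transitively depend on a node, and it does not compute the risk score at all. Package names in the sample are placeholders, not the real packages listed above.

```python
"""Centrality metrics over a small, constructed npm-style dependency graph.

Edges run from a package to each package it depends on
(dependent -> dependency). Degree metrics are normalised by (N - 1) and
betweenness by (N - 1)(N - 2), the usual convention for directed graphs.
"Cascade impact" is taken here to be the number of packages that
transitively depend on a node (an assumed definition, not necessarily
the one behind the project's tables).
"""
from collections import deque

# Constructed sample (placeholder names): each key depends on the listed packages.
SAMPLE_DEPS = {
    "app": ["preset", "runner", "send"],
    "preset": ["plugin-utils", "types", "traverse"],
    "traverse": ["types", "plugin-utils"],
    "runner": ["types", "send"],
    "send": ["finalhandler"],
    "types": [],
    "plugin-utils": [],
    "finalhandler": [],
}


def build_graph(deps):
    """Return (successors, predecessors) adjacency maps over all packages."""
    nodes = set(deps)
    for targets in deps.values():
        nodes.update(targets)
    succ = {n: set() for n in nodes}
    pred = {n: set() for n in nodes}
    for dependent, targets in deps.items():
        for dependency in targets:
            succ[dependent].add(dependency)
            pred[dependency].add(dependent)
    return succ, pred


def cascade_impact(pred, package):
    """Count packages reachable by walking dependents transitively (BFS)."""
    seen, queue = set(), deque([package])
    while queue:
        for dependent in pred[queue.popleft()]:
            if dependent not in seen:
                seen.add(dependent)
                queue.append(dependent)
    return len(seen)


def betweenness(succ):
    """Brandes' algorithm for directed, unweighted betweenness centrality."""
    nodes = sorted(succ)
    score = dict.fromkeys(nodes, 0.0)
    for s in nodes:
        order, preds = [], {v: [] for v in nodes}
        sigma, dist = dict.fromkeys(nodes, 0), dict.fromkeys(nodes, -1)
        sigma[s], dist[s] = 1, 0
        queue = deque([s])
        while queue:  # BFS from s, counting shortest paths
            v = queue.popleft()
            order.append(v)
            for w in sorted(succ[v]):
                if dist[w] < 0:
                    dist[w] = dist[v] + 1
                    queue.append(w)
                if dist[w] == dist[v] + 1:
                    sigma[w] += sigma[v]
                    preds[w].append(v)
        delta = dict.fromkeys(nodes, 0.0)
        while order:  # accumulate pair dependencies in reverse BFS order
            w = order.pop()
            for v in preds[w]:
                delta[v] += sigma[v] / sigma[w] * (1.0 + delta[w])
            if w != s:
                score[w] += delta[w]
    n = len(nodes)
    scale = 1.0 / ((n - 1) * (n - 2)) if n > 2 else 1.0
    return {v: score[v] * scale for v in nodes}


def analyze(deps):
    """Per-package metrics matching the columns used in the tables."""
    succ, pred = build_graph(deps)
    n = len(succ)
    bc = betweenness(succ)
    return {
        p: {
            "in_degree": len(pred[p]) / (n - 1),
            "out_degree": len(succ[p]) / (n - 1),
            "betweenness": bc[p],
            "cascade_impact": cascade_impact(pred, p),
        }
        for p in succ
    }


def top_packages(metrics, column, k=5):
    """Rank packages by one metric, highest first (ties broken by name)."""
    ranked = sorted(metrics.items(), key=lambda kv: (-kv[1][column], kv[0]))
    return [(name, m[column]) for name, m in ranked[:k]]


if __name__ == "__main__":
    metrics = analyze(SAMPLE_DEPS)
    for column in ("in_degree", "out_degree", "betweenness", "cascade_impact"):
        print(column, top_packages(metrics, column, 3))
```

Running the script prints a top-3 ranking for each metric. On the sample, `types` tops both in-degree and cascade impact while having betweenness 0, which is the pattern the tables above show for leaf libraries such as `@babel/helper-plugin-utils`: a package can be a single point of failure for many dependents without lying on any shortest path between other packages, so no single centrality measure captures supply-chain exposure on its own.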

The table below lists all data files produced as a result of the analysis.

| File Name | Description | Format |
|---|---|---|
| risk_scores.csv | Composite Risk Scores (CRS) and ranking of all packages. | CSV |
| impact_scores.csv | Cascade impact simulation results. | CSV |
| gephi_nodes.csv | Node list for Gephi. | CSV |
| gephi_edges.csv | Edge list for Gephi. | CSV |
| package_risk_scores.csv | Simplified list of packages and their risk scores. | CSV |
| Readme.md | Full analysis report in Markdown format. | Markdown |

A comprehensive review of academic studies on NPM ecosystem security, threat taxonomies, and network analysis.
Details on how the NPM supply chain network is modeled and the Composite Risk Score (CRS) calculation.
An overview of active threats and attack vectors in the NPM ecosystem.
A deep dive into the "Shai-Hulud" wormable malware attack that targeted the NPM ecosystem in 2025.