After Mini Shai-Hulud burned down 300+ @antv packages in a 22-minute automated burst on May 19, 2026 — through a single compromised maintainer account — every supply-chain dashboard still scores packages. maintainer-blast scores the people with publish rights, because that's the unit attackers actually target.
Leaderboard table (columns): # | Maintainer | Packages | Blast radius (weekly DLs) | Top package | Top pkg DLs

Lookup results table (columns): Package | Weekly downloads | Version | Description
Paste an npm package name. We'll show every maintainer with publish rights, their personal blast radius, and which other popular packages would also be exposed in a coordinated maintainer-account compromise.
Every other supply-chain tool scores packages. The May 2026 wave of npm worms — TanStack (May 11), node-ipc (May 14), @antv (May 19) — made it obvious that the unit of compromise is the maintainer account: one phished account can detonate hundreds of packages and tens of millions of weekly downloads at once.
maintainer-blast pulls live from registry.npmjs.org and api.npmjs.org. For each of the top-250 most-installed npm packages, we enumerate every maintainer with publish rights, walk their entire package portfolio, sum the weekly downloads, and rank them.
- `https://registry.npmjs.org/{pkg}` — package metadata + maintainer list (every request).
- `https://registry.npmjs.org/-/v1/search?text=maintainer:{user}` — reverse maintainer → packages enumeration.
- `https://api.npmjs.org/downloads/point/last-week/{names}` — last-week download totals, in batches of 128.

The pipeline runs nightly at 04:00 UTC, with a top-20 refresh every 6 hours. No mocks. No seeded values. If a fetch fails, the row is marked stale and the previous value is retained.
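The walk described above (packument → maintainers → per-maintainer package enumeration → last-week downloads in batches of 128, with a failed fetch leaving the row stale and keeping its previous value), written out as an added example. This is not maintainer-blast's own code; the three endpoints are the public npm ones named on the page, while the package names, maintainer names and download counts in `SAMPLE` are constructed so the script runs offline. The `fetch` callback is injected so the same code runs against the live registry with `http_fetch`.

```python
"""Maintainer blast-radius walk: added example, not maintainer-blast's own code."""
from __future__ import annotations

import json
import urllib.parse
import urllib.request
from typing import Callable, Dict, List, Tuple

REGISTRY = "https://registry.npmjs.org"
DOWNLOADS = "https://api.npmjs.org"
BULK_LIMIT = 128  # npm's documented cap per bulk last-week downloads request
Fetch = Callable[[str], dict]


def packument_url(pkg: str) -> str:
    return f"{REGISTRY}/{urllib.parse.quote(pkg, safe='@/')}"


def search_url(user: str, offset: int, size: int = 250) -> str:
    q = urllib.parse.urlencode({"text": f"maintainer:{user}", "size": size, "from": offset})
    return f"{REGISTRY}/-/v1/search?{q}"


def downloads_url(names: List[str]) -> str:
    return f"{DOWNLOADS}/downloads/point/last-week/{','.join(names)}"


def http_fetch(url: str) -> dict:
    """Live fetch; swap in make_fake_fetch(...) for offline runs."""
    with urllib.request.urlopen(url, timeout=15) as resp:
        return json.load(resp)


def maintainers_of(pkg: str, fetch: Fetch) -> List[str]:
    doc = fetch(packument_url(pkg))
    return sorted({m["name"] for m in doc.get("maintainers", [])})


def packages_of(user: str, fetch: Fetch) -> List[str]:
    """Reverse lookup maintainer -> packages, paging through the search API."""
    names, offset = [], 0
    while True:
        res = fetch(search_url(user, offset))
        objs = res.get("objects", [])
        names += [o["package"]["name"] for o in objs]
        offset += len(objs)
        if not objs or offset >= res.get("total", 0):
            return names


def download_batches(names: List[str]) -> List[List[str]]:
    """Unscoped names go 128 per request; the bulk endpoint does not accept
    scoped (@org/x) names, so each of those gets its own request."""
    uniq = sorted(set(names))
    scoped = [n for n in uniq if n.startswith("@")]
    plain = [n for n in uniq if not n.startswith("@")]
    batches = [plain[i:i + BULK_LIMIT] for i in range(0, len(plain), BULK_LIMIT)]
    return batches + [[n] for n in scoped]


def weekly_downloads(names: List[str], fetch: Fetch, previous=None) -> Dict[str, Tuple[int, bool]]:
    """name -> (downloads, stale). A failed fetch keeps the previous value and flags the row."""
    previous, out = previous or {}, {}
    for batch in download_batches(names):
        try:
            res = fetch(downloads_url(batch))
        except Exception:  # network error, non-JSON body, etc.: row goes stale
            res = {}
        if len(batch) == 1 and "downloads" in res:  # single-name replies are flat
            res = {batch[0]: res}
        for n in batch:
            entry = res.get(n)
            out[n] = (entry["downloads"], False) if entry else (previous.get(n, 0), True)
    return out


def blast_radius(pkg: str, fetch: Fetch, previous=None) -> List[dict]:
    """Rank every maintainer of pkg by the weekly downloads of their whole portfolio."""
    rows = []
    for user in maintainers_of(pkg, fetch):
        portfolio = packages_of(user, fetch)
        dl = weekly_downloads(portfolio, fetch, previous)
        rows.append({
            "maintainer": user,
            "packages": len(portfolio),
            "blast_radius": sum(d for d, _ in dl.values()),
            "top": max(portfolio, key=lambda n: dl[n][0]) if portfolio else None,
            "stale": any(s for _, s in dl.values()),
        })
    return sorted(rows, key=lambda r: r["blast_radius"], reverse=True)


def make_fake_fetch(responses: Dict[str, dict]) -> Fetch:
    """Offline stand-in for http_fetch; any URL missing from responses counts as an outage."""
    def fetch(url: str) -> dict:
        if url not in responses:
            raise ConnectionError(f"constructed outage: {url}")
        return responses[url]
    return fetch


def _search(names: List[str]) -> dict:  # minimal shape of the real search reply
    return {"objects": [{"package": {"name": n}} for n in names], "total": len(names)}


SAMPLE = {  # constructed data: none of these packages or maintainers are real
    packument_url("example-cli"): {"maintainers": [{"name": "alice"}, {"name": "bob"}]},
    search_url("alice", 0): _search(["example-cli", "tiny-lib"]),
    search_url("bob", 0): _search(["example-cli", "big-thing", "@demo/scoped"]),
    downloads_url(["example-cli", "tiny-lib"]): {"example-cli": {"downloads": 1000}, "tiny-lib": {"downloads": 300}},
    downloads_url(["big-thing", "example-cli"]): {"big-thing": {"downloads": 20000}, "example-cli": {"downloads": 1000}},
    # no entry for @demo/scoped: that fetch fails, so the row is stale and keeps PREVIOUS
}
PREVIOUS = {"@demo/scoped": 4200}  # constructed last-good value retained on failure

if __name__ == "__main__":
    for row in blast_radius("example-cli", make_fake_fetch(SAMPLE), PREVIOUS):
        print(row)
```

Against the sample data, `bob` ranks first with a 25,200-download blast radius across three packages and a stale flag, because the scoped package's fetch failed and its previous 4,200 was retained; `alice` follows at 1,300. Against the live registry, replace `make_fake_fetch(SAMPLE)` with `http_fetch` and expect the search API to page (the loop follows `total`) and portfolios of prolific maintainers to span several 128-name batches.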
package.json name into the lookup tool and see which maintainers' compromise would domino into your stack.

Built by Cowork. Source live at holyai.me/maintainer-blast.