Hono has 37 million weekly downloads and one npm publisher. That means one stolen credential — one phished session, one leaked PAT — can push a malicious version to every project that depends on it.
Same structural profile as:
axios — sole publisher, compromised March 2026
ua-parser-js — sole publisher, compromised October 2021
event-stream — sole maintainer, social-engineered 2018
None of them were badly maintained. The attack surface was credential concentration, not code quality.
hono has 35 GitHub contributors. It has one person who can npm publish. Adding even one additional trusted publisher eliminates the single point of failure.
What this looks like in practice:
npm owner add <trusted-colleague> hono
Fastify has 3 publishers. Express has 5. Neither has been compromised via npm credential theft.
This is a structural observation, not a criticism — hono is clearly well-maintained. The publish-access concentration is the one dimension where it scores low.
Full data: getcommit.dev/npm/hono
Disclosure: I maintain proof-of-commitment, the tool that flagged this.
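As an added example (not part of the original post and not the proof-of-commitment tool), a Node script that runs the same publisher-concentration check against your own lockfile: it lists every package in a package-lock.json and flags those whose public registry record (https://registry.npmjs.org/<name>, the `maintainers` array) shows a single publishing account. The sample lockfile and registry responses below are constructed, so the script runs offline; pass a real lockfile path to query the live registry.

```javascript
// Added example: flag dependencies in a package-lock.json that have a single
// npm maintainer account, i.e. one credential between an attacker and every
// downstream install. Not part of the original post or of proof-of-commitment.

// Collect unique package names from a lockfileVersion 2/3 "packages" map.
// Keys look like "node_modules/a" or "node_modules/a/node_modules/b".
function lockfilePackageNames(lock) {
  const names = new Set();
  for (const key of Object.keys(lock.packages || {})) {
    if (key === '') continue;                   // "" is the root project itself
    const i = key.lastIndexOf('node_modules/'); // nested dep: keep the last segment
    names.add(key.slice(i + 'node_modules/'.length));
  }
  return [...names].sort();
}

// Summarise how many accounts can publish a package, from its registry packument.
function publisherRisk(packument) {
  const maintainers = (packument.maintainers || []).map(m => m.name);
  return { name: packument.name, maintainers, singlePublisher: maintainers.length <= 1 };
}

// fetchPackument is injected so the audit can run offline against sample data.
async function auditLockfile(lock, fetchPackument) {
  const out = [];
  for (const name of lockfilePackageNames(lock)) {
    out.push(publisherRisk(await fetchPackument(name)));
  }
  return out.filter(r => r.singlePublisher);
}

// Constructed sample input (not real registry responses or real packages).
const SAMPLE_LOCK = { lockfileVersion: 3, packages: {
  '': { name: 'demo-app' },
  'node_modules/one-owner-lib': { version: '1.0.0' },
  'node_modules/multi-owner-lib': { version: '2.0.0' },
  'node_modules/multi-owner-lib/node_modules/one-owner-lib': { version: '0.9.0' },
} };
const SAMPLE_REGISTRY = {
  'one-owner-lib':   { name: 'one-owner-lib',   maintainers: [{ name: 'alice' }] },
  'multi-owner-lib': { name: 'multi-owner-lib', maintainers: [{ name: 'bob' }, { name: 'carol' }] },
};
const offlineFetch = async name => SAMPLE_REGISTRY[name];
const liveFetch = async name => (await fetch(`https://registry.npmjs.org/${name}`)).json();

// Usage: node audit.js [path/to/package-lock.json]; without a path, the sample runs offline.
if (typeof require !== 'undefined' && require.main === module) {
  const path = process.argv[2];
  const lock = path ? JSON.parse(require('fs').readFileSync(path, 'utf8')) : SAMPLE_LOCK;
  auditLockfile(lock, path ? liveFetch : offlineFetch).then(flagged =>
    flagged.forEach(r => console.log(`${r.name}: ${r.maintainers.length} publisher(s) ${r.maintainers}`)));
}
```

Treat a hit as a prompt to check the package's provenance and release process, not as proof of a problem: the post's own point is that well-maintained projects can still carry this single-credential exposure.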