The Socket Research Team has uncovered a large-scale supply chain attack on the npm ecosystem, with more than 40 packages trojanized. Among them, the most notable is @ctrl/tinycolor, a library with over 2.2 million weekly downloads.
According to the researchers, “A malicious update to @ctrl/tinycolor (2.2M weekly downloads) was detected on npm as part of a broader supply chain attack that impacted more than 40 packages spanning multiple maintainers.”
The compromised versions of TinyColor and related packages introduced a rogue function named NpmModule.updatePackage. As Socket explains, this function “downloads a package tarball, modifies package.json, injects a local script (bundle.js), repacks the archive, and republishes it, enabling automatic trojanization of downstream packages.”
This mechanism allowed the attackers to poison new releases silently, creating a cascading effect across projects that depended on these packages.
The injected bundle.js script was highly sophisticated. It used TruffleHog, a legitimate secret scanner, to hunt for sensitive credentials. As the report states, “The bundle.js script downloads and executes TruffleHog, a legitimate secret scanner, then searches the host for tokens and cloud credentials. It validates and uses developer and CI credentials, creates a GitHub Actions workflow inside repositories, and exfiltrates results to a hardcoded webhook.”
Key targets included:
- GitHub tokens (GITHUB_TOKEN)
- npm tokens (NPM_TOKEN)
- AWS cloud credentials (AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY)
- GCP metadata endpoints
Worse, the workflow dropped into victim repositories ensured persistence: “Once committed, any future CI run can trigger the exfiltration step from within the pipeline where sensitive secrets and artifacts are available by design.”
While TinyColor is the most prominent package, dozens of others were also compromised, including:
- angulartics2@14.1.2
- @ctrl/deluge@7.2.2
- @ctrl/qbittorrent@9.7.2
- koa2-swagger-ui@5.11.2
- @nativescript-community/ui-image@4.5.6
- ngx-toastr@19.0.2
- ts-gaussian@3.0.6
The breadth of affected packages demonstrates the scale and severity of the campaign, putting countless development environments and CI/CD pipelines at risk.
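A defender-side check for the indicators above, added here as an example that is not code from the Socket report or from any of the affected projects: it audits a package-lock.json (v1 and v2/v3 layouts) against the package@version pairs listed in the article and, as a heuristic assumption drawn from the report's description of the injected bundle.js, flags package.json lifecycle scripts that run a file by that name. The sample lockfile and package.json are constructed.

```javascript
// Compromised name@version pairs named in the article. The affected @ctrl/tinycolor
// versions are not stated there, so they are deliberately not listed.
const COMPROMISED = new Set([
  "angulartics2@14.1.2",
  "@ctrl/deluge@7.2.2",
  "@ctrl/qbittorrent@9.7.2",
  "koa2-swagger-ui@5.11.2",
  "@nativescript-community/ui-image@4.5.6",
  "ngx-toastr@19.0.2",
  "ts-gaussian@3.0.6",
]);

// Return every installed name@version in a package-lock.json that is in the indicator set.
// Lockfile v2/v3 has a flat "packages" map keyed by install path; v1 nests "dependencies".
function findCompromised(lock, indicators = COMPROMISED) {
  const hits = [];
  if (lock.packages) {
    for (const [p, meta] of Object.entries(lock.packages)) {
      if (p === "" || !meta.version) continue; // "" is the root project itself
      const name = meta.name || p.slice(p.lastIndexOf("node_modules/") + 13);
      const key = `${name}@${meta.version}`;
      if (indicators.has(key)) hits.push({ path: p, key });
    }
    return hits;
  }
  const walk = (deps, prefix) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const key = `${name}@${meta.version}`;
      if (indicators.has(key)) hits.push({ path: prefix + name, key });
      walk(meta.dependencies, `${prefix}${name} > `);
    }
  };
  walk(lock.dependencies, "");
  return hits;
}

// Heuristic (assumption): flag lifecycle scripts that execute a bundle.js, the file name the
// report says updatePackage injects. Legitimate build scripts can match; treat hits as leads.
function suspiciousScripts(pkg) {
  return Object.entries(pkg.scripts || {})
    .filter(([, cmd]) => /\bbundle\.js\b/.test(cmd))
    .map(([name, cmd]) => `${name}: ${cmd}`);
}

// Constructed sample inputs for illustration (not real project files).
const SAMPLE_LOCK = { lockfileVersion: 3, packages: {
  "": { name: "demo-app", version: "1.0.0" },
  "node_modules/ngx-toastr": { version: "19.0.2" },
  "node_modules/@ctrl/deluge": { version: "7.2.1" }, // near miss, must not be flagged
  "node_modules/koa2-swagger-ui/node_modules/ts-gaussian": { version: "3.0.6" } } };
const SAMPLE_PKG = { scripts: { postinstall: "node bundle.js", test: "jest" } };
```

Run it against a real lockfile with `findCompromised(JSON.parse(fs.readFileSync("package-lock.json", "utf8")))`; nested installs are reported with their full path so the transitive route is visible.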