Popular NPM Package ‘ctrl/tinycolor’ with 2M Weekly Downloads and 40+ Others Compromised in Supply Chain Attack
The NPM ecosystem is under attack once again, with a sophisticated supply chain compromise targeting the widely used @ctrl/tinycolor package and over 40 other JavaScript packages.
This latest incident represents a significant escalation in supply chain threats, featuring self-propagating malware that automatically spreads across the ecosystem.
[Figure: diagram showing how phishing emails with malicious URLs or HTML attachments lead to a JavaScript-based malware infection on a user's device]
The malicious compromise was first discovered by security researcher @franky47, who promptly reported the issue through a GitHub alert.
The attack targeted @ctrl/tinycolor versions 4.1.1 and 4.1.2; the affected packages collectively receive over 2 million weekly downloads from developers worldwide.
What makes this incident particularly dangerous is the malware’s ability to automatically propagate to other packages maintained by the same authors or accessible through compromised credentials.
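As an added defender-side check, not code from the article or from Socket.dev's analysis: a script that walks an npm lockfile (v1 "dependencies" tree or v2/v3 "packages" map) and flags the @ctrl/tinycolor versions named above. The lockfile below is constructed; the other 40+ affected packages are not listed because the article does not name them.

```javascript
// Versions named in the article as compromised. Other affected packages are
// not named there, so extend this map from the advisory you rely on.
const COMPROMISED = {
  '@ctrl/tinycolor': new Set(['4.1.1', '4.1.2']),
};

// Package name is everything after the last "node_modules/" segment,
// which keeps scoped names such as "@ctrl/tinycolor" intact.
function nameFromPath(p) {
  const i = p.lastIndexOf('node_modules/');
  return i === -1 ? null : p.slice(i + 'node_modules/'.length);
}

// Returns [{name, version, path}] for every install of a flagged version,
// including nested (deduplicated-away) copies deeper in the tree.
function findCompromised(lock) {
  const hits = [];
  if (lock.packages) {
    // lockfileVersion 2/3: flat map keyed by install path; "" is the root
    for (const [path, entry] of Object.entries(lock.packages)) {
      const name = entry.name || nameFromPath(path);
      if (name && COMPROMISED[name]?.has(entry.version)) {
        hits.push({ name, version: entry.version, path });
      }
    }
    return hits;
  }
  // lockfileVersion 1: nested "dependencies" objects keyed by package name
  const walk = (deps, prefix) => {
    for (const [name, entry] of Object.entries(deps || {})) {
      const path = `${prefix}node_modules/${name}`;
      if (COMPROMISED[name]?.has(entry.version)) {
        hits.push({ name, version: entry.version, path });
      }
      walk(entry.dependencies, path + '/');
    }
  };
  walk(lock.dependencies, '');
  return hits;
}

// Constructed sample: one flagged copy at top level, one clean nested copy.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'my-app', version: '1.0.0' },
    'node_modules/@ctrl/tinycolor': { version: '4.1.2' },
    'node_modules/some-lib': { version: '2.0.0' },
    'node_modules/some-lib/node_modules/@ctrl/tinycolor': { version: '4.1.0' },
  },
};

if (typeof require !== 'undefined' && require.main === module) {
  const file = process.argv[2]; // pass a real package-lock.json path, or use the sample
  const lock = file ? JSON.parse(require('fs').readFileSync(file, 'utf8')) : SAMPLE_LOCK;
  for (const h of findCompromised(lock)) console.log(`FLAGGED ${h.name}@${h.version} at ${h.path}`);
}
```

Run it against a real lockfile with `node check-lock.js package-lock.json`; any FLAGGED line means a compromised version is pinned somewhere in the install tree, not just at the top level.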
Socket.dev provided comprehensive technical analysis of the ...
Copyright of this story solely belongs to gbhackers.