NPM Malware Breach Hits ctrl/tinycolor, 40 Packages
A coordinated supply chain attack has compromised over 40 NPM packages, including the widely used @ctrl/tinycolor, which sees more than 2 million downloads weekly. The breach strikes a critical point in the ecosystem: attackers deployed a self-propagating worm that steals developer credentials and uses them to infect additional packages. The incident surfaced after suspicious GitHub activity prompted alerts from the open-source community.
Security researchers confirmed that the malware embedded itself using a function called NpmModule.updatePackage, enabling it to spread across repositories without human intervention. The breach hits developers hard: it harvests sensitive credentials with a repurposed tool and drops a malicious GitHub Actions workflow to ensure persistence. Analysts identified versions 4.1.1 and 4.1.2 of @ctrl/tinycolor as malicious. Experts urge developers to remove infected packages, rotate all exposed credentials, and audit their systems for the shai-hulud-workflow.yml file.
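The audit steps above (find the malicious @ctrl/tinycolor releases in a project's dependency tree and look for the shai-hulud-workflow.yml persistence file) can be scripted. The following is an added example written for this page, not code from the article or from any of the affected projects. It uses only the indicators the article names (the package, versions 4.1.1 and 4.1.2, and the workflow file name); the lockfile it scans and the directory it walks are constructed inline for demonstration, and the handling of npm lockfile versions 1 and 2/3 is an assumption about the lockfile layout rather than anything the article describes.

```python
import json
import os
import tempfile

# Indicators taken from the article. Everything else below (sample lockfile,
# temporary directory layout) is constructed for the demonstration.
AFFECTED_VERSIONS = {"@ctrl/tinycolor": {"4.1.1", "4.1.2"}}
WORKFLOW_IOC = "shai-hulud-workflow.yml"


def find_affected_packages(lockfile_json: str):
    """Return sorted [(name, version)] for lockfile entries that match
    AFFECTED_VERSIONS. Assumes npm lockfile v2/v3 ("packages" keyed by
    node_modules path) or v1 ("dependencies" nested by package name)."""
    lock = json.loads(lockfile_json)
    hits = set()

    # v2/v3 layout: keys look like "node_modules/@ctrl/tinycolor", possibly
    # nested under another package's node_modules directory.
    for path, meta in lock.get("packages", {}).items():
        if not path:
            continue  # "" is the root project entry, not a dependency
        name = path.rsplit("node_modules/", 1)[-1]
        if meta.get("version") in AFFECTED_VERSIONS.get(name, set()):
            hits.add((name, meta["version"]))

    # v1 layout: a tree of {"name": {"version": ..., "dependencies": {...}}}
    def walk(deps):
        for name, meta in deps.items():
            if meta.get("version") in AFFECTED_VERSIONS.get(name, set()):
                hits.add((name, meta["version"]))
            walk(meta.get("dependencies", {}))

    walk(lock.get("dependencies", {}))
    return sorted(hits)


def find_workflow_ioc(repo_root: str):
    """Return every path under repo_root whose file name is the IOC workflow."""
    found = []
    for dirpath, _dirs, files in os.walk(repo_root):
        for f in files:
            if f == WORKFLOW_IOC:
                found.append(os.path.join(dirpath, f))
    return sorted(found)


# Constructed sample lockfile (v3 layout): one malicious and one clean entry.
SAMPLE_LOCK = json.dumps({
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app", "version": "1.0.0"},
        "node_modules/@ctrl/tinycolor": {"version": "4.1.2"},
        "node_modules/left-pad": {"version": "1.3.0"},
    },
})


def demo():
    """Run both checks against constructed data; returns (pkg_hits, wf_hits)."""
    pkg_hits = find_affected_packages(SAMPLE_LOCK)
    with tempfile.TemporaryDirectory() as root:
        # Plant the IOC file where a GitHub Actions workflow would live.
        wf_dir = os.path.join(root, ".github", "workflows")
        os.makedirs(wf_dir)
        open(os.path.join(wf_dir, WORKFLOW_IOC), "w").close()
        wf_hits = [os.path.relpath(p, root) for p in find_workflow_ioc(root)]
    return pkg_hits, wf_hits


if __name__ == "__main__":
    pkgs, wfs = demo()
    for name, ver in pkgs:
        print(f"REMOVE: {name}@{ver} is a known malicious release")
    for p in wfs:
        print(f"INVESTIGATE: persistence workflow found at {p}")
```

Run `find_affected_packages` over each project's package-lock.json and `find_workflow_ioc` over each repository checkout. A hit on either check means the host and any tokens it held should be treated as exposed; the script only locates the indicators, and the credential rotation the article calls for still has to follow.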