Another npm supply-chain attack
Date:
Tue, 16 Sep 2025 13:51:53 +0000
Description:
The Socket.dev blog describes
this week's attack on JavaScript packages in the npm repository. A malicious update to @ctrl/tinycolor (2.2M weekly
downloads) was detected on npm as part of a broader supply chain
attack that impacted more than 40 packages spanning multiple
maintainers. The compromised versions include a function
(NpmModule.updatePackage) that downloads a package
tarball, modifies package.json, injects a local script
(bundle.js), repacks the archive, and republishes it,
enabling automatic trojanization of downstream packages.
======================================================================
Link to news story:
https://lwn.net/Articles/1038326/
--- Mystic BBS v1.12 A49 (Linux/64)
* Origin: tqwNet UK HUB @ hub.uk.erb.pw (1337:1/100)