
Another npm supply-chain attack

The Socket.dev blog describes this week's attack on JavaScript packages in the npm repository.

A malicious update to @ctrl/tinycolor (2.2M weekly downloads) was detected on npm as part of a broader supply chain attack that impacted more than 40 packages spanning multiple maintainers.

The compromised versions include a function (NpmModule.updatePackage) that downloads a package tarball, modifies package.json, injects a local script (bundle.js), repacks the archive, and republishes it, enabling automatic trojanization of downstream packages.

There is some more information in this Krebs on Security article.


Predicted earlier

Posted Sep 16, 2025 18:53 UTC (Tue) by Cyberax (✭ supporter ✭, #52523)

Aww... Somebody is left-padding their coffers: https://david-gilbertson.medium.com/im-harvesting-credit-...


Copyright © 2025, Eklektix, Inc.