[Posted September 16, 2025 by corbet]
The Socket.dev blog describes this week's attack on JavaScript packages in the npm repository.
A malicious update to @ctrl/tinycolor (2.2M weekly downloads) was detected on npm as part of a broader supply chain attack that impacted more than 40 packages spanning multiple maintainers.The compromised versions include a function (NpmModule.updatePackage) that downloads a package tarball, modifies package.json, injects a local script (bundle.js), repacks the archive, and republishes it, enabling automatic trojanization of downstream packages.
There is some more information in this
Krebs on Security article.
