Malicious Version of @ctrl/tinycolor Detected in NPM Supply Chain Attack

A new attack on the npm supply chain has been identified, involving the popular package @ctrl/tinycolor, which is downloaded 2.2 million times weekly. The malicious version includes an information stealer that runs from npm's postinstall lifecycle script, using TruffleHog to scan for credentials and other secrets and exfiltrate them. Users are advised to check which version of the package their installations contain, pause dependency updates, and revert to a known-good version to mitigate the risk.
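The two checks the article recommends, finding every copy of @ctrl/tinycolor pinned in a project and spotting packages that run code at install time, can be automated. The script below is an added example written for this page, not code from the article or from the tinycolor project. It parses a lockfileVersion 2/3 package-lock.json and walks a node_modules tree; the lockfile, package.json contents and version strings are constructed sample data, and KNOWN_BAD_VERSIONS is a placeholder that must be filled from the advisory, since the article itself names no version numbers.

```python
"""Defender-side audit of an npm dependency tree (added example, not from the article).

Two checks:
  1. every copy of a target package in package-lock.json, flagged when its version
     is on a known-bad list;
  2. every installed package whose package.json declares an install-time lifecycle
     script (preinstall/install/postinstall), which is where the stealer ran.
"""
import json
import os
import tempfile

TARGET_PACKAGE = "@ctrl/tinycolor"
# PLACEHOLDER: the article lists no version numbers; fill this from the advisory.
KNOWN_BAD_VERSIONS = {"0.0.0-placeholder-bad"}
INSTALL_HOOKS = ("preinstall", "install", "postinstall")


def lock_entries(lock, name):
    """Return (path, version) for every copy of `name` in a lockfileVersion 2/3
    lockfile, including nested copies under other packages."""
    suffix = "node_modules/" + name
    hits = []
    for path, meta in lock.get("packages", {}).items():
        if path == suffix or path.endswith("/" + suffix):
            hits.append((path, meta.get("version")))
    return hits


def bad_versions(lock, name=TARGET_PACKAGE, bad=KNOWN_BAD_VERSIONS):
    """Subset of lock_entries whose version is on the known-bad list."""
    return [(p, v) for p, v in lock_entries(lock, name) if v in bad]


def install_scripts(node_modules):
    """Walk node_modules and return (package name, hook, command) for each
    package.json that declares an install-time lifecycle script."""
    found = []
    for root, _dirs, files in os.walk(node_modules):
        if "package.json" not in files:
            continue
        try:
            with open(os.path.join(root, "package.json"), encoding="utf-8") as f:
                pkg = json.load(f)
        except (OSError, ValueError):
            continue  # unreadable or malformed manifest: skip, do not crash the audit
        scripts = pkg.get("scripts") or {}
        for hook in INSTALL_HOOKS:
            if hook in scripts:
                found.append((pkg.get("name", root), hook, scripts[hook]))
    return found


# Constructed sample lockfile (lockfileVersion 3 layout); not real data.
SAMPLE_LOCK = {
    "name": "demo-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app", "dependencies": {"@ctrl/tinycolor": "*"}},
        "node_modules/@ctrl/tinycolor": {"version": "0.0.0-placeholder-bad"},
        "node_modules/some-ui-lib": {"version": "1.0.0"},
        "node_modules/some-ui-lib/node_modules/@ctrl/tinycolor": {
            "version": "0.0.0-placeholder-good"},
    },
}

# Constructed package.json contents for a throwaway node_modules tree; the
# postinstall command is a made-up stand-in, not the real payload's name.
SAMPLE_TREE = {
    "@ctrl/tinycolor": {"name": "@ctrl/tinycolor", "version": "0.0.0-placeholder-bad",
                        "scripts": {"postinstall": "node install-hook.js"}},
    "some-ui-lib": {"name": "some-ui-lib", "version": "1.0.0",
                    "scripts": {"test": "jest"}},
}


def build_sample_tree(base):
    """Write SAMPLE_TREE under base/node_modules and return that directory."""
    nm = os.path.join(base, "node_modules")
    for name, pkg in SAMPLE_TREE.items():
        d = os.path.join(nm, *name.split("/"))
        os.makedirs(d, exist_ok=True)
        with open(os.path.join(d, "package.json"), "w", encoding="utf-8") as f:
            json.dump(pkg, f)
    return nm


def sample_install_scripts():
    """Run install_scripts over the constructed tree in a temp directory."""
    with tempfile.TemporaryDirectory() as tmp:
        return install_scripts(build_sample_tree(tmp))


if __name__ == "__main__":
    for path, ver in bad_versions(SAMPLE_LOCK):
        print(f"KNOWN-BAD    {path} @ {ver}")
    for name, hook, cmd in sample_install_scripts():
        print(f"INSTALL-HOOK {name}: {hook} -> {cmd!r}")
```

On a real project, point `bad_versions` at the parsed package-lock.json and `install_scripts` at the project's node_modules directory. `npm ls @ctrl/tinycolor` gives the same version view from the npm CLI, and setting `ignore-scripts=true` in `.npmrc` (or passing `--ignore-scripts`) stops lifecycle hooks such as postinstall from running at all, which is the setting that would have prevented the stealer from executing during install.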
Disclaimer: The content provided on Phemex News is for informational purposes only. We do not guarantee the quality, accuracy, or completeness of the information sourced from third-party articles. The content on this page does not constitute financial or investment advice. We strongly encourage you to conduct your own research and consult with a qualified financial advisor before making any investment decisions.