NPM Supply Chain Attack Detected: Malicious Version of Popular Package Released
#NPM #SupplyChainAttack #tinycolor #TruffleHog #MaliciousPackage #PostInstall #InformationStealing #SecurityAlert #LockVersion #Update #SafeVersion
According to PANews, Scam Sniffer has detected a new attack on the NPM supply chain. The package @ctrl/tinycolor, which receives 2.2 million weekly downloads, released a malicious version. That version runs an information-stealing payload from npm's postinstall script, scanning the host for sensitive data and exfiltrating it. The payload abuses TruffleHog, a legitimate secret-scanning tool, to locate credentials. Users are advised to check whether they have installed the affected version, halt installation and update operations until they have, and pin the package to a known safe version.
HashDit Alerts on NPM Supply Chain Attack Involving Malicious Package
#HashDit #NPM #SupplyChainAttack #MaliciousPackage #CtrlTinycolor #Web3Security #DependencyManagement #SecurityAlert
The Web3 security firm HashDit stated on X: "Another NPM supply chain attack involving the package '@ctrl/tinycolor' has been identified, with malicious versions being distributed." The package, which receives 2.2 million weekly downloads, was compromised to execute unauthorized scripts at install time. Users are advised to review their dependencies and confirm they are on secure versions to prevent potential breaches.
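Both alerts above tell users to check whether the affected package is installed and to pin a safe version. The script below is an added example (it is not code from PANews, HashDit, Scam Sniffer or the tinycolor project) showing how to audit a package-lock.json (lockfile v2/v3 layout) for every installed copy of @ctrl/tinycolor, including nested copies under other dependencies, and for any package whose lockfile entry declares an install script, which is where a postinstall stealer would run. The affected version numbers are not given on this page, so `KNOWN_BAD_VERSIONS` holds a placeholder; the sample lockfile is constructed for the demo.

```javascript
// Added example: audit an npm lockfile for a suspect package and for
// install-script-bearing dependencies. Not the vendor's or project's code.
const SUSPECT_PACKAGE = '@ctrl/tinycolor';
// PLACEHOLDER: fill in the versions named by the advisory you trust.
const KNOWN_BAD_VERSIONS = ['0.0.0-PLACEHOLDER-BAD'];

// Constructed sample in package-lock.json v3 shape (not a real lockfile).
// "hasInstallScript" is what npm writes when a package has
// preinstall/install/postinstall scripts.
const sampleLock = {
  name: 'demo-app',
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', dependencies: { '@ctrl/tinycolor': '^4.0.0', 'left-pad': '^1.3.0' } },
    'node_modules/@ctrl/tinycolor': { version: '0.0.0-PLACEHOLDER-BAD', hasInstallScript: true },
    'node_modules/left-pad': { version: '1.3.0' },
    // Nested copy pulled in transitively by another dependency.
    'node_modules/some-dep/node_modules/@ctrl/tinycolor': { version: '4.1.0' },
  },
};

// Lockfile keys are install paths; the package name is whatever follows
// the last "node_modules/" segment (scoped names keep their "@scope/").
function nameFromLockKey(key) {
  const marker = 'node_modules/';
  const idx = key.lastIndexOf(marker);
  return idx === -1 ? null : key.slice(idx + marker.length);
}

// Every installed copy of `name`, with its path, version and script flag.
function findPackage(lock, name) {
  return Object.entries(lock.packages || {})
    .filter(([key]) => nameFromLockKey(key) === name)
    .map(([key, entry]) => ({
      path: key,
      version: entry.version,
      hasInstallScript: entry.hasInstallScript === true,
    }));
}

// All packages that will run a script during `npm install`.
function packagesWithInstallScripts(lock) {
  return Object.entries(lock.packages || {})
    .filter(([, entry]) => entry.hasInstallScript === true)
    .map(([key, entry]) => ({ name: nameFromLockKey(key), version: entry.version }));
}

// Verdict: 'bad' if any copy is a known-bad version, 'review' if the
// package is present with an install script but its version is not on the
// list (an unlisted version is not proof of safety), 'clean' otherwise.
function audit(lock, name, badVersions) {
  const copies = findPackage(lock, name);
  if (copies.some((c) => badVersions.includes(c.version))) return 'bad';
  if (copies.some((c) => c.hasInstallScript)) return 'review';
  return 'clean';
}

// Stand-alone use: `node audit-lock.js ./package-lock.json`; with no
// argument the constructed sample is audited instead.
if (typeof require !== 'undefined' && require.main === module) {
  const fs = require('fs');
  const file = process.argv[2];
  const lock = file && file.endsWith('.json')
    ? JSON.parse(fs.readFileSync(file, 'utf8'))
    : sampleLock;
  console.log('copies of', SUSPECT_PACKAGE, findPackage(lock, SUSPECT_PACKAGE));
  console.log('packages with install scripts', packagesWithInstallScripts(lock));
  console.log('verdict:', audit(lock, SUSPECT_PACKAGE, KNOWN_BAD_VERSIONS));
}
```

A 'bad' or 'review' verdict is the cue to stop installs and pin the dependency to a safe version with an exact specifier in package.json (no `^` or `~` range) and a committed lockfile. Running `npm install --ignore-scripts` (or `npm config set ignore-scripts true`) prevents any postinstall script from executing while you investigate, and `npm ls @ctrl/tinycolor` cross-checks the lockfile findings against what is actually on disk.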