NPM users hit again: Advanced supply chain attack infiltrates over 40 packages
Just a week after a major NPM hack that targeted crypto users, cybersecurity researchers have detected another ongoing attack.
Researchers at Socket, a cybersecurity firm specializing in protection against supply chain attacks, and crypto security specialist Scam Sniffer both sounded alarms today, warning that the popular tinycolor NPM package has been compromised, affecting more than 40 packages spanning multiple maintainers.
"A lot of people were compromised. Look into everything that has a new version on NPM but not on GitHub releases. For now, just check if you have weird repos/branches that were created in the last 24 hours," Daniel Pereira, a senior backend software engineer at software developer Loka, said. Periera was the first to discover the attack.
According to Socket, the compromised versions of the package include a function that downloads a package tarball, modifies package.json, injects a local script, repacks the archive, and republishes it, enabling automatic trojanization of downstream packages.
"This is one of the more advanced attacks we’ve seen recently. It targets developers’ machines, CI/CD pipelines, and cloud infra," Feross Aboukhadijeh, the founder of the company, said.
He urged developers to uninstall or pin to safe versions, rotate exposed tokens, and audit their environments for suspicious publishes.
Socket says it's still analyzing the malicious payload and its distribution method.
"While Tinycolor is the most visible package, with 2.2 million weekly downloads on NPM, it did not originate these compromises, but is one package among dozens trojanized in this active campaign," they added.
Meanwhile, the previous major NPM attack flagged last week seems to have flopped, only netting around $1,100. The latest stolen crypto assets were sent to the attackers’ wallet a week ago, per Arkham Intelligence data.
Unlock more exclusive Cybernews content on YouTube.
