Massive NPM Supply Chain Breach – ctrl/tinycolor (2M weekly downloads) and 40+ Packages Infected
The attack represents a dangerous evolution in supply chain threats, featuring a self-propagating mechanism that automatically infects downstream packages and creates cascading compromises throughout the ecosystem.
The malicious versions 4.1.1 and 4.1.2 of @ctrl/tinycolor were published to NPM before being detected by community member @franky47, who reported the incident through a GitHub issue.
Socket.dev subsequently provided a detailed technical analysis revealing the attack’s sophisticated nature and far-reaching impact across the JavaScript package ecosystem.
What distinguishes this attack is its advanced self-propagation engine, which uses a function named NpmModule.updatePackage to spread to other packages without manual intervention.
The malware operates through a sophisticated multi-stage attack chain that begins with credential harvesting using a repurposed version of TruffleHog, a legitimate secrets scanning tool.
The attack explicitly targets NPM authentication tokens, GitHub personal access tokens, AWS access keys, Google Cloud Platform service credentials, Azure credentials, and cloud metadata endpoints.
All harvested credentials are exfiltrated to a remote webhook endpoint at webhook.site/bb8ca5f6-4175-45d2-b042-fc9ebb8170b7.
To maintain persistence, the malware creates a malicious GitHub Actions workflow file .github/workflows/shai-hulud-workflow.yml that can be triggered to re-infect repositories or exfiltrate additional sensitive data from compromised environments.
The attack affected numerous packages beyond @ctrl/tinycolor, including angular2 (14.1.2), multiple packages in the @ctrl namespace such as @ctrl/deluge, @ctrl/golang-template, and @ctrl/magnet-link, as well as various @nativescript-community packages and popular libraries like ngx-color, ngx-toastr, and koa2-swagger-ui.
Security researchers have identified key indicators of compromise, including a malicious bundle.js file with a SHA-256 hash 46faab8ab153fae6e80e7cca38eab363075bb524edd79e42269217a083628f09, the suspicious NpmModule.updatePackage function calls, and the presence of the malicious workflow file.
Organizations using affected packages should immediately remove the affected versions or downgrade to known-safe versions, rotate all NPM tokens, GitHub credentials, and cloud service keys, and audit their infrastructure for unauthorized modifications.
The compromised packages have been removed from NPM; however, the incident underscores the critical need for enhanced supply chain security measures, including package cooldown periods and runtime monitoring solutions.
This attack demonstrates the evolving sophistication of supply chain threats. It underscores the importance of implementing comprehensive security controls to protect against automated propagation mechanisms that can rapidly compromise entire dependency ecosystems.
The post Massive NPM Supply Chain Breach – ctrl/tinycolor (2M weekly downloads) and 40+ Packages Infected appeared first on Cyber Security News.