Massive Supply Chain Attack Hijacks ctrl/tinycolor With 2 Million Downloads and Other 40 NPM Packages
@ctrl/tinycolor package, which is downloaded over 2 million times per week. The attack also affected more than 40 other packages from various maintainers, introducing a dangerous self-propagating malware designed to steal developer credentials and spread itself across the software landscape.
The incident came to light after users discovered suspicious activity on GitHub and promptly alerted the open-source community.
The malicious versions, identified as 4.1.1 and 4.1.2 of @ctrl/tinycolor, were quickly removed from the NPM registry, but not before they were distributed.
Security analysts from StepSecurity later provided a detailed technical breakdown of the attack, confirming its severity and unique propagation method.
What sets this attack apart is its automated, worm-like behavior. The malware contains a “self-propagation engine” that actively seeks out and infects other software packages.
Once a developer’s machine is compromised, the malware uses a function named NpmModule.updatePackage to inject its malicious code into other projects maintained by the same author.
This creates a cascading effect, allowing the threat to spread rapidly through the interconnected web of software dependencies without further manual intervention from the attackers.
The primary goal of the malware is aggressive credential harvesting. The attackers repurposed a legitimate secret-scanning tool, TruffleHog, to hunt for sensitive information on compromised systems. It specifically targets a wide range of valuable developer secrets, including:
To ensure its persistence, the malware creates a malicious GitHub Actions workflow file named .github/workflows/shai-hulud-workflow.yml.
This file allows the attackers to maintain access to compromised repositories, potentially re-infecting them or exfiltrating more data over time. All stolen data was funneled to a publicly exposed endpoint on the webhook.site service.
In response to this critical threat, security experts are urging developers and organizations to take immediate action.
The first step is to check all projects for the presence of the compromised packages and their malicious versions. If found, they should be removed or downgraded to a safe version immediately.
Given the malware’s extensive credential-stealing capabilities, rotating all potentially exposed secrets is crucial. This includes NPM tokens, GitHub access tokens, and all cloud provider credentials (AWS, Azure, GCP) that may have been present on development or CI/CD systems.
Finally, a thorough audit of infrastructure is recommended. Developers should scan their repositories for the malicious shai-hulud-workflow.yml file, review recent NPM publishing activity for any unauthorized package releases, and monitor outbound network traffic for any connections to the known exfiltration endpoint.
Based on the information provided, here is a list of the compromised packages and their affected versions.
| Affected Package | Malicious Version(s) |
|---|---|
| @ctrl/tinycolor | 4.1.1, 4.1.2 |
| @ctrl/deluge | 7.2.2 |
| angulartics2 | 14.1.2 |
| @ctrl/golang-template | 1.4.3 |
| @ctrl/magnet-link | 4.0.4 |
| @ctrl/ngx-codemirror | 7.0.2 |
| @ctrl/ngx-csv | 6.0.2 |
| @ctrl/ngx-emoji-mart | 9.2.2 |
| @ctrl/ngx-rightclick | 4.0.2 |
| @ctrl/qbittorrent | 9.7.2 |
| @ctrl/react-adsense | 2.0.2 |
| @ctrl/shared-torrent | 6.3.2 |
| @ctrl/torrent-file | 4.1.2 |
| @ctrl/transmission | 7.3.1 |
| @ctrl/ts-base32 | 4.0.2 |
| encounter-playground | 0.0.5 |
| json-rules-engine-simplified | 0.2.4 |
| @nativescript-community/gesturehandler | 2.0.35 |
| @nativescript-community/sentry | 4.6.43 |
| @nativescript-community/text | 1.6.13 |
| @nativescript-community/ui-collectionview | 6.0.6 |
| @nativescript-community/ui-drawer | 0.1.30 |
| @nativescript-community/ui-image | 4.5.6 |
| @nativescript-community/ui-material-bottomsheet | 7.2.72 |
| @nativescript-community/ui-material-core | 7.2.76 |
| @nativescript-community/ui-material-core-tabs | 7.2.76 |
| ngx-color | 10.0.2 |
| ngx-toastr | 1.9.0.2 |
| ngx-trend | 8.0.1 |
| react-complaint-image | 0.0.35 |
| react-jsonschema-form-conditionals | 0.3.21 |
| react-jsonschema-form-extras | 1.0.4 |
| rxnt-authentication | 0.0.6 |
| rxnt-healthchecks-nestjs | 1.0.5 |
| rxnt-kue | 1.0.7 |
| swc-plugin-component-annotate | 1.9.2 |
| ts-gaussian | 3.0.6 |
Free live webinar on new malware tactics from our analysts! Learn advanced detection techniques -> Register for Free
The post Massive Supply Chain Attack Hijacks ctrl/tinycolor With 2 Million Downloads and Other 40 NPM Packages appeared first on Cyber Security News.
INDIANAPOLIS (WOWO) — The Indiana Criminal Justice Institute (ICJI) is teaming up with Indiana State…
FORT WAYNE, Ind. (WOWO) — Families of children with physical and mental disabilities often face…
The sequel to Stellar Blade will not be published by PlayStation, developer Shift Up has…
Michael Pennington — better known to Star Wars fans as Return of the Jedi's Moff…
50 Years Ago An early morning trash fire that may have been set by four…
Editor’s note: This is the second of two parts. “In happy moments one realizes that…
This website uses cookies.