
Posts by Bryce Boe

Popular Tinycolor npm Package Compromised in Supply Chain At... Malicious update to @ctrl/tinycolor on npm is part of a supply-chain attack hitting 40+ packages across maintainers

🚨 Malicious update to @ctrl/tinycolor on npm is part of an active supply chain attack hitting 40+ packages across multiple maintainers. Audit & remove affected versions.

Our analysis of the malware: socket.dev/blog/tinycol... #NodeJS #JavaScript

7 months ago 30 20 0 14

Honestly serious: JUST DON'T UPDATE PACKAGES RIGHT NOW.

It is unclear to me yet, but this is looking pretty widespread. Better be safe than sorry, just go touch some grass.

7 months ago 73 39 4 6
scttcper - Packages - Socket Socket fights vulnerabilities and provides visibility, defense-in-depth, and proactive supply chain protection for JavaScript, Python, and Go dependencies.

Oh, and all of these. socket.dev/npm/user/sct...

7 months ago 1 1 1 0
farfromrefuge - Packages - Socket Socket fights vulnerabilities and provides visibility, defense-in-depth, and proactive supply chain protection for JavaScript, Python, and Go dependencies.

These are likely all compromised as well: socket.dev/npm/user/far...

7 months ago 0 1 1 0

Do not update to @ctrl/tinycolor@4.1.2. It has malware that is currently live on npm.

7 months ago 19 4 1 1

Thanks!

2 years ago 0 0 0 0

I'm excited to finally be on #bluesky. Now I need to curate my feeds.

2 years ago 5 0 1 0