Subj : Another npm supply-chain attack
To   : All
From : LWN.net
Date : Wed Sep 17 2025 06:40:08

The Socket.dev blog describes
this week's attack on JavaScript packages in the npm repository.

A malicious update to @ctrl/tinycolor (2.2M weekly
	downloads) was detected on npm as part of a broader supply chain
	attack that impacted more than 40 packages spanning multiple
	maintainers.

The compromised versions include a function
	(NpmModule.updatePackage) that downloads a package
	tarball, modifies package.json, injects a local script
	(bundle.js), repacks the archive, and republishes it,
	enabling automatic trojanization of downstream packages.

There is some more information in this
Krebs on Security article.

https://lwn.net/Articles/1038326/
--- SBBSecho 3.29-Linux
 * Origin: Palantir * palantirbbs.ddns.net * Pensacola, FL * (86:200/23)

.