The NPM package "@ctrl/tinycolor", which has been downloaded 2.2 million times per week, was attacked by a supply chain attack containing a malicious information stealer.

Source: odaily2 hour ago

According to a Scam Sniffer warning, the NPM package "@ctrl/tinycolor," with 2.2 million weekly downloads, has been infected with a malicious version. This stealer runs during the npm postinstall process and uses the legitimate tool TruffleHog to scan and exfiltrate sensitive data. Approximately 40 dependent packages have been affected. Users are advised to immediately check whether they have installed the affected version, suspend updates, and lock in a secure version.

Bullish

Bearish

Popular Exchanges

MEXC

$26,561,340,329

12.52%

Coinbase

$2,281,419,416

76.81%

OKX

$37,681,087,468

40.81%

Binance

$104,292,799,178

29.49%

KuCoin

$3,538,601,718

27.71%

HTX

$6,889,867,723

16.37%