MacMusic  |  PcMusic  |  440 Software  |  440 Forums  |  440TV  |  Zicos
npm
Search

Another npm supply-chain attack

Tuesday September 16, 2025. 03:51 PM , from LWN.net
The Socket.dev blog describes
this week's attack on JavaScript packages in the npm repository.

A malicious update to @ctrl/tinycolor (2.2M weekly
downloads) was detected on npm as part of a broader supply chain
attack that impacted more than 40 packages spanning multiple
maintainers.

The compromised versions include a function
(NpmModule.updatePackage) that downloads a package
tarball, modifies package.json, injects a local script
(bundle.js), repacks the archive, and republishes it,
enabling automatic trojanization of downstream packages.

There is some more information in this
Krebs on Security article.
Read more at LWN.net
https://lwn.net/Articles/1038326/

Related News

npm Self-propagating worm fuels latest npm supply chain compromise TheRegisterSep 16
attack Jaguar Land Rover supply chain workers must get Covid-style support, says union TheRegisterSep 15
packages 1,200 undergrads hung out to dry after jailbreak attack on laundry machines TheRegisterSep 12
downloads Beijing went to 'EggStreme' lengths to attack Philippines military, researchers say TheRegisterSep 11
another More packages poisoned in npm attack, but would-be crypto thieves left pocket change TheRegisterSep 9
package Jaguar Land Rover Extends Shutdown After Cyber Attack SlashdotSep 8
supply-chain Drift massive attack traced back to loose Salesloft GitHub account TheRegisterSep 8
npm Hackers Hijack npm Packages With 2 Billion Weekly Downloads in Supply Chain Attack SlashdotSep 8
attack CISA sounds alarm over TP-Link wireless routers under attack TheRegisterSep 8
packages Supermarket Giant Tesco Sues VMware, Warns Lack of Support Could Disrupt Food Supply SlashdotSep 3
downloads Trump launches attack on offshore wind BoingBoingSep 3
another Cloudflare Stops New World's Largest DDoS Attack Over Labor Day Weekend SlashdotSep 3
package Supermarket giant Tesco sues VMware, warns lack of support could disrupt food supply TheRegisterSep 3
supply-chain WhatsApp warns of 'attack against specific targeted users' TheRegisterSep 1
npm Beta Blockers for Heart Attack Survivors: May Have No Benefit for Most, Could Actually Harm Women SlashdotAug 31
attack Wave of npm supply chain attacks exposes thousands of enterprise developer credentials InfoWorldAug 28
packages Nx NPM packages poisoned in AI-assisted supply chain attack TheRegisterAug 27
downloads Google issued ‘State-backed attack in progress’ warnings after spotting web hijack scheme TheRegisterAug 27
another "Always fight back": Canadian man punches cougar in face to escape attack BoingBoingAug 27
package ZipLine attack uses 'Contact Us' forms, White House butler pic to invade sensitive industries TheRegisterAug 26
News copyright owned by their original publishers | Copyright © 2004 - 2025 Zicos / 440Network
Current Date
Sep, Wed 17 - 00:18 CEST