MacMusic  |  PcMusic  |  440 Software  |  440 Forums  |  440TV  |  Zicos
npm
Search

Another npm supply-chain attack

Tuesday September 16, 2025. 03:51 PM , from LWN.net
The Socket.dev blog describes
this week's attack on JavaScript packages in the npm repository.

A malicious update to @ctrl/tinycolor (2.2M weekly
downloads) was detected on npm as part of a broader supply chain
attack that impacted more than 40 packages spanning multiple
maintainers.

The compromised versions include a function
(NpmModule.updatePackage) that downloads a package
tarball, modifies package.json, injects a local script
(bundle.js), repacks the archive, and republishes it,
enabling automatic trojanization of downstream packages.

There is some more information in this
Krebs on Security article.
Read more at LWN.net
https://lwn.net/Articles/1038326/

Related News

npm Volvo North America confirms staff data stolen following ransomware attack on IT supplier TheRegisterSep 26
attack DDoS attack volumes surge 41 percent as threats rapidly evolve BetaNewsSep 25
packages Tech investment is needed to fight geopolitical risk to supply chains BetaNewsSep 25
downloads Zero-day deja vu as another Cisco IOS bug comes under attack TheRegisterSep 25
another Record-Breaking DDoS Attack Peaks At 22 Tbps and 10 Bpps SlashdotSep 25
package This AI-Powered Robot Keeps Going Even if You Attack It With a Chainsaw Wired: Tech.Sep 24
supply-chain Jaguar Land Rover Hack 'Has Cost 30,000 Cars and Threatens Supply Chain' SlashdotSep 24
npm New attack tactics look to bypass MFA and target security blindspots BetaNewsSep 23
attack Cops cuff another teen over alleged Scattered Spider attack that broke Vegas casinos TheRegisterSep 22
packages NPM attacks and the security of software supply chains InfoWorldSep 22
downloads A Cyberattack on Jaguar Land Rover Is Causing a Supply Chain Disaster Wired: Tech.Sep 22
another Ransomware attack linked to museum break-in and theft of golden exhibits TheRegisterSep 22
package Secure Software Supply Chains, Urges Former Go Lead Russ Cox SlashdotSep 21
supply-chain Internal chaos after a cyberattack causes more damage than the attack itself BetaNewsSep 19
npm Two Scattered Spider teens charged over attack on London’s transport network TheRegisterSep 18
attack Ruh-roh. DDR5 memory vulnerable to new Rowhammer attack TheRegisterSep 17
packages Self-propagating worm fuels latest npm supply chain compromise TheRegisterSep 16
downloads Jaguar Land Rover supply chain workers must get Covid-style support, says union TheRegisterSep 15
another 1,200 undergrads hung out to dry after jailbreak attack on laundry machines TheRegisterSep 12
package Beijing went to 'EggStreme' lengths to attack Philippines military, researchers say TheRegisterSep 11
News copyright owned by their original publishers | Copyright © 2004 - 2025 Zicos / 440Network
Current Date
Oct, Fri 31 - 23:25 CET