Socket (and affected downstream npm package maintainers/developers)

A sophisticated supply-chain attack targeted the npm ecosystem via a malicious update to the widely used @ctrl/tinycolor package (TinyColor), which was trojanized to steal developer credentials, GitHub/npm tokens, cloud secrets, and other sensitive data. The compromised version automatically executed hidden code upon installation, exfiltrating the stolen information to an external server controlled by the attackers. The attack propagated to over 40 downstream packages, amplifying its reach due to TinyColor’s 2+ million weekly downloads.

The breach exposed developers’ machines, CI/CD pipelines, and cloud infrastructure, with experts warning of potential long-term compromise if credentials were not rotated. Socket’s team detected the attack, but the scale suggests many developers may have unknowingly integrated the malware. This incident follows another major npm supply-chain attack just 7 days prior, in which 18 packages (with 2B+ weekly downloads) were similarly compromised.

Victims face risks of unauthorized access to repositories, cloud environments, and proprietary code, with potential downstream exploits in production systems. The attack underscores vulnerabilities in open-source supply chains, where trusted packages can become vectors for large-scale credential theft and infrastructure hijacking.

Source: https://cyberinsider.com/second-major-npm-supply-chain-breach-hits-tinycolor-and-40-packages/

TPRM report: https://www.rankiteo.com/company/socket-protocol

"id": "soc2293322091625",
"linkid": "socket-protocol",
"type": "Cyber Attack",
"date": "5/2025",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"
{'affected_entities': [{'customers_affected': '2+ million weekly downloads '
                                              '(TinyColor); 40+ downstream '
                                              'packages',
                        'industry': 'software development',
                        'location': 'global',
                        'name': 'npm (Node Package Manager) ecosystem',
                        'type': 'package registry'},
                       {'industry': 'software development',
                        'location': 'global',
                        'name': 'Developers using TinyColor or downstream '
                                'packages',
                        'type': 'individuals/organizations'}],
 'attack_vector': ['compromised npm package',
                   'malicious dependency update',
                   'automated secret harvesting'],
 'customer_advisories': ['Uninstall @ctrl/tinycolor and downstream packages; '
                         'check for compromise'],
 'data_breach': {'data_exfiltration': True,
                 'file_types_exposed': ['environment variables',
                                        'configuration files',
                                        'token storage'],
                 'personally_identifiable_information': ['potentially (if '
                                                         'tokens linked to '
                                                         'personal accounts)'],
                 'sensitivity_of_data': 'high',
                 'type_of_data_compromised': ['authentication tokens',
                                              'cloud credentials',
                                              'developer secrets']},
 'date_detected': '2025-09-15',
 'date_publicly_disclosed': '2025-09-15',
 'description': 'A malicious update to the popular npm package TinyColor '
                'triggered a supply-chain attack that spread to over 40 other '
                'projects, exposing developers to credential-stealing malware. '
                'The compromised version of TinyColor contained hidden code '
                'designed to automatically search for sensitive data (e.g., '
                'GitHub, npm tokens, cloud credentials) and exfiltrate it to '
                'an external server. The attack targeted developers’ machines, '
                'CI/CD pipelines, and cloud infrastructure, with TinyColor’s '
                '2+ million weekly downloads amplifying its reach. Over 40 '
                'downstream npm packages were silently modified, raising '
                'concerns about widespread compromise. This is the second '
                'major npm supply-chain attack in under 10 days, following an '
                'incident on September 8, 2025, affecting 18 packages with 2+ '
                'billion weekly downloads.',
 'impact': {'brand_reputation_impact': ['erosion of trust in npm ecosystem',
                                        'concerns over open-source security'],
            'data_compromised': ['GitHub tokens',
                                 'npm tokens',
                                 'cloud credentials',
                                 'developer secrets'],
            'identity_theft_risk': ['high (for developers with exposed '
                                    'credentials)'],
            'operational_impact': ['compromised build environments',
                                   'potential unauthorized access to '
                                   'repositories/cloud services'],
            'systems_affected': ['developer machines',
                                 'CI/CD pipelines',
                                 'cloud infrastructure']},
 'initial_access_broker': {'backdoors_established': ['hidden code in package '
                                                     'to exfiltrate secrets'],
                           'entry_point': 'malicious update to @ctrl/tinycolor '
                                          'npm package',
                           'high_value_targets': ['developer machines',
                                                  'CI/CD pipelines',
                                                  'cloud credentials']},
 'investigation_status': 'ongoing (detailed report pending from Socket)',
 'lessons_learned': ['Open-source dependencies require rigorous integrity '
                     'checks.',
                     'Automated CI/CD pipelines are high-value targets for '
                     'credential theft.',
                     'Supply-chain attacks can rapidly propagate through '
                     'transitive dependencies.',
                     'Proactive monitoring (e.g., Socket) is critical for '
                     'early detection.'],
 'motivation': ['credential theft',
                'supply-chain compromise',
                'potential follow-on attacks (e.g., cloud infrastructure '
                'hijacking)'],
 'post_incident_analysis': {'root_causes': ['Lack of package integrity '
                                            'verification in npm ecosystem.',
                                            'Over-reliance on automated '
                                            'dependency updates without '
                                            'scrutiny.',
                                            'High trust in popular open-source '
                                            'packages (e.g., TinyColor’s 2M+ '
                                            'weekly downloads).',
                                            'Insufficient isolation of build '
                                            'environments.']},
 'recommendations': ['Implement package signing and verification (e.g., npm '
                     'provenance).',
                     'Use tools like Socket or Dependabot to detect malicious '
                     'dependencies.',
                     'Enforce least-privilege access for CI/CD pipelines and '
                     'cloud credentials.',
                     'Regularly audit dependencies for suspicious changes.',
                     'Rotate credentials periodically and after suspected '
                     'exposures.',
                     'Isolate build environments to limit blast radius.'],
 'references': [{'date_accessed': '2025-09-15',
                 'source': 'Socket (via Feross Aboukhadijeh on X/Twitter)',
                 'url': 'https://x.com/feross/status/[redacted]'},
                {'source': 'Socket Blog (upcoming report)'}],
 'response': {'communication_strategy': ['public advisory via social media '
                                         '(X/Twitter)',
                                         'detailed report pending from Socket'],
              'containment_measures': ['uninstall/roll back affected packages',
                                       'rotate exposed credentials'],
              'enhanced_monitoring': ['recommended for affected systems'],
              'incident_response_plan_activated': True,
              'remediation_measures': ['system audits for signs of compromise',
                                       'dependency integrity checks'],
              'third_party_assistance': ['Socket (detection and analysis)']},
 'stakeholder_advisories': ['Developers urged to audit systems and rotate '
                            'credentials'],
 'title': 'Supply-Chain Attack via Compromised npm Package TinyColor Exposes '
          'Developers to Credential-Stealing Malware',
 'type': ['supply-chain attack', 'malware injection', 'credential theft'],
 'vulnerability_exploited': ['trust in open-source dependencies',
                             'lack of package integrity verification',
                             'automated CI/CD pipeline execution']}