
Shai-Hulud malware attack: Tinycolor and over 40 NPM packages compromised


The popular @ctrl/tinycolor package with over 2 million weekly downloads has been compromised alongside 40+ other NPM packages in a sophisticated supply chain attack. The malware self-propagates across maintainer packages, harvests AWS/GCP/Azure credentials using TruffleHog, and establishes persistence through GitHub Actions backdoors - representing a major escalation in NPM ecosystem threats.

This attack demonstrates a concerning evolution in supply chain threats: the malware includes a self-propagating mechanism that automatically infects other packages owned by the compromised maintainer, creating a cascading compromise across the ecosystem. The attack employs several evasion techniques, including silent error handling (errors swallowed in empty catch {} blocks), no logging output, and disguising the TruffleHog execution as a legitimate "security scan." By implementing Artifact Monitor, organizations can catch supply chain compromises within minutes rather than hours or days, significantly reducing the window of exposure to malicious packages.
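The practical defender response to a compromise like this is to check every lockfile in the organization against the list of affected package versions as soon as it is published. The script below is an added example written for this article, not code from the article, from any vendor tool, or from the @ctrl/tinycolor project; it walks an npm package-lock.json (both the v2/v3 "packages" layout and the legacy v1 nested tree) and reports any dependency that matches a denylist. The denylist and the sample lockfile are constructed for illustration: only @ctrl/tinycolor is named on the page, so its version string is a labelled placeholder rather than a real indicator, and example-compromised-pkg is hypothetical.

```python
"""Scan an npm package-lock.json for known-compromised packages.

Added example, not code from the original article or any vendor tool.
The denylist below is CONSTRUCTED: only @ctrl/tinycolor is named on the
page, and "PLACEHOLDER_VERSION" stands in for the real affected versions,
which must be taken from an authoritative advisory.
"""
import json
from typing import Iterable

# Constructed denylist: package name -> set of versions flagged as malicious.
# "*" means every version of that package is treated as suspect.
COMPROMISED = {
    "@ctrl/tinycolor": {"PLACEHOLDER_VERSION"},      # placeholder, not a real IoC
    "example-compromised-pkg": {"*"},                 # hypothetical package
}


def iter_lock_packages(lock: dict) -> Iterable[tuple[str, str]]:
    """Yield (name, version) for every installed package in a lockfile.

    Handles lockfileVersion 2/3 ("packages" keyed by node_modules path)
    and the legacy v1 nested "dependencies" tree.
    """
    packages = lock.get("packages")
    if packages is not None:
        for path, meta in packages.items():
            if not path:  # "" is the root project itself, not a dependency
                continue
            # Take the segment after the last "node_modules/", which also
            # handles nested installs such as a/node_modules/@scope/b.
            name = path.rsplit("node_modules/", 1)[-1]
            yield name, meta.get("version", "")
        return

    def walk(deps: dict):
        for name, meta in deps.items():
            yield name, meta.get("version", "")
            yield from walk(meta.get("dependencies", {}))

    yield from walk(lock.get("dependencies", {}))


def find_compromised(lock: dict, denylist=COMPROMISED) -> list[tuple[str, str]]:
    """Return (name, version) pairs in the lockfile that match the denylist."""
    hits = []
    for name, version in iter_lock_packages(lock):
        bad_versions = denylist.get(name)
        if bad_versions and ("*" in bad_versions or version in bad_versions):
            hits.append((name, version))
    return hits


# Constructed sample lockfile (v3 layout): one nested hit, one clean
# top-level copy of the same package at an unaffected version.
SAMPLE_LOCK = json.loads("""
{
  "lockfileVersion": 3,
  "packages": {
    "": {"name": "demo-app", "version": "1.0.0"},
    "node_modules/lodash": {"version": "4.17.21"},
    "node_modules/some-cli/node_modules/@ctrl/tinycolor": {"version": "PLACEHOLDER_VERSION"},
    "node_modules/@ctrl/tinycolor": {"version": "3.0.0"}
  }
}
""")

if __name__ == "__main__":
    for name, version in find_compromised(SAMPLE_LOCK):
        print(f"COMPROMISED: {name}@{version}")
```

Because nested installs are common in npm trees, the scanner deliberately matches on the path segment after the last node_modules/ rather than on top-level names only; a compromised copy pulled in transitively by a tool dependency is the case most likely to be missed by a quick look at package.json.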


Related news:


Active NPM supply chain attack: Tinycolor and 40 Packages Compromised


More packages poisoned in npm attack, but would-be crypto thieves left pocket change


Survey Finds More Python Developers Like PostgreSQL, AI Coding Agents - and Rust for Packages