TL;DR: A malicious GitHub Actions workflow was pushed to a shared repo and exfiltrated an npm token with broad publish rights. The attacker then used that token to publish malicious versions of 20 packages, including @ctrl/tinycolor. My GitHub account and the @ctrl/tinycolor repository were not directly compromised. There was no phishing involved, and no malicious packages were installed on my machine
Minor Changes. New setting for delayed dependency updates. There have been several incidents recently where popular packages were successfully attacked. To reduce the risk of installing a compromised version, we are introducing a new setting that delays the installation of newly released dependencies. In most cases, such attacks are discovered quickly and the malicious versions are removed from th
Executive Summary: The NPM ecosystem is facing another critical supply chain attack. The popular @ctrl/tinycolor package, which receives over 2 million weekly downloads, has been compromised along with more than 40 other packages across multiple maintainers. This attack demonstrates a concerning evolution in supply chain threats - the malware includes a self-propagating mechanism that automatically
A lot of blogs on this are AI generated and such as this is developing, so just linking to a bunch of resources out there: Socket: - Sep 15 (First post on breach): https://socket.dev/blog/tinycolor-supply-chain-attack-affect... - Sep 16: https://socket.dev/blog/ongoing-supply-chain-attack-targets-... StepSecurity – https://www.stepsecurity.io/blog/ctrl-tinycolor-and-40-npm-p... Aikido - https://www