430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Hackers Steal Data of 4.38 Million Aflac Japan Customers|Apple Fixes WebKit Flaws in iOS and macOS, With Help From AI Tools|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Hackers Steal Data of 4.38 Million Aflac Japan Customers|Apple Fixes WebKit Flaws in iOS and macOS, With Help From AI Tools|
Advertisement

Ad Placeholder

Full Width × 90

Breaking News

New supply chain attack hits npm registry, compromising 40+ packages

Researchers uncovered a new supply chain attack targeting the npm registry that impacted over 40 packages belonging to multiple maintainers. Security researchers at Socket uncovered a malicious update to @ctrl/tinycolor, a package with 2.2M weekly downloads on npm. While investigating the case, they discovered it was linked to a larger supply chain attack that compromised […]

axios npm Package Contagious Interview campaign NPM

Researchers uncovered a new supply chain attack targeting the npm registry that impacted over 40 packages belonging to multiple maintainers.

Security researchers at Socket uncovered a malicious update to @ctrl/tinycolor, a package with 2.2M weekly downloads on npm. While investigating the case, they discovered it was linked to a larger supply chain attack that compromised over 40 packages from multiple maintainers. The rogue code added a function that tampered with package.json, injected a local script, and republished altered tarballs, automatically trojanizing downstream projects.

The researcher Daniel dos Santos Pereira first spotted suspicious behavior, and Socket’s detection flagged dozens of related threats. Tinycolor drew attention due to its popularity, but it was only one target in a broad campaign still under investigation.

npm Package Compromised in Supply Chain Attack

Socket published the list of packages and versions compromised in the supply chain attack.

The malicious bundle.js downloads the legitimate secret scanner TruffleHog, profiles the host, and then scans files and repos for tokens and cloud credentials. It validates and reuses developer/cloud credentials, drops a GitHub Actions workflow using any available PAT, and exfiltrates findings (base64) to a hardcoded webhook. The script fetches platform-specific TruffleHog binaries, executes them locally, and automates secret theft and repository compromise.

The script scans hosts and repos for environment secrets (e.g., GITHUB_TOKEN, NPM_TOKEN, AWS keys). The malicious code verifies npm tokens via the whoami endpoint before calling GitHub APIs when a token exists. It probes cloud metadata endpoints (AWS/GCP) to harvest short-lived credentials from build agents. The malware also plants a GitHub Actions workflow in repositories, so future CI runs can exfiltrate secrets and artifacts.

“The workflow that it writes to repositories persists beyond the initial host. Once committed, any future CI run can trigger the exfiltration step from within the pipeline where sensitive secrets and artifacts are available by design.” concludes Socket’s report.

The researchers also published Indicators of Compromise for this attack.

Socket recommends developers uninstalling or pinning safe versions, auditing developer and CI/CD environments, rotating npm tokens and exposed secrets, and monitoring logs for unusual npm activity.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, supply chain attack)