New Supply Chain Attack Hits npm Registry, Compromising 40+ Packages

Security researchers at Socket have uncovered a new supply chain attack on the npm registry that compromised more than 40 packages belonging to multiple maintainers. The malicious update was found in the popular @ctrl/tinycolor package, which has 2.2 million weekly downloads on npm.

The investigation into the breach revealed that the rogue code introduced a function that tampered with package.json files, injected local scripts, and republished altered tarballs. This malicious behavior automatically trojanized downstream projects, putting their security at risk.

The Scope of the Attack

While tinycolor drew attention due to its popularity, it was only one target in a broader supply chain attack that remains under investigation. Socket has published a list of the packages and versions compromised in the attack.

How the Malware Works

The malicious bundle.js downloads the legitimate secret scanner TruffleHog, profiles the host, and then scans files and repos for tokens and cloud credentials. It validates and reuses developer/cloud credentials, drops a GitHub Actions workflow using any available personal access token (PAT), and exfiltrates its findings, base64-encoded, to a hardcoded webhook.

The script fetches platform-specific TruffleHog binaries, executes them locally, and automates secret theft and repository compromise. It scans hosts and repos for environment secrets (e.g., GITHUB_TOKEN, NPM_TOKEN, AWS keys). It verifies npm tokens via the whoami endpoint, then calls GitHub APIs when a token exists.

It also probes cloud metadata endpoints (AWS/GCP) to harvest short-lived credentials from build agents. The malware plants a GitHub Actions workflow in repositories, so future CI runs can exfiltrate secrets and artifacts. According to Socket's report, this allows the attackers to persist beyond the initial host.

Indicators of Compromise

Socket has also published Indicators of Compromise for this attack, which developers and security professionals can use to determine whether their own projects are affected.

Recommendations

Socket recommends the following steps to mitigate the impact of this supply chain attack:

  • Uninstall or pin safe versions of affected packages
  • Audit developer and CI/CD environments for potential vulnerabilities
  • Rotate npm tokens and exposed secrets to prevent unauthorized access
  • Monitor logs for unusual npm activity, such as unexpected package updates or unauthorized access attempts
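One way to start the audit step is to check a project's lockfile and installed manifests, shown here as an added example that is not code from Socket or from this article. It assumes an npm lockfile (lockfileVersion 2 or 3) and that the injected bundle.js is wired to an install-time lifecycle hook; the function names, the sample data and the placeholder version are constructed, and real versions must come from Socket's published list.

```javascript
// Constructed advisory map: package name -> compromised versions.
// The version below is a placeholder, not a real compromised release.
const COMPROMISED = { "@ctrl/tinycolor": ["0.0.0-PLACEHOLDER"] };

// npm lifecycle hooks that run automatically during `npm install`.
const INSTALL_HOOKS = ["preinstall", "install", "postinstall"];

// "node_modules/a/node_modules/@scope/b" -> "@scope/b"
function nameFromLockPath(path) {
  const marker = "node_modules/";
  const i = path.lastIndexOf(marker);
  return i === -1 ? path : path.slice(i + marker.length);
}

// Walk the `packages` map of a parsed package-lock.json and report entries
// that match the advisory map or that declare an install script to review.
function auditLockfile(lock, compromised) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path === "") continue; // the root project itself
    const name = entry.name || nameFromLockPath(path);
    const reasons = [];
    if ((compromised[name] || []).includes(entry.version)) reasons.push("compromised-version");
    if (entry.hasInstallScript) reasons.push("install-script");
    if (reasons.length) findings.push({ path, name, version: entry.version, reasons });
  }
  return findings;
}

// Given a parsed package.json, list install hooks that run a bundle.js
// (assumption: the injected script is attached to one of these hooks).
function suspiciousHooks(manifest) {
  const scripts = manifest.scripts || {};
  return INSTALL_HOOKS.filter((hook) => /\bbundle\.js\b/.test(scripts[hook] || ""));
}

// Constructed sample lockfile; in practice pass JSON.parse of package-lock.json.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/@ctrl/tinycolor": { version: "0.0.0-PLACEHOLDER", hasInstallScript: true },
    "node_modules/example-lib": { version: "1.3.0" },
    "node_modules/a/node_modules/native-thing": { version: "2.0.0", hasInstallScript: true },
  },
};

console.log(auditLockfile(SAMPLE_LOCK, COMPROMISED));
console.log(suspiciousHooks({ scripts: { postinstall: "node bundle.js" } }));
```

An "install-script" finding alone is only a prompt for manual review, since many legitimate packages build native code at install time.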

Stay Safe Online

As with any supply chain attack, it's essential to remain vigilant and proactive in protecting your digital assets. By following Socket's recommendations and staying informed about the latest security threats, you can help ensure your projects stay secure and up-to-date.
