Subj : Another npm supply-chain attack
To   : All
From : LWN.net
Date : Tue Sep 16 2025 15:00:09

Another npm supply-chain attack
Date: Tue, 16 Sep 2025 13:51:53 +0000

Description: The Socket.dev blog describes this week's attack on JavaScript packages in the npm repository. A malicious update to @ctrl/tinycolor (2.2M weekly downloads) was detected on npm as part of a broader supply chain attack that impacted more than 40 packages spanning multiple maintainers. The compromised versions include a function (NpmModule.updatePackage) that downloads a package tarball, modifies package.json, injects a local script (bundle.js), repacks the archive, and republishes it, enabling automatic trojanization of downstream packages.

======================================================================
Link to news story: https://lwn.net/Articles/1038326/

--- Mystic BBS v1.12 A49 (Linux/64)
 * Origin: tqwNet UK HUB @ hub.uk.erb.pw (1337:1/100)
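The tampering pattern described above (a repacked tarball with a modified package.json and an injected bundle.js) is something a package consumer can check for by diffing a suspect tarball against a known-good one. The following is an added example written for this post; it is not code from LWN, Socket.dev or any of the affected packages. Both tarballs are constructed inline, and the "postinstall" hook used to run the injected file in the tampered copy is an assumed placeholder, not a detail taken from the story.

```python
"""Diff a suspect npm tarball against a known-good one and report files that
were injected into the archive and install-time lifecycle scripts that were
added or changed in package.json. Added example; the tarballs are constructed
here and the postinstall hook is an assumption for illustration."""
import io
import json
import tarfile

# npm lifecycle hooks that execute code on the installing machine.
INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")


def build_tarball(files: dict) -> bytes:
    """Construct an npm-style tarball in memory (all entries under package/)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, content in files.items():
            data = content.encode()
            info = tarfile.TarInfo(name="package/" + name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def read_tarball(data: bytes) -> dict:
    """Return {path: bytes} for every regular file in the tarball."""
    out = {}
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:gz") as tar:
        for member in tar.getmembers():
            if member.isfile():
                out[member.name] = tar.extractfile(member).read()
    return out


def audit(known_good: bytes, suspect: bytes) -> dict:
    """Report injected files and install-hook changes between two tarballs."""
    good = read_tarball(known_good)
    bad = read_tarball(suspect)
    findings = {"added_files": sorted(set(bad) - set(good)), "hook_changes": {}}
    good_scripts = json.loads(good.get("package/package.json", b"{}")).get("scripts", {})
    bad_scripts = json.loads(bad.get("package/package.json", b"{}")).get("scripts", {})
    for hook in INSTALL_HOOKS:
        before, after = good_scripts.get(hook), bad_scripts.get(hook)
        if before != after:
            findings["hook_changes"][hook] = {"before": before, "after": after}
    return findings


# Constructed sample: a clean release of a hypothetical package.
CLEAN = build_tarball({
    "package.json": json.dumps({"name": "example-pkg", "version": "1.0.0",
                                "main": "index.js",
                                "scripts": {"test": "node test.js"}}),
    "index.js": "module.exports = () => 'ok';\n",
})

# Constructed sample: the same code repacked with an injected bundle.js and an
# install hook that runs it (hook name is an assumption for this example).
TAMPERED = build_tarball({
    "package.json": json.dumps({"name": "example-pkg", "version": "1.0.1",
                                "main": "index.js",
                                "scripts": {"test": "node test.js",
                                            "postinstall": "node bundle.js"}}),
    "index.js": "module.exports = () => 'ok';\n",
    "bundle.js": "// placeholder standing in for the injected script\n",
})

if __name__ == "__main__":
    print(json.dumps(audit(CLEAN, TAMPERED), indent=2))
```

Run against real input by feeding `audit()` the bytes of two tarballs fetched from the registry (for example the last version you had pinned and the newly published one); a non-empty `added_files` list or any entry in `hook_changes` is the signal to hold the upgrade and inspect the diff by hand.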