Blog

Home News A popular NPM package, “@ctrl/tinycolor,” with 2.2 million weekly downloads, has been subjected to a supply chain attack, containing a malicious information stealer.

A popular NPM package, "@ctrl/tinycolor," with 2.2 million weekly downloads, has been subjected to a supply chain attack, containing a malicious information stealer.

16 September 2025

BlockBeats News, September 16th, according to Scam Sniffer warning, the NPM package ‘@ctrl/tinycolor’ with a weekly download volume of 2.2 million was implanted with a malicious version, running an information stealer during the npm postinstall process, utilizing the legitimate tool TruffleHog to scan and exfiltrate sensitive data. Currently, it has affected approximately 40 related dependencies. Users should immediately check if they have installed the affected version, pause updates, and lock to a secure version.

Blog

A popular NPM package, "@ctrl/tinycolor," with 2.2 million weekly downloads, has been subjected to a supply chain attack, containing a malicious information stealer.

Related articles

BlackRock deposits 566 BTC and 7552 ETH into Coinbase.

Wallet provider Exodus expects to reach a net loss of $11 million by 2025

GoPlus: Among the Top 100 Skills in the ClawHub ecosystem, 21% have clearly high-risk operations