New supply chain attack hits npm registry, compromising 40+ packages

Pierluigi Paganini September 16, 2025

Researchers uncovered a new supply chain attack targeting the npm registry that impacted over 40 packages belonging to multiple maintainers.

Security researchers at Socket uncovered a malicious update to @ctrl/tinycolor, a package with 2.2M weekly downloads on npm. While investigating the case, they discovered it was linked to a larger supply chain attack that compromised over 40 packages from multiple maintainers. The rogue code added a function that tampered with package.json, injected a local script, and republished altered tarballs, automatically trojanizing downstream projects.

The researcher Daniel dos Santos Pereira first spotted suspicious behavior, and Socket’s detection flagged dozens of related threats. Tinycolor drew attention due to its popularity, but it was only one target in a broad campaign still under investigation.

npm Package Compromised in Supply Chain Attack

Socket published the list of packages and versions compromised in the supply chain attack.

The malicious bundle.js downloads the legitimate secret scanner TruffleHog, profiles the host, and then scans files and repositories for tokens and cloud credentials. It validates and reuses developer and cloud credentials, drops a GitHub Actions workflow using any available personal access token (PAT), and exfiltrates its findings, base64-encoded, to a hardcoded webhook. The script fetches platform-specific TruffleHog binaries, executes them locally, and automates secret theft and repository compromise.

The script scans hosts and repos for environment secrets (e.g., GITHUB_TOKEN, NPM_TOKEN, AWS keys). The malicious code verifies npm tokens via the whoami endpoint before calling GitHub APIs when a token exists. It probes cloud metadata endpoints (AWS/GCP) to harvest short-lived credentials from build agents. The malware also plants a GitHub Actions workflow in repositories, so future CI runs can exfiltrate secrets and artifacts.

“The workflow that it writes to repositories persists beyond the initial host. Once committed, any future CI run can trigger the exfiltration step from within the pipeline where sensitive secrets and artifacts are available by design,” concludes Socket’s report.

The researchers also published Indicators of Compromise for this attack.

Socket recommends that developers uninstall the affected packages or pin safe versions, audit developer and CI/CD environments, rotate npm tokens and exposed secrets, and monitor logs for unusual npm activity.
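One way to carry out the version audit recommended above, as an added example that is not code from Socket or from this article: it checks a parsed package-lock.json against an advisory list and flags install-time hooks that run a local bundle.js. The function names, the placeholder advisory entry and the sample lockfile are constructed, and the use of an install-time lifecycle hook is an assumption the article does not confirm.

```javascript
// Advisory entries as "name@version". Constructed placeholder only: fill in
// from the published list of compromised packages and versions.
const COMPROMISED = new Set(['example-compromised-pkg@0.0.0-placeholder']);

// Hooks npm runs automatically at install time. Assumption: the injected local
// script is launched from one of these (the article does not say which).
const INSTALL_HOOKS = ['preinstall', 'install', 'postinstall'];

// List every locked package in a parsed package-lock.json. Handles
// lockfileVersion 2/3 ("packages" map) and 1 (nested "dependencies").
function lockedPackages(lock) {
  const found = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (!path) continue; // "" is the root project
    const i = path.lastIndexOf('node_modules/');
    const name = meta.name || (i < 0 ? path : path.slice(i + 13));
    found.push({ name, version: meta.version, path });
  }
  const walk = (deps, prefix) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const path = `${prefix}node_modules/${name}`;
      found.push({ name, version: meta.version, path });
      walk(meta.dependencies, `${path}/`);
    }
  };
  if (!lock.packages) walk(lock.dependencies, '');
  return found;
}

// Locked packages whose exact name@version appears in the advisory list.
function findCompromised(lock, advisory = COMPROMISED) {
  return lockedPackages(lock).filter(p => advisory.has(`${p.name}@${p.version}`));
}

// Install hooks in a parsed package.json that invoke a local bundle.js.
function suspiciousHooks(pkg) {
  const scripts = pkg.scripts || {};
  return INSTALL_HOOKS.filter(h => /\bbundle\.js\b/.test(scripts[h] || ''));
}

// Constructed sample lockfile: one nested hit, one scoped look-alike.
const SAMPLE_LOCK = { lockfileVersion: 3, packages: {
  '': { name: 'my-app', version: '1.0.0' },
  'node_modules/left-ok': { version: '2.1.0' },
  'node_modules/a/node_modules/example-compromised-pkg': { version: '0.0.0-placeholder' },
  'node_modules/@scope/example-compromised-pkg': { version: '0.0.0-placeholder' },
}};

console.log(findCompromised(SAMPLE_LOCK).map(p => `${p.name}@${p.version} at ${p.path}`));
```

Transitive dependencies are matched as well as direct ones, so a compromised version pulled in several levels deep is reported with its full path in the tree.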
