Critical Alert: Massive Supply Chain Attack Hits NPM Ecosystem
2025-09-16
Over 40 npm packages, including the popular @ctrl/tinycolor (over 2 million weekly downloads), have been compromised in a sophisticated supply chain attack. The malicious versions are self-propagating: the payload spreads to further packages through the credentials it harvests on each victim, so every infected maintainer seeds the next round of infections and the compromise cascades. The payload is a Webpack-bundled script that steals AWS, GCP, GitHub and other cloud credentials and sensitive information and establishes persistence via GitHub Actions. The attack has already resulted in widespread credential theft. Immediate action is required: check lockfiles and build environments for the affected packages, rotate every credential (npm, GitHub, cloud) that was present on a machine that installed them, and review GitHub repositories for workflow files you did not add.