Hackers strike NPM again.

By Maxime Laurent · 2025-09-16 07:01

Another day, another supply chain mess — this time it’s the popular @ctrl/tinycolor library, with over 2.2M downloads per week. The latest versions were poisoned with an infostealer: once installed, it scans your system and quietly steals sensitive data. 🕵️‍♂️💻

The sneaky part? Attackers disguised the payload as TruffleHog, a legit tool used to scan for secrets. So on the surface, it looked like developers were just pulling in a security utility… while in reality, they were handing their keys to thieves.

NPM, the backbone of JavaScript/Node.js, is once again exposed as a soft underbelly of the software world. Millions of devs trust it blindly to fetch packages, but every such attack shows the same truth: in Web2 or Web3, the weakest link is often the supply chain.

For crypto users, that risk is even sharper: one malicious dependency can mean your wallets, your API keys, your private repos — gone. Moral of the story: never install without verifying. ⚠️

#CryptoSecurity #NPM #SupplyChain #Hack #Web3
Disclaimer: This content is for informational purposes only and not financial advice.