
1208 points jamesberthoty | 1 comment
cddotdotslash No.45262019
I wonder who actually discovered this attack? Can we credit them? The phrasing in these posts is interesting, with some taking direct credit and others just acknowledging the incident.

Aikido says: > We were alerted to a large-scale attack against npm...

Socket says: > Socket.dev found compromised various CrowdStrike npm packages...

Ox says: > Attackers slipped malicious code into new releases...

Safety says: > The Safety research team has identified an attack on the NPM ecosystem...

Phoenix says: > Another supply chain and NPM maintainer compromised...

Semgrep says: > We are aware of a number of compromised npm packages

1. Onavo No.45263487
Usually security companies monitor CVEs and the security mailing lists. That's how they all end up releasing the blog posts at the same time. It's because they are all using the same primary source.