(socket.dev)

1208 points jamesberthoty | 2 comments | 16 Sep 25 11:22 UTC | HN request time: 1.445s | source

A lot of blogs on this are AI generated and such as this is developing, so just linking to a bunch of resources out there:

Socket:

- Sep 15 (First post on breach): https://socket.dev/blog/tinycolor-supply-chain-attack-affect...

- Sep 16: https://socket.dev/blog/ongoing-supply-chain-attack-targets-...

StepSecurity – https://www.stepsecurity.io/blog/ctrl-tinycolor-and-40-npm-p...

Aikido - https://www.aikido.dev/blog/s1ngularity-nx-attackers-strike-...

Ox - https://www.ox.security/blog/npm-2-0-hack-40-npm-packages-hi...

Safety - https://www.getsafety.com/blog-posts/shai-hulud-npm-attack

Phoenix - https://phoenix.security/npm-tinycolor-compromise/

Semgrep - https://semgrep.dev/blog/2025/security-advisory-npm-packages...

1. rpodraza ◴[17 Sep 25 15:53 UTC] No.45277340[source]▶

>>45260741 (OP) #

Someone should eradicate the npm ecosystem and start from scratch. No sane package manager would allow to run arbitrary scripts or download stuff from God knows where, like random github repos.

replies(1): >>45277556 #

2. Aperocky ◴[17 Sep 25 16:04 UTC] No.45277556[source]▶

>>45277340 (TP) #

npm is now a private company right? It does also look like they have already gone through enshittification and don't even seem to have publicly acknowledged this attack.

↑

Shai-Hulud malware attack: Tinycolor and over 40 NPM packages compromised