SafeDep Blog

npm supply chain attacks continue. This time targeting @ctrl/tinycolor and multiple other packages with credential stealer malware. In this blog, we will analyze the attack and its impact on the npm ecosystem. We will also look at common attack patterns that are being used to target maintainers.

Complete analysis of sophisticated crypto wallet drainer found in 21 npm packages with over one billion weekly downloads. Includes detailed technical breakdown of 76KB malware payload disguised in [email protected] and multi-stage attack architecture.

The popular npm package `nx` was compromised, targeting Linux and macOS developers. Malicious versions included a postinstall script that stole credentials, exfiltrated sensitive files, and added destructive commands to shell configs, causing system shutdowns and data leaks.

A malicious NPM package targeting TensorFlow users was discovered on npm. The package uses typosquatting to target the popular `tensorflow` package.

Multiple malicious Python packages targeting crypto developers and their applications using typosquatting were discovered on PyPI. The packages were used to steal funds by executing a stealthy staking operation.

PEP 723 introduces inline metadata for Python scripts, making tools like `uv` more convenient—but also potentially more dangerous. This post explores security pitfalls when dependencies are declared inside code files.