npm

@ctrl/tinycolor

@ctrl/tinycolor is identified in the SafeDep analysis "npm Supply Chain Attack Exposes Private Repositories, AWS Credentials and More". npm supply chain attacks continue. This time targeting @ctrl/tinycolor and multiple other packages with credential stealer malware. In this blog, we will analyze the attack and its impact on the npm ecosystem. We will also look at common attack patterns that are being used to target maintainers.

discovered 2025-09-16

Threat types

credential_stealerdata_exfiltration

Malicious versions

4.1.1

Campaigns

Shai-Huludattributed-to

Indicators

domainwebhook.sitecommunicates-with
sha256bc18414929992e8e8d2211f9c51ebc7241294a1af3cfdbdd5ca417974b2dac0bindicates
sha25646faab8ab153fae6e80e7cca38eab363075bb524edd79e42269217a083628f09indicates
email[email protected]exfiltrates-to
email[email protected]exfiltrates-to

Techniques

ttpT1195.001 Supply Chain Compromise: Compromise Software Dependencies and Development Toolsuses
ttpT1059.007 Command and Scripting Interpreter: JavaScriptuses
ttpT1552.001 Unsecured Credentials: Credentials In Filesuses
ttpT1041 Exfiltration Over C2 Channeluses
ttpT1528 Steal Application Access Tokenuses
ttpT1105 Ingress Tool Transferuses
ttpT1071.001 Application Layer Protocol: Web Protocolsuses
ttpT1102 Web Serviceuses
ttpT1546 Event Triggered Executionuses
ttpT1021 Remote Servicesuses
ttpT1098 Account Manipulationuses
ttpT1027 Obfuscated Files or Informationuses

Read the full analysis →