Supply-Chain Attacks Escalate — How Tinycolor, CrowdStrike & npm Libraries are Under Siege

Supply-Chain Attacks Escalate
In the last several weeks, we’ve seen a sharp escalation in supply-chain attacks: what once seemed rare or exotic is now frequent, sophisticated, and far-reaching. We want our customers to understand the recent incidents, how they compare, and most importantly what to do to stay protected.

What’s Happened Lately

1. Tinycolor / “@ctrl/tinycolor” Attack (Mid-September 2025)
  • A malicious update to @ctrl/tinycolor (~2.2M weekly downloads) was part of a broader campaign that compromised more than 40 npm packages.
  • The trojanized versions carry a bundle.js that runs from an install hook. It scans the host for secrets (using TruffleHog), harvests npm tokens, GitHub tokens and cloud credentials from developer machines and CI/CD runners, and uses the stolen npm tokens to publish trojanized versions of other packages the victim maintains, which is how the campaign spread from one package to dozens. Where it obtains GitHub access it also commits a GitHub Actions workflow, so exfiltration keeps running from CI after the initial install.
  • Harvested data is sent to a hardcoded webhook, and none of this needs user interaction: the payload executes as soon as the compromised package is installed.
  • Key indicators: a bundle.js in the package tarball, unexpected install scripts or other modifications to package.json in downstream packages, GitHub Actions workflow files nobody on the team committed, and outbound calls to unknown webhook endpoints.

2. The “Scavenger” Campaign Reported by CrowdStrike (July 2025)
  • Attackers compromised npm maintainer credentials with phishing emails sent from a typosquatted npm domain. The name comes from CrowdStrike's analysis of the malware; CrowdStrike itself was not the victim.
  • They pushed malicious versions of widely used packages including eslint-config-prettier, eslint-plugin-prettier, synckit, @pkgr/core and napi-postinstall.
  • The malicious loader script (install.js) executed a bundled node-gyp.dll on Windows hosts, stole .npmrc tokens, and dropped a second-stage infostealer targeting browser data. CVE-2025-54313 was assigned to the compromise.

3. The “qix” npm Breach (Early September 2025)
  • The maintainer account “qix” was compromised via a phishing email sent from a fake npm support domain.
  • Attackers pushed malicious updates to some of the most-depended-on libraries on npm (chalk, debug, ansi-styles and others), which together account for billions of weekly downloads.
  • The payload was aimed at crypto theft: running inside browser bundles, it intercepted Web3 wallet interactions and silently replaced destination wallet addresses with attacker-controlled ones, redirecting funds.

What All These Attacks Share & Why They’re Dangerous

  • Adversaries combine phishing, maintainer-account takeover and malicious package releases to piggy-back on tools developers already trust.
  • Because npm resolves transitive dependencies automatically, one compromised package can infect everything that depends on it before maintainers or users notice, and in the Tinycolor campaign the malware actively republished other packages to extend its reach.
  • Persistence is getting more advanced: injected CI workflows, automatic modification of other packages, and exfiltration that runs from inside CI/CD pipelines rather than only on a developer laptop.
  • Tokens, environment variables and cloud credentials are the real targets; once leaked, they give attackers a foothold well beyond the package that leaked them.

How To Protect Yourself (Now)

Here are concrete steps you and your team should take:

    1. Audit dependencies: check your lockfiles (not just package.json) for the affected versions of @ctrl/tinycolor, the packages hit by the Scavenger campaign, the qix packages, and anything else flagged in recent advisories. A compromised package can sit several levels deep as a transitive dependency.
    2. Pin & lock versions: commit your lockfile, install with npm ci so the lockfile is honoured, and don't auto-upgrade without reviewing what changed. Setting ignore-scripts=true in .npmrc stops install hooks, which all three campaigns relied on, from running on developer machines.
    3. Use strong authentication: hardware-backed 2FA on npm and GitHub accounts, publish tokens scoped to the narrowest permissions that work, and verify the sender domain before acting on any "support" email (two of the three incidents above began with one).
    4. Monitor CI/CD & developer environments: look for unfamiliar workflow files, unexpected bundle.js scripts, changes to package.json install hooks, and npm publish events you did not initiate.
    5. Rotate secrets: if any compromised package was installed on a machine or in a pipeline that held tokens, cloud credentials or .npmrc contents, treat them as stolen and rotate them.
    6. Generate SBOMs and run dependency scanning: use tools that match your inventory against supply-chain advisories, and keep the SBOM current so the next incident is a lookup rather than a hunt.
    7. Limit blast radius: give build accounts and CI runners the minimum privileges they need, and don't let credentials for unrelated systems sit in the build environment.
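Steps 1, 2 and 4 can be automated against the files already in a repository. The following is an added example (not code from the original post or from any affected project) that audits a package-lock.json against an advisory list, flags direct dependencies that are not pinned to an exact version, and confirms that ignore-scripts is set in .npmrc. Every package name, version and file content below is a constructed placeholder; real advisory data has to come from your own feed (npm audit, GitHub advisories, vendor bulletins).

```javascript
// Added example (not code from the original post or any affected project):
// audit a package-lock.json against an advisory list, flag direct
// dependencies that are not pinned to an exact version, and confirm that
// lifecycle scripts are disabled in .npmrc. All package names, versions and
// file contents below are constructed placeholders.

// Constructed advisory list: package name -> set of known-bad versions.
const ADVISORIES = {
  'color-utils': new Set(['4.1.1', '4.1.2']),
  'nested-helper': new Set(['1.3.0']),
};

// Map each installed package in a lockfileVersion 2/3 "packages" tree to its
// version. Keys look like "node_modules/a" or "node_modules/a/node_modules/b";
// the name is everything after the last "node_modules/", so scoped packages
// such as "@scope/name" are preserved.
function installedPackages(lock) {
  const out = [];
  for (const [key, entry] of Object.entries(lock.packages || {})) {
    if (key === '') continue; // the root project itself
    const name = key.split('node_modules/').pop();
    out.push({ path: key, name, version: entry.version });
  }
  return out;
}

// Return every installed package whose exact version is on the advisory list,
// including transitive ones nested under another package.
function findCompromised(lock, advisories) {
  return installedPackages(lock).filter(
    (p) => advisories[p.name] && advisories[p.name].has(p.version),
  );
}

// Return direct dependencies whose spec is a range (^, ~, >=, *, a tag, ...)
// rather than an exact x.y.z version.
function unpinnedDependencies(manifest) {
  const exact = /^\d+\.\d+\.\d+(-[0-9A-Za-z.-]+)?$/;
  const deps = { ...(manifest.dependencies || {}), ...(manifest.devDependencies || {}) };
  return Object.entries(deps)
    .filter(([, spec]) => !exact.test(spec))
    .map(([name, spec]) => `${name}@${spec}`);
}

// True when .npmrc sets ignore-scripts=true, which stops install hooks (the
// mechanism the campaigns above relied on) from running on this machine.
function scriptsIgnored(npmrcText) {
  return npmrcText
    .split(/\r?\n/)
    .some((line) => /^\s*ignore-scripts\s*=\s*true\s*$/.test(line));
}

// Constructed inputs standing in for package.json, package-lock.json and .npmrc.
const SAMPLE_MANIFEST = {
  dependencies: { 'color-utils': '^4.1.0', 'safe-lib': '2.0.0' },
  devDependencies: { 'format-prettier': '~9.1.0' },
};
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { dependencies: SAMPLE_MANIFEST.dependencies },
    'node_modules/color-utils': { version: '4.1.2' },
    'node_modules/safe-lib': { version: '2.0.0' },
    'node_modules/safe-lib/node_modules/nested-helper': { version: '1.3.0' },
    'node_modules/format-prettier': { version: '9.1.3' },
  },
};
const SAMPLE_NPMRC = 'save-exact=true\nignore-scripts=true\n';

// Run the audit and return a structured result the caller can act on.
function auditProject(manifest, lock, npmrc) {
  return {
    compromised: findCompromised(lock, ADVISORIES).map((p) => `${p.name}@${p.version} (${p.path})`),
    unpinned: unpinnedDependencies(manifest),
    scriptsIgnored: scriptsIgnored(npmrc),
  };
}

console.log(JSON.stringify(auditProject(SAMPLE_MANIFEST, SAMPLE_LOCK, SAMPLE_NPMRC), null, 2));
```

In a real pipeline, read the three files with fs, fail the build when compromised is non-empty, and treat unpinned entries as review items rather than hard failures until the team has switched to save-exact and npm ci.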

Final Thoughts

What’s emerging is that supply chain attacks are evolving not just in scale but in sophistication. We’re seeing:

  • Malicious code that persists through CI workflows, not just at install time.
  • Scripts that auto-infect downstream packages, making detection harder.
  • Multiple campaigns overlapping (Tinycolor, CrowdStrike, qix-npm) showing that this is not a one-off.

At Tahcil Consulting, we’re intensifying our own threat monitoring, tightening dependency policies, and helping customers assess their exposure. If you want us to help run a dependency audit, check your CI/CD pipeline, or review your build environments, we’re ready to support you.


Stay vigilant — because in today’s software landscape, trust has to be earned repeatedly, not assumed once.
