Another npm supply-chain attack: @ctrl/tinycolor published a malicious version
Source: PANews
Time: 2025-09-16 09:31:33
PANews, September 16: Scam Sniffer has detected another attack on the npm supply chain. @ctrl/tinycolor (about 2.2 million weekly downloads) published a malicious version that runs an information-stealing payload from npm's postinstall (post-installation) lifecycle script, scanning the host for sensitive data and stealing it. The payload abuses TruffleHog, a legitimate secret-scanning tool, to do the scanning. Check whether an affected version has been installed, pause any installation or update, and pin the package to a known-good version.
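The three steps above (check what is installed, stop running install hooks, pin a safe version) can be done against the lockfile rather than the live tree. The script below is an added example, not code from Scam Sniffer or the @ctrl project: it reads an npm `package-lock.json` (lockfileVersion 2 or 3), lists every installed copy of a package including copies nested under other dependencies, flags the ones whose version is in an affected set, lists every package npm will run install scripts for (npm records this as `hasInstallScript`), and produces an `overrides` entry to force a known-good version. The page does not name the malicious version numbers, so the sample lockfile and the affected set are constructed placeholders; replace them with the advisory's list.

```python
"""Added example (not Scam Sniffer's or the @ctrl project's code): audit an npm
package-lock.json for a compromised package and for dependencies that run
install scripts, then pin the package with an npm 'overrides' entry.
All version numbers below are constructed for the demo."""
import json


def _name_from_path(path):
    # Lockfile v2/v3 keys look like "node_modules/a/node_modules/@scope/b";
    # the package name is everything after the last "node_modules/".
    return path.rsplit("node_modules/", 1)[-1]


def installed_versions(lock, name):
    """Map every install path of `name` in the lockfile to its version.
    Nested copies under other packages are included; a quick `npm ls`
    at the top level can hide those."""
    return {
        path: entry.get("version", "")
        for path, entry in lock.get("packages", {}).items()
        if path and _name_from_path(path) == name
    }


def find_affected(lock, name, affected_versions):
    """Return sorted (path, version) pairs whose version is in the affected set."""
    return sorted(
        (path, ver)
        for path, ver in installed_versions(lock, name).items()
        if ver in affected_versions
    )


def packages_with_install_scripts(lock):
    """Packages npm will run lifecycle scripts for at install time.
    npm sets `hasInstallScript: true` in the lockfile for packages with
    preinstall/install/postinstall scripts, which is the hook the
    tinycolor payload used."""
    return sorted(
        (_name_from_path(path), entry.get("version", ""))
        for path, entry in lock.get("packages", {}).items()
        if path and entry.get("hasInstallScript")
    )


def add_override(package_json, name, safe_version):
    """Return a copy of package.json with an `overrides` entry that forces
    every copy of `name` in the tree, transitive ones included, to
    `safe_version`. Honoured by npm 8.3 and later."""
    updated = dict(package_json)
    overrides = dict(updated.get("overrides", {}))
    overrides[name] = safe_version
    updated["overrides"] = overrides
    return updated


# Constructed sample lockfile; versions are illustrative only.
SAMPLE_LOCK = json.loads("""{
  "name": "demo-app",
  "lockfileVersion": 3,
  "packages": {
    "": {"name": "demo-app",
         "dependencies": {"@ctrl/tinycolor": "^9.9.0", "color-helper": "^1.0.0"}},
    "node_modules/@ctrl/tinycolor": {"version": "9.9.1", "hasInstallScript": true},
    "node_modules/color-helper": {"version": "1.0.0"},
    "node_modules/color-helper/node_modules/@ctrl/tinycolor": {"version": "9.9.0"},
    "node_modules/node-gyp-thing": {"version": "2.0.0", "hasInstallScript": true}
  }
}""")

# Constructed placeholder standing in for the advisory's list of bad versions.
DEMO_AFFECTED = {"9.9.1"}
PACKAGE = "@ctrl/tinycolor"

if __name__ == "__main__":
    for path, ver in find_affected(SAMPLE_LOCK, PACKAGE, DEMO_AFFECTED):
        print(f"AFFECTED: {path} -> {ver}")
    for name, ver in packages_with_install_scripts(SAMPLE_LOCK):
        print(f"runs install scripts: {name}@{ver}")
    pinned = add_override({"name": "demo-app"}, PACKAGE, "9.9.0")
    print(json.dumps(pinned["overrides"]))
```

While the tree is being checked, `npm ci --ignore-scripts` installs from the lockfile without running any lifecycle script, which neutralises a postinstall payload of this kind until the affected package has been removed or pinned.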