Another attack on the NPM supply chain: @ctrl/tinycolor publishes a malicious version
Source: ChainCatcher
Time: 2025-09-16 09:32:03
According to ChainCatcher, Scam Sniffer has detected another attack on the NPM supply chain. @ctrl/tinycolor (downloaded 2.2 million times per week) published a malicious version that runs an information stealer from an npm postinstall script, scanning for and exfiltrating sensitive data. The malicious payload abuses TruffleHog, a legitimate secret-scanning tool, to do the scanning. Check whether the affected version has been downloaded, pause install/update operations, and pin the package to a known safe version.