
The NPM package "@ctrl/tinycolor", downloaded 2.2 million times a week, was hit by a supply-chain attack that shipped a malicious information stealer

Source: BlockBeats
According to BlockBeats, on September 16 Scam Sniffer warned that a malicious version of the NPM package "@ctrl/tinycolor", which is downloaded 2.2 million times a week, had been published. The malicious version runs an information stealer from the npm postinstall hook and uses the legitimate secret-scanning tool TruffleHog to locate and exfiltrate sensitive data. About 40 related dependencies have been affected so far. Users should immediately check whether an affected version is installed, pause updates, and pin a known-safe version.