We are aware of a number of compromised npm packages that use a novel trick: bundling a secret-scanning tool to harvest credentials. We are investigating whether any of our customers are impacted. We'll share additional analysis from our security research team about this latest compromise as it becomes available, where it may prove helpful.
One package (@ctrl/tinycolor) has > 8 million monthly downloads
Extends beyond single namespace and includes @ngx, @nativescript-community, and more
30+ packages discovered so far
Steals credentials from the process environment (AWS keys, GitHub/NPM tokens, etc.) and runs Trufflehog to scan the filesystem for further secrets
Exfiltrates secrets to a webhook.site endpoint
NPM is rapidly unpublishing compromised versions
Semgrep Supply Chain customers can use the Advisories tab to filter for affected dependencies. The Semgrep rule itself lists the impacted packages with their known compromised versions.
Security Advisory Updates
If additional guidance is necessary we’ll provide updates here as they are available.
2025-09-15 | 04:23pm PDT, 11:23pm UTC
Socket Research published a blog post with a detailed technical analysis:
https://socket.dev/blog/tinycolor-supply-chain-attack-affects-40-packages
2025-09-15 | 03:45pm PDT, 10:23pm UTC
Reported to the tinycolor project: https://github.com/scttcper/tinycolor/issues/256
2025-09-15 | 11:11am PDT, 06:41pm UTC
LinkedIn post from Daniel Pereira describing how he discovered the attack after it exposed secrets.
Vulnerable Package Inventory
Here is a list of the packages that were impacted.
angulartics2@14.1.2
@ctrl/deluge@7.2.2
@ctrl/golang-template@1.4.3
@ctrl/magnet-link@4.0.4
@ctrl/ngx-codemirror@7.0.2
@ctrl/ngx-csv@6.0.2
@ctrl/ngx-emoji-mart@9.2.2
@ctrl/ngx-rightclick@4.0.2
@ctrl/qbittorrent@9.7.2
@ctrl/react-adsense@2.0.2
@ctrl/shared-torrent@6.3.2
@ctrl/tinycolor@4.1.1, @4.1.2
@ctrl/torrent-file@4.1.2
@ctrl/transmission@7.3.1
@ctrl/ts-base32@4.0.2
encounter-playground@0.0.5
json-rules-engine-simplified@0.2.1, @0.2.4
koa2-swagger-ui@5.11.1, @5.11.2
@nativescript-community/gesturehandler@2.0.35
@nativescript-community/sentry@4.6.43
@nativescript-community/text@1.6.13
@nativescript-community/ui-collectionview@6.0.6
@nativescript-community/ui-drawer@0.1.30
@nativescript-community/ui-image@4.5.6
@nativescript-community/ui-material-bottomsheet@7.2.72
@nativescript-community/ui-material-core@7.2.76
@nativescript-community/ui-material-core-tabs@7.2.76
ngx-color@10.0.2
ngx-toastr@19.0.2
ngx-trend@8.0.1
react-complaint-image@0.0.35
react-jsonschema-form-conditionals@0.3.21
react-jsonschema-form-extras@1.0.4
rxnt-authentication@0.0.6
rxnt-healthchecks-nestjs@1.0.5
rxnt-kue@1.0.7
swc-plugin-component-annotate@1.9.2
ts-gaussian@3.0.6
Recommendations for Triage
Additional steps you could take:
Check for @latest Installs
Review whether you installed any of these packages with @latest during the compromise window, or otherwise pulled a compromised version from the list above
Check Logs for Activity
Review your system logs and CI/CD build logs to verify that no requests were made to webhook[.]site at the path bb8ca5f6-4175-45d2-b042-fc9ebb8170b7
Rotate Credentials if Concerned
Rotate all credentials that were compromised, then audit your logs to determine whether the compromised tokens were used for additional actions or persistence attempts
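The first two triage steps above can be scripted. The following Node.js helper is an added example, not Semgrep's tooling: it checks a package-lock.json (v2/v3 "packages" map) against a subset of the compromised package@version pairs from the inventory above, and filters log lines for the webhook.site exfiltration path. The lockfile and log lines it runs on are constructed samples.

```javascript
// Subset of the inventory above; extend with the full list when using it.
const COMPROMISED = {
  "@ctrl/tinycolor": ["4.1.1", "4.1.2"],
  "ngx-toastr": ["19.0.2"],
  "@nativescript-community/sentry": ["4.6.43"],
  "koa2-swagger-ui": ["5.11.1", "5.11.2"],
};

// Exfiltration path named in the advisory; matches both webhook.site and the
// defanged webhook[.]site spelling used in reports.
const EXFIL_RE = /webhook\[?\.\]?site\/bb8ca5f6-4175-45d2-b042-fc9ebb8170b7/;

// Lockfile keys look like "node_modules/@ctrl/tinycolor" or, for nested
// installs, "node_modules/a/node_modules/@ctrl/tinycolor"; the package name
// is everything after the last "node_modules/".
function findCompromised(lock) {
  const hits = [];
  for (const [key, entry] of Object.entries(lock.packages || {})) {
    const idx = key.lastIndexOf("node_modules/");
    if (idx === -1 || !entry.version) continue; // skip the root "" entry
    const name = key.slice(idx + "node_modules/".length);
    if ((COMPROMISED[name] || []).includes(entry.version)) {
      hits.push({ name, version: entry.version, path: key });
    }
  }
  return hits;
}

// Return the log lines that reference the exfiltration endpoint.
function findExfilInLogs(lines) {
  return lines.filter((line) => EXFIL_RE.test(line));
}

// Constructed sample lockfile (v3 shape) and constructed CI log lines.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/@ctrl/tinycolor": { version: "4.1.2" },
    "node_modules/ngx-toastr": { version: "19.0.1" },
    "node_modules/foo/node_modules/@nativescript-community/sentry": { version: "4.6.43" },
  },
};
const SAMPLE_LOGS = [
  "2025-09-15T18:02:14Z POST https://webhook.site/bb8ca5f6-4175-45d2-b042-fc9ebb8170b7 200",
  "2025-09-15T18:02:15Z npm notice build ok",
];

console.log(findCompromised(SAMPLE_LOCK), findExfilInLogs(SAMPLE_LOGS));
```

To run it against a real project, replace SAMPLE_LOCK with the parsed contents of your package-lock.json and SAMPLE_LOGS with your CI log lines; a non-empty result from either function means the host should be treated as exposed and the credential rotation step applied.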
Additional NPM Security Advice
Reducing Run Scripts
If your dependencies do not generally need their install scripts, you can tell npm to ignore run-scripts (the ignore-scripts setting), which prevents arbitrary code from executing in postinstall hooks.
Some packages do require installation steps, however, so this may not be feasible in all cases.