malware npm

@ctrl/tinycolor

discovered 2025-09-16

@ctrl/tinycolor is identified in the SafeDep analysis "npm Supply Chain Attack Exposes Private Repositories, AWS Credentials and More". npm supply chain attacks continue. This time targeting @ctrl/tinycolor and multiple other packages with credential stealer malware. In this blog, we will analyze the attack and its impact on the npm ecosystem. We will also look at common attack patterns that are being used to target maintainers.

more…

Threat types

credential_stealer data_exfiltration

Malicious versions

4.1.1

Campaigns

Shai-Huludattributed-to

Indicators

domain webhook.sitecommunicates-with
sha256 bc18414929992e8e8d2211f9c51ebc7241294a1af3cfdbdd5ca417974b2dac0bindicates
sha256 46faab8ab153fae6e80e7cca38eab363075bb524edd79e42269217a083628f09indicates
email scttcper@gmail.comexfiltrates-to
email github_token@github.comexfiltrates-to

Techniques

ttp T1195.001 Supply Chain Compromise: Compromise Software Dependencies and Development Toolsuses
ttp T1059.007 Command and Scripting Interpreter: JavaScriptuses
ttp T1552.001 Unsecured Credentials: Credentials In Filesuses
ttp T1041 Exfiltration Over C2 Channeluses
ttp T1528 Steal Application Access Tokenuses
ttp T1105 Ingress Tool Transferuses
ttp T1071.001 Application Layer Protocol: Web Protocolsuses
ttp T1102 Web Serviceuses
ttp T1546 Event Triggered Executionuses
ttp T1021 Remote Servicesuses
ttp T1098 Account Manipulationuses
ttp T1027 Obfuscated Files or Informationuses

Read the full analysis →