More information... The popular @ctrl/tinycolor package was compromised in a sophisticated campaign that spread to 40+ packages across multiple maintainers. The malware: • Hijacks the publish process • Injects a malicious script (bundle.js) • Runs automatically on install • Scans for tokens (npm, GitHub, AWS, GCP) • Even drops a GitHub Actions workflow to persist and exfiltrate secrets This is one of the more advanced attacks we’ve seen recently. It targets developers’ machines, CI/CD pipelines, and cloud infra. Socket’s automated malware detection flagged the threat, and our research team is now analyzing the payload in depth. We’ll be publishing a full technical report soon. For now: 👉 Uninstall or pin to safe versions 👉 Rotate exposed tokens 👉 Audit your environments for suspicious publishes