
NPM Supply Attack: Malicious Tinycolor Steals Secrets Using TruffleHog

In a supply chain attack, the trending npm package, @ctrl/tinycolor, was in the target. Dastardly versions steal secrets through TruffleHog scanning.

The npm package ecosystem has been hit by a large-scale supply chain attack targeting the popular @ctrl/tinycolor package and over forty more packages.

These malicious versions contain a hidden script that silently harvests sensitive developer secrets, and the discovery has caused alarm within the development community.

The attack abuses TruffleHog, a legitimate secret scanning tool, to locate and exfiltrate tokens and cloud credentials from infected machines.

Malicious Versions Infect 40+ Packages, Raising Alarms

The altered versions of @ctrl/tinycolor (4.1.1 and 4.1.2) include a function that downloads a package, injects a malicious script called bundle.js into its contents, repackages it, and republishes it.

This creates self-replicating malware that automatically infects subsequent packages maintained by the same authors.

It affected over 40 packages across a variety of maintainers, including other packages in the @ctrl scope as well as community modules.

The bundle.js file executes on package installation. It then downloads and runs TruffleHog, which searches the developer's machine and repositories for sensitive tokens, such as GitHub personal access tokens, npm authentication tokens, and cloud service keys such as AWS and GCP keys.

On discovering these secrets, it exfiltrates them to a hard-coded external webhook address, exposing users' credentials without their knowledge.

The campaign is not confined to the local machine: it also overwrites GitHub Actions workflows in infected repositories with malicious ones.

Continuous integration runs can then trigger this workflow, relaying stolen secrets over time and turning a one-off theft into an ongoing leak.

Self-Spreading Malware Creates Cascading Compromise

The malware spreads automatically via the NpmModule.updatePackage function, which infects other packages maintained by the same developers.

Such worm-like behaviour creates a chain of supply-chain compromises that propagates automatically after the initial infection, without any manual intervention by the attacker.

Among the environment variables targeted by the attack are GITHUB_TOKEN, NPM_TOKEN, AWS_ACCESS_KEY_ID, and AWS_SECRET_ACCESS_KEY.

It validates the stolen tokens against the npm and GitHub APIs, then uses them to write persistent malicious workflows.

These workflows keep the malware in place across subsequent CI runs and continue the theft of secrets throughout the development pipeline.

Security professionals urge developers to carry out an emergency audit and remove any affected package versions.

They also recommend rotating any leaked tokens and secrets and monitoring for abnormal package publishing or network traffic to the exfiltration hosts. Detective Daniel dos Santos Pereira was the first to notice the malicious payload and its effects, with the help of Socket's automated malware scanner.
