Self-Spreading Malware Discovered in NPM Packages — Over 40 Projects Affected Including @ctrl/tinycolor
A significant new supply chain incident has rocked the open-source ecosystem. A malicious campaign infiltrated dozens of NPM packages, including one of the most widely used color manipulation libraries downloaded millions of times weekly.
Unlike previous attacks, this one introduced worm-like, self-spreading malware capable of infecting other projects without direct attacker involvement. Once inside a developer’s environment, the malware automatically injected itself into additional packages maintained by the victim—causing a ripple effect across the software landscape.
How the Malware Works
- A built-in propagation engine enables it to modify other projects under the same developer’s account.
- It hunts for sensitive credentials using a repurposed open-source scanner. Targeted secrets include NPM tokens, GitHub keys, and major cloud provider credentials.
- Persistence is achieved through the creation of a hidden workflow file inside .github/workflows/, ensuring long-term control of compromised repositories.
- Stolen data was routed to an exposed collection endpoint.
Why This Attack Stands Out
Most supply chain compromises rely on social engineering or manual package tampering. Here, the malware acted like a worm—automatically spreading and harvesting secrets on its own. This automation greatly increases the potential blast radius, posing serious risks to the entire ecosystem.
What Developers Should Do Now
- Audit Dependencies: Check all projects for the impacted packages and downgrade to safe versions.
- Rotate Secrets: Immediately reset any tokens, keys, or credentials stored locally or within CI/CD pipelines.
- Hunt for Persistence: Review repositories for suspicious workflow files or unauthorized publishing activity.
- Monitor Traffic: Flag any connections to unusual endpoints that may indicate data exfiltration.
Known Affected Packages
Below are confirmed packages and versions containing malicious code:
- @ctrl/tinycolor → 4.1.1, 4.1.2
- @ctrl/deluge → 7.2.2
- angulartics2 → 14.1.2
- @ctrl/golang-template → 1.4.3
- @ctrl/magnet-link → 4.0.4
- @ctrl/ngx-codemirror → 7.0.2
- @ctrl/ngx-csv → 6.0.2
- @ctrl/ngx-emoji-mart → 9.2.2
- @ctrl/ngx-rightclick → 4.0.2
- @ctrl/qbittorrent → 9.7.2
- @ctrl/react-adsense → 2.0.2
- @ctrl/shared-torrent → 6.3.2
- @ctrl/torrent-file → 4.1.2
- @ctrl/transmission → 7.3.1
- @ctrl/ts-base32 → 4.0.2
- encounter-playground → 0.0.5
- json-rules-engine-simplified → 0.2.4
- @nativescript-community/gesturehandler → 2.0.35
- @nativescript-community/sentry → 4.6.43
- @nativescript-community/text → 1.6.13
- @nativescript-community/ui-collectionview → 6.0.6
- @nativescript-community/ui-drawer → 0.1.30
- @nativescript-community/ui-image → 4.5.6
- @nativescript-community/ui-material-bottomsheet → 7.2.72
- @nativescript-community/ui-material-core → 7.2.76
- @nativescript-community/ui-material-core-tabs → 7.2.76
- ngx-color → 10.0.2
- ngx-toastr → 1.9.0.2
- ngx-trend → 8.0.1
- react-complaint-image → 0.0.35
- react-jsonschema-form-conditionals → 0.3.21
- react-jsonschema-form-extras → 1.0.4
- rxnt-authentication → 0.0.6
- rxnt-healthchecks-nestjs → 1.0.5
- rxnt-kue → 1.0.7
- swc-plugin-component-annotate → 1.9.2
- ts-gaussian → 3.0.6
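The following Node.js script is an added example, not code from the original post or from any of the affected projects. It covers the "Audit Dependencies" step above by checking a project's package-lock.json against the affected list: the lock file inside it is constructed for demonstration, and the AFFECTED map is only a subset that should be filled in with every package and version named above.

```javascript
// Added example, not from the original post. AFFECTED is a subset of the
// page's list; populate it with every package/version named above.
const AFFECTED = {
  "@ctrl/tinycolor": ["4.1.1", "4.1.2"],
  "@ctrl/deluge": ["7.2.2"],
  "angulartics2": ["14.1.2"],
  "ngx-color": ["10.0.2"],
};
// Constructed sample lock file (npm lockfileVersion 2/3 layout, where
// "packages" holds one entry per installed path, including nested copies).
const SAMPLE_LOCK = JSON.stringify({
  lockfileVersion: 3,
  packages: {
    "": { name: "example-app", dependencies: { "@ctrl/tinycolor": "^4.1.0" } },
    "node_modules/@ctrl/tinycolor": { version: "4.1.2" },
    "node_modules/angulartics2": { version: "14.1.1" },
    "node_modules/some-lib/node_modules/ngx-color": { version: "10.0.2" },
  },
});
// "node_modules/a/node_modules/@scope/b" -> "@scope/b" (text after the last
// "node_modules/"); the root entry "" has no package name and yields null.
function packageNameFromPath(installPath) {
  const marker = "node_modules/";
  const idx = installPath.lastIndexOf(marker);
  return idx === -1 ? null : installPath.slice(idx + marker.length);
}
// Return every installed package whose exact version is on the affected list.
// Nested copies count too: a transitive dependency can pull in a compromised
// version even when the top-level copy is clean.
function findCompromised(lockJson, affected = AFFECTED) {
  const lock = JSON.parse(lockJson);
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    const name = packageNameFromPath(path);
    if (!name || !meta.version) continue;
    if ((affected[name] || []).includes(meta.version)) {
      hits.push({ path, name, version: meta.version });
    }
  }
  return hits;
}
// Stand-alone use: `node check-lock.js path/to/package-lock.json`; with no
// argument the constructed sample above is scanned instead.
if (typeof require !== "undefined" && require.main === module) {
  const file = process.argv[2];
  const json = file ? require("fs").readFileSync(file, "utf8") : SAMPLE_LOCK;
  console.log(findCompromised(json));
}
```

A non-empty result means the version must be replaced and, given the credential-stealing behaviour described above, every token or key reachable from that machine or pipeline should be treated as exposed and rotated.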
Final Thought:
This incident is a reminder that supply chain security must evolve. Automated, worm-like malware in open-source packages represents a new frontier in attacks. Developers, maintainers, and organizations alike should stay vigilant, implement strong secret management practices, and regularly audit dependencies to reduce exposure.
Author: Foresiet