@ctrl/tinycolor hit by Shai-Hulud
Part of the Shai-Hulud npm worm stole developer secrets campaign
An attacker targeted a shared repository (angulartics2) where the maintainer had admin rights. They pushed a malicious branch (Shai-Hulud) containing a GitHub Actions workflow that immediately ran, exfiltrating a static npm token with broad publish rights.
Story
@ctrl/tinycolor was not compromised through its own repository. The maintainer still had admin rights on a shared repository, angulartics2, which held an npm token with broad publish authority.
An attacker force-pushed a Shai-Hulud branch to that shared repository. Because the actor had admin-level access, the malicious GitHub Actions workflow ran without pull request review and exfiltrated the npm token.
The stolen token was enough. The attacker published malicious versions of @ctrl/tinycolor and other packages, and the bad releases carried the Shai-Hulud postinstall payload. @ctrl/tinycolor mattered most because it had roughly two million weekly downloads.
npm and GitHub removed the malicious versions quickly. The maintainer revoked tokens, republished clean packages to flush caches, and moved toward tighter publishing controls with package-scoped tokens and Trusted Publishing.
Affected Artifacts
- Observed: 2025-09-15
- Fixed: Not listed
- Hashes: sha256:46faab8ab153fae6e80e7cca38eab363075bb524edd79e42269217a083628f09
- Evidence: distribution: npmjs.com/package/@ctrl/tinycolor/v/4.1.1; distribution: npmjs.com/package/@ctrl/tinycolor/v/4.1.2; branch: Shai-Hulud; repository: angulartics2
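A defender-side check, added here as an example and not part of this record or the @ctrl/tinycolor project: it walks an npm lockfile (v1 nested "dependencies" or v2/v3 flat "packages") and flags any install of the two @ctrl/tinycolor versions listed above. The AFFECTED table and SAMPLE_LOCK are constructed for the example.

```python
import json

# Package and versions this record lists as the malicious releases.
AFFECTED = {"@ctrl/tinycolor": {"4.1.1", "4.1.2"}}

# Constructed lockfile (v3 layout) with one bad install and one clean nested copy.
SAMPLE_LOCK = {
    "name": "demo-app", "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app", "version": "1.0.0"},
        "node_modules/@ctrl/tinycolor": {"version": "4.1.2"},
        "node_modules/some-dep": {"version": "2.0.0"},
        "node_modules/some-dep/node_modules/@ctrl/tinycolor": {"version": "4.1.0"},
    },
}


def find_affected(lock: dict) -> list[tuple[str, str, str]]:
    """Return sorted (install path, package name, version) for every affected install."""
    hits = set()
    # lockfileVersion 2/3: "packages" keys are node_modules paths; derive the name from the path.
    for path, entry in lock.get("packages", {}).items():
        name = entry.get("name") or path.rsplit("node_modules/", 1)[-1]
        if entry.get("version") in AFFECTED.get(name, set()):
            hits.add((path, name, entry["version"]))

    # lockfileVersion 1: nested "dependencies" tree, so recurse and rebuild the install path.
    def walk(deps: dict, prefix: str) -> None:
        for name, entry in deps.items():
            path = f"{prefix}node_modules/{name}"
            if entry.get("version") in AFFECTED.get(name, set()):
                hits.add((path, name, entry["version"]))
            walk(entry.get("dependencies", {}), path + "/")

    # v2 files carry both sections; only walk "dependencies" when "packages" is absent.
    if "packages" not in lock:
        walk(lock.get("dependencies", {}), "")
    return sorted(hits)


def scan_lockfile(path: str) -> list[tuple[str, str, str]]:
    """Load package-lock.json from disk and report affected installs."""
    with open(path, encoding="utf-8") as fh:
        return find_affected(json.load(fh))


if __name__ == "__main__":
    for install_path, name, version in find_affected(SAMPLE_LOCK):
        print(f"AFFECTED: {name}@{version} at {install_path}")
```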
Incident Context
- Motive: Credential Theft
- Attribution: Group
- Cause: Compromised Account Credentials
- Transitive: No
- Actor: Third Party
- User Impact: 2,000,000
External References
Source record: oss/attacks/ctrl-tinycolor/meta.yaml