ctrl-tinycolor - isotope¹³

Incident Summary

@ctrl/tinycolor NPM Package Compromise (Shai-Hulud)

An attacker targeted a shared repository (angulartics2) where the maintainer had admin rights. They pushed a malicious branch (Shai-Hulud) containing a GitHub Actions workflow that immediately ran, exfiltrating a static npm token with broad publish rights. The attacker then published malicious versions of approximately 20 packages, including @ctrl/tinycolor, containing a malicious postinstall script.

Date: 2025-09-15
Category: Open Source
Target Surface: Package registry
Insertion Phase: distribution
Impact: Code Execution
Cause: Compromised Account/Credentials

What Was Affected

Package ctrl-tinycolor

LanguageJavaScript

ComponentLibrary

Artifact typesource archive

Domain typepackage host

Domain npmjs.com

Compromised Versions

4.1.1
4.1.2

Incident Context

Motive: Credential Theft
Attribution: Third Party
Transitive: No
User Impact: 2000000
Observed Duration: 0 days

Indicators and Changes

Hashes

sha256:46faab8ab153fae6e80e7cca38eab363075bb524edd79e42269217a083628f09

External References

sigh.dev/posts/ctrl-tinycolor-post-mortem

Source Data

Source record: oss/ctrl-tinycolor/meta.yaml