NPM package "@ctrl/tinycolor", with 2.2 million weekly downloads, hit by supply-chain attack carrying a malicious infostealer
September 16, 2025 09:52:59

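ChainCatcher reports that, according to a warning from Scam Sniffer, malicious versions of the NPM package "@ctrl/tinycolor", which has 2.2 million weekly downloads, have been published. They run an infostealer during the npm postinstall step, using the legitimate tool TruffleHog to scan for and exfiltrate sensitive data. About 40 related dependency packages have been affected so far. Users should immediately check whether they have installed an affected version, pause updates, and pin a safe version.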
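One way to run the "check what is installed" step against a project's `package-lock.json` (lockfileVersion 2 or 3), as an added example that is not part of the original report. The report lists no affected version numbers, so `AFFECTED_VERSIONS` is a placeholder to fill from the official advisory, and the sample lockfile and its versions are constructed.

```javascript
// Added example: audit a parsed package-lock.json for every copy of a package,
// including copies nested under other dependencies.
// Placeholder: replace with the versions named in the official advisory.
const AFFECTED_VERSIONS = new Set(['0.0.0-PLACEHOLDER']);

function findPackage(lock, name, affected = AFFECTED_VERSIONS) {
  const suffix = 'node_modules/' + name;
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    // Match "node_modules/<name>" and "<parent>/node_modules/<name>".
    if (path !== suffix && !path.endsWith('/' + suffix)) continue;
    hits.push({
      path,
      version: meta.version,
      // npm records this flag when a package declares install-time scripts.
      hasInstallScript: meta.hasInstallScript === true,
      affected: affected.has(meta.version),
    });
  }
  return hits;
}

// Every locked package that would run a script at install time.
function installScriptPackages(lock) {
  return Object.entries(lock.packages || {})
    .filter(([path, meta]) => path !== '' && meta.hasInstallScript === true)
    .map(([path]) => path);
}

// Constructed sample lockfile; all names other than @ctrl/tinycolor and all
// version strings are made up for illustration.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', version: '1.0.0' },
    'node_modules/@ctrl/tinycolor': { version: '1.0.0-example' },
    'node_modules/some-ui': { version: '2.0.0-example' },
    'node_modules/some-ui/node_modules/@ctrl/tinycolor':
      { version: '9.9.9-example', hasInstallScript: true },
    'node_modules/native-addon': { version: '3.0.0-example', hasInstallScript: true },
  },
};

for (const h of findPackage(SAMPLE_LOCK, '@ctrl/tinycolor', new Set(['9.9.9-example']))) {
  console.log(`${h.affected ? 'AFFECTED' : 'ok      '} ${h.version} ${h.path}`);
}
console.log('install scripts:', installScriptPackages(SAMPLE_LOCK));
```

Running `npm ci --ignore-scripts` installs exactly what the lockfile pins without executing postinstall hooks, which keeps an audit like this from triggering the script it is looking for.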


