Bryce Boe
bryceboe.com
Bryce Boe
@bryceboe.com
Dad, husband, software engineer @ Netflix, and educator.
Reposted by Bryce Boe
🚨 Malicious update to @ctrl/tinycolor on npm is part of an active supply chain attack hitting 40+ packages across multiple maintainers. Audit & remove affected versions.

Our analysis of the malware: socket.dev/blog/tinycol... #NodeJS #JavaScript
Popular Tinycolor npm Package Compromised in Supply Chain At...
Malicious update to @ctrl/tinycolor on npm is part of a supply-chain attack hitting 40+ packages across maintainers
socket.dev
September 15, 2025 at 11:23 PM
Reposted by Bryce Boe
Honestly serious: JUST DON'T UPDATE PACKAGES RIGHT NOW.

It is unclear to me yet, but this is looking pretty widespread. Better be safe than sorry, just go touch some grass.
Do not update to @ctrl/tinycolor@4.1.2. It has malware that is currently live on npm.
September 15, 2025 at 10:29 PM
Reposted by Bryce Boe
These are likely all compromised as well: socket.dev/npm/user/far...
farfromrefuge - Packages - Socket
Socket fights vulnerabilities and provides visibility, defense-in-depth, and proactive supply chain protection for JavaScript, Python, and Go dependencies.
socket.dev
September 15, 2025 at 10:39 PM
Reposted by Bryce Boe
Do not update to @ctrl/tinycolor@4.1.2. It has malware that is currently live on npm.
September 15, 2025 at 10:15 PM
I'm excited to finally be on #bluesky. Now I need to curate my feeds.
July 13, 2023 at 12:47 AM