Popular Tinycolor npm Package Compromised in Supply Chain Attack Affecting 40+ Packages
Malicious update to @ctrl/tinycolor on npm is part of a supply-chain attack hitting 40+ packages across maintainers
https://socket.dev/blog/tinycolor-supply-chain-attack-affects-40-packages
Compromised Packages and Versions
The following npm packages and versions have been confirmed as affected:
angulartics2@14.1.2
@ctrl/deluge@7.2.2
@ctrl/golang-template@1.4.3
@ctrl/magnet-link@4.0.4
@ctrl/ngx-codemirror@7.0.2
@ctrl/ngx-csv@6.0.2
@ctrl/ngx-emoji-mart@9.2.2
@ctrl/ngx-rightclick@4.0.2
@ctrl/qbittorrent@9.7.2
@ctrl/react-adsense@2.0.2
@ctrl/shared-torrent@6.3.2
@ctrl/tinycolor@4.1.1, 4.1.2
@ctrl/torrent-file@4.1.2
@ctrl/transmission@7.3.1
@ctrl/ts-base32@4.0.2
encounter-playground@0.0.5
json-rules-engine-simplified@0.2.4, 0.2.1
koa2-swagger-ui@5.11.2, 5.11.1
@nativescript-community/gesturehandler@2.0.35
@nativescript-community/sentry@4.6.43
@nativescript-community/text@1.6.13
@nativescript-community/ui-collectionview@6.0.6
@nativescript-community/ui-drawer@0.1.30
@nativescript-community/ui-image@4.5.6
@nativescript-community/ui-material-bottomsheet@7.2.72
@nativescript-community/ui-material-core@7.2.76
@nativescript-community/ui-material-core-tabs@7.2.76
ngx-color@10.0.2
ngx-toastr@19.0.2
ngx-trend@8.0.1
react-complaint-image@0.0.35
react-jsonschema-form-conditionals@0.3.21
react-jsonschema-form-extras@1.0.4
rxnt-authentication@0.0.6
rxnt-healthchecks-nestjs@1.0.5
rxnt-kue@1.0.7
swc-plugin-component-annotate@1.9.2
ts-gaussian@3.0.6
‼️ Ongoing Supply Chain Attack Targets CrowdStrike npm Packages ‼️
Socket detected multiple compromised CrowdStrike npm packages, continuing the "Shai-Hulud" supply chain attack that previously hit Tinycolor and 40+ other packages.
https://socket.dev/blog/ongoing-supply-chain-attack-targets-crowdstrike-npm-packages
#security
Socket detected multiple compromised CrowdStrike npm packages, continuing the "Shai-Hulud" supply chain attack that has now impacted nearly 500 packag...
https://youtrack.jetbrains.com/articles/WEB-A-233538660/WebStorm-2025.2.2-252.26199.162-build-Release-Notes?utm_source=product&utm_medium=link&utm_campaign=TBA
Hope this release can fix the freezing of my WebStorm on the new macOS.... rrrr....
UPDATE:
It works! ) ❤️
Top 10 Mistakes Angular Developers Make (and How to Avoid Them)
Is it relevant in 2025?! YES!!!
Please don't skip these "best practices" and add them to your style/code guidelines!
1. Keeping Too Much Logic in Components
2. Ignoring Change Detection Strategy
3. Overusing Input() and Output()
4. Not Unsubscribing from Observables
5. Mixing Template Logic with HTML
6. Not Using Lazy Loading for Modules
7. Ignoring Angular CLI and Schematics
8. Neglecting Error Handling in HTTP Calls
9. Not Using TrackBy in ngFor
10. Skipping Testing
‼️FYI: npm security changes - Phase 1 starting October 13 ‼️
Important security changes are coming to npm that may affect your packages and workflows. This is the first phase of our comprehensive security improvements.
Phase 1 changes:
• October 13: New granular tokens limited to 90-day maximum lifetime (7-day default)
• October 13: New TOTP 2FA configurations disabled (existing TOTP still works)
• Early November: All classic tokens will be permanently revoked
**Action required:**
If you use classic tokens in any automation, CI/CD pipelines, or local development, you must migrate to granular access tokens before early November to avoid publishing disruptions.
**More changes ahead:**
This is the first of several security updates. Additional phases will follow in the coming months, including further 2FA improvements and expanded trusted publisher support. We'll communicate each phase in advance.
**Why we're making these changes:**
Recent supply chain attacks have shown that compromised long-lived tokens are a critical vulnerability. These phased changes are essential to protect the npm ecosystem and your packages from malicious actors.
**Get full details and migration guidance:**
https://gh.io/npm-token-changes
Strengthening npm security: Important changes to authentication and token management - GitHub Changelog