
Security Advisory | NPM Packages Using Secret Scanning Tools to Steal Credentials

Blog post from Semgrep

Post Details
Company: Semgrep
Date Published:
Author: Jayson DeLancey
Word Count: 1,111
Language: English
Hacker News Points: -
Summary

A supply-chain attack has compromised over 187 npm packages with a self-replicating worm. Once a trojanized package is installed, the malicious code scans the host for secrets such as AWS keys and GitHub tokens, exfiltrates them to attacker-controlled endpoints, and uses the harvested credentials to publish updated, infected versions of other packages, which is how it spreads across multiple namespaces; widely used packages such as @ctrl/tinycolor are among those affected. The attack has also caused victims' private repositories to be exposed as public. Semgrep Supply Chain has published rules that flag the compromised versions, and affected users are advised to upgrade or downgrade to known-safe versions of the dependencies. The advisory is being updated as new information becomes available; in the meantime users should review their security and audit logs for signs of the malicious activity, rotate any credentials that may have been exposed, and remove the malicious packages from their systems.
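The detection step above (matching the installed dependency tree against the list of compromised versions) is what a supply-chain rule does for you; it is also easy to reproduce by hand when you need to sweep many repositories quickly. The following is an added example, not Semgrep's code or the advisory's: it audits an npm `package-lock.json` against a blocklist of exact package versions. The blocklist versions and the sample lockfiles are constructed placeholders, not the real advisory data; substitute the `package@version` pairs from the advisory. It goes slightly beyond the post by handling both the flat lockfile v2/v3 layout and the nested v1 layout, nested duplicate installs, and aliased installs whose lockfile path does not carry the real package name.

```javascript
// Added example, not code from Semgrep or the advisory: audit an npm package-lock.json
// against a blocklist of compromised package versions. The blocklist entries and the
// sample lockfiles are CONSTRUCTED placeholders; replace them with the package@version
// pairs published in the advisory. Exact-version matching is deliberate: a compromised
// release is a specific version, not a range.

const COMPROMISED_VERSIONS = {
  // name -> Set of compromised versions (placeholder versions, NOT the real advisory data)
  "@ctrl/tinycolor": new Set(["9.9.9", "9.9.10"]),
};

// Lockfile v2/v3 "packages" keys are install paths such as
// "node_modules/@ctrl/tinycolor" or "node_modules/chalk/node_modules/@ctrl/tinycolor".
// The package name is everything after the last "node_modules/", scope included.
function nameFromLockPath(lockPath) {
  const marker = "node_modules/";
  const idx = lockPath.lastIndexOf(marker);
  return idx === -1 ? null : lockPath.slice(idx + marker.length); // "" is the root project
}

// lockfileVersion 2 and 3: flat "packages" map. An aliased install
// (`npm i safe-color@npm:@ctrl/tinycolor`) is keyed by the alias, so prefer the
// entry's own "name" field over the path whenever it is present.
function findInPackagesMap(packages, blocklist, findings) {
  for (const [lockPath, entry] of Object.entries(packages)) {
    const name = entry.name || nameFromLockPath(lockPath);
    if (!name || !entry.version) continue;
    const bad = blocklist[name];
    if (bad && bad.has(entry.version)) {
      findings.push({ name, version: entry.version, path: lockPath, dev: Boolean(entry.dev) });
    }
  }
}

// lockfileVersion 1: nested "dependencies" tree, so recurse and rebuild the install path.
function findInDependencyTree(deps, parentPath, blocklist, findings) {
  for (const [name, entry] of Object.entries(deps || {})) {
    const lockPath = `${parentPath}node_modules/${name}`;
    const bad = blocklist[name];
    if (bad && entry.version && bad.has(entry.version)) {
      findings.push({ name, version: entry.version, path: lockPath, dev: Boolean(entry.dev) });
    }
    findInDependencyTree(entry.dependencies, `${lockPath}/`, blocklist, findings);
  }
}

// Returns one finding per installed copy. Nested duplicates are reported separately
// because each copy runs its own install scripts and must be removed on its own.
// A v2 lockfile carries both "packages" and a legacy "dependencies" tree; only
// "packages" is walked so nothing is counted twice.
function findCompromised(lockfile, blocklist = COMPROMISED_VERSIONS) {
  const findings = [];
  if (lockfile.packages) {
    findInPackagesMap(lockfile.packages, blocklist, findings);
  } else {
    findInDependencyTree(lockfile.dependencies, "", blocklist, findings);
  }
  return findings;
}

// Wrapper for raw file contents, e.g. fs.readFileSync("package-lock.json", "utf8").
function auditLockfileText(text, blocklist = COMPROMISED_VERSIONS) {
  return findCompromised(JSON.parse(text), blocklist);
}

// Constructed sample lockfile (v3) covering the cases that bite in practice:
// a top-level copy, a nested duplicate, an aliased install, and an unrelated package.
const SAMPLE_LOCKFILE_V3 = {
  name: "demo-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/@ctrl/tinycolor": { version: "9.9.9" },
    "node_modules/chalk": { version: "5.3.0" },
    "node_modules/chalk/node_modules/@ctrl/tinycolor": { version: "9.9.10", dev: true },
    "node_modules/safe-color": { name: "@ctrl/tinycolor", version: "9.9.9" },
  },
};

// Constructed sample lockfile (v1) with the same packages in the nested layout.
const SAMPLE_LOCKFILE_V1 = {
  lockfileVersion: 1,
  dependencies: {
    "@ctrl/tinycolor": { version: "9.9.9" },
    chalk: { version: "5.3.0", dependencies: { "@ctrl/tinycolor": { version: "9.9.10", dev: true } } },
  },
};

for (const finding of findCompromised(SAMPLE_LOCKFILE_V3)) {
  console.log(`${finding.path}: ${finding.name}@${finding.version}${finding.dev ? " (dev)" : ""}`);
}
```

Run it against a real lockfile by passing the file contents to `auditLockfileText`. A hit in a `dev: true` entry still matters: the install scripts of a dev dependency run on every developer machine and CI runner that does a full install, which is exactly where the worm harvests credentials. After removing a flagged version and re-resolving, re-run the audit on the new lockfile rather than trusting the `package.json` range, since a range can still resolve to a compromised release.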