Latest NPM Package Compromise Using Secret Scanning Tools to Steal Credentials

cybersecurity www.reddit.com

A few dozen new npm packages were compromised today, including ctrl/tinycolor, react-jsonschema, ngx-toastr, nativescript-community, etc. What's interesting about this round of supply chain attacks is that the compromised packages were using a secret scanning security tool as a post-install hook to gather credentials from the local filesystem and then calling a webhook endpoint to exfiltrate the data.

submitted by /u/j12y