
Vladimir S. | Officer's Notes|Sep 16, 2025 02:17
Another NPM supply chain attack has occurred!
The package @ctrl/tinycolor, which has 2.2 million weekly downloads, released malicious versions that run an infostealer from the npm postinstall hook to search for and exfiltrate sensitive information. The malicious payload abuses TruffleHog, a legitimate secret-scanning tool, to find those secrets.
Check whether you have installed any of the affected versions, halt any ongoing installations or updates, and revert to known safe releases. (Vladimir S. | Officer's Notes)