Supply Chain Attack Compromises @ctrl/tinycolor npm Package, Affects 40+ Packages

Summary

A malicious update to the popular npm package @ctrl/tinycolor (2.2M weekly downloads) was detected as part of a broader supply chain attack impacting over 40 packages across multiple maintainers. The compromised versions contain a function (NpmModule.updatePackage) that downloads a package tarball, indicating a coordinated software supply chain compromise targeting the npm ecosystem.