The Web3 security firm HashDit stated on X, “Another NPM supply chain attack involving the package '@ctrl/tinycolor' has been identified, with malicious versions being distributed.” The package, which receives 2.2 million weekly downloads, has been compromised to execute unauthorized scripts. Users are advised to review their dependencies and ensure they are using secure versions to prevent potential security breaches.
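One way to carry out the dependency review advised above, as an added example that is not code from HashDit or the package's maintainers: it lists every resolved copy of `@ctrl/tinycolor` in a parsed npm lockfile, including copies nested under other packages. The helper name `findInstalls`, the flagged-version set and the sample lockfile are assumptions constructed for illustration, since the report gives no affected version numbers.

```javascript
// Added example: find every resolved copy of a package in a parsed npm lockfile.
const TARGET = '@ctrl/tinycolor';

// PLACEHOLDER: the report names no affected versions. Fill this set from the
// registry advisory before relying on the "flagged" field.
const FLAGGED_VERSIONS = new Set(['0.0.0-placeholder']);

function findInstalls(lock, name = TARGET, flagged = FLAGGED_VERSIONS) {
  const hits = [];
  const record = (path, version) =>
    hits.push({ path, version, flagged: flagged.has(version) });

  if (lock.packages) {
    // lockfileVersion 2/3: flat map keyed by install path.
    const suffix = 'node_modules/' + name;
    for (const [path, meta] of Object.entries(lock.packages)) {
      if (path === suffix || path.endsWith('/' + suffix)) record(path, meta.version);
    }
  } else {
    // lockfileVersion 1: nested "dependencies" tree, walked recursively.
    const walk = (deps, trail) => {
      for (const [dep, meta] of Object.entries(deps || {})) {
        const path = trail + 'node_modules/' + dep;
        if (dep === name) record(path, meta.version);
        walk(meta.dependencies, path + '/');
      }
    };
    walk(lock.dependencies, '');
  }
  return hits;
}

// Constructed sample lockfile (versions are made up, not real releases).
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', version: '1.0.0' },
    'node_modules/@ctrl/tinycolor': { version: '0.0.1-constructed' },
    'node_modules/ui-kit': { version: '2.0.0' },
    'node_modules/ui-kit/node_modules/@ctrl/tinycolor': { version: '0.0.0-placeholder' },
  },
};

for (const hit of findInstalls(SAMPLE_LOCK)) {
  console.log(`${hit.flagged ? 'FLAGGED' : 'ok     '} ${hit.version}  ${hit.path}`);
}
```

For a real project, pass `JSON.parse` of the contents of `package-lock.json` to `findInstalls`; a transitive copy pulled in by another dependency is reported with its full install path.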