News Score: Score the News, Sort the News, Rewrite the Headlines

Popular Tinycolor npm Package Compromised in Supply Chain At...

A malicious update to @ctrl/tinycolor (2.2M weekly downloads) was detected on npm as part of a broader supply-chain attack that impacted more than 40 packages spanning multiple maintainers. The compromised versions include a function (NpmModule.updatePackage) that downloads a package tarball, modifies package.json, injects a local script (bundle.js), repacks the archive, and republishes it, enabling automatic trojanization of downstream packages. The issue was first noticed by Daniel dos Santos P...

Read more at socket.dev
