Time: 01:30
Another attack on the NPM supply chain: @ctrl/tinycolor releases a malicious version
September 16, 2025
CoinFeed News
Scam Sniffer has detected another attack targeting the NPM supply chain. @ctrl/tinycolor (downloaded 2.2 million times weekly) has published a malicious version that runs an information stealer from npm's postinstall script to scan for and exfiltrate sensitive data. The malicious payload abuses TruffleHog, a legitimate secret-scanning tool, to find credentials on the host. Check whether you have installed the affected version, suspend installs and updates of the package, and pin it to a known-safe version.
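As an added example, not code from the notice or from Scam Sniffer, the following Node.js script performs the three checks the notice recommends against a package-lock.json: it lists every installed copy of @ctrl/tinycolor (nested copies included), reports whether the root dependency is pinned to an exact version rather than a range, and lists the install-time lifecycle scripts the package's own manifest declares. The lockfile, the package manifest and the "known safe" version are constructed placeholders, since the notice names no version numbers.

```javascript
// Constructed placeholders: the package name is from the notice; the lockfile,
// package.json and "known safe" version below are made up for illustration.
const PKG = "@ctrl/tinycolor";
const KNOWN_SAFE = "4.0.0"; // placeholder: substitute the version you verified yourself

// Constructed package-lock.json (lockfileVersion 3) with one copy of the package.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { dependencies: { [PKG]: "^4.0.0" } },
    [`node_modules/${PKG}`]: { version: "4.1.0" },
    "node_modules/left-pad": { version: "1.3.0" },
  },
};
// Constructed node_modules/@ctrl/tinycolor/package.json declaring a postinstall hook.
const SAMPLE_PKG_JSON = { name: PKG, version: "4.1.0", scripts: { postinstall: "node install-hook.js" } };

const LIFECYCLE = ["preinstall", "install", "postinstall", "prepare"];

// Every installed copy of `name`, including nested ones under another package's node_modules.
function installedVersions(lock, name) {
  const out = [];
  for (const [p, entry] of Object.entries(lock.packages || {})) {
    if (p === `node_modules/${name}` || p.endsWith(`/node_modules/${name}`)) {
      out.push({ path: p, version: entry.version });
    }
  }
  return out;
}

// True only if the root manifest pins `name` to an exact semver (no ^, ~, ranges or dist-tags).
function isPinned(lock, name) {
  const root = (lock.packages && lock.packages[""]) || {};
  const spec = { ...(root.dependencies || {}), ...(root.devDependencies || {}) }[name];
  return typeof spec === "string" && /^\d+\.\d+\.\d+$/.test(spec);
}

// Lifecycle scripts npm would run for this package at install time.
function lifecycleScripts(pkgJson) {
  return LIFECYCLE.filter((k) => pkgJson.scripts && typeof pkgJson.scripts[k] === "string");
}

// Combined verdict: any copy off the verified version, or an unpinned spec, needs action.
function audit(lock, pkgJson, name, knownSafe) {
  const installed = installedVersions(lock, name);
  const offVersion = installed.filter((i) => i.version !== knownSafe);
  const pinned = isPinned(lock, name);
  return { installed, pinned, scripts: lifecycleScripts(pkgJson), needsAction: offVersion.length > 0 || !pinned };
}

console.log(JSON.stringify(audit(SAMPLE_LOCK, SAMPLE_PKG_JSON, PKG, KNOWN_SAFE), null, 2));
```

To run it against a real project, replace SAMPLE_LOCK with `JSON.parse(fs.readFileSync("package-lock.json"))` and SAMPLE_PKG_JSON with the manifest read from node_modules; lockfileVersion 1 files keep a `dependencies` tree instead of `packages` and are not handled here.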