
[NPM Supply Chain Hit by Malicious Attack, @ctrl/tinycolor Releases Data-Stealing Version] Scam Sniffer has discovered that the NPM supply chain has once again been targeted by an attack. The popular library @ctrl/tinycolor (2.2 million weekly downloads) was published in a malicious version. That version runs a data-stealing program from the npm postinstall script, abusing the legitimate secret-scanning tool TruffleHog to find and exfiltrate sensitive data from the machine. Users are advised to check immediately whether they have installed the affected version, pause any related install or update operations, and pin the dependency to a known safe version to avoid data leakage.
