Zero-day in popular npm package affects 12M downloads
A critical vulnerability in a widely used utility library went unpatched for three months. The supply chain problem is getting worse.
Security researchers have disclosed a critical zero-day vulnerability in colors.js, a popular npm package with over 12 million weekly downloads. The vulnerability allows arbitrary code execution through crafted input strings.
Timeline
The vulnerability was introduced in version 1.6.0, released three months ago. It went undetected because the malicious code was obfuscated within a legitimate-looking dependency update. The package has since been patched in version 1.6.1.
What to do
If your project depends on colors.js, update to the patched version immediately. Run npm audit to check whether you are affected, and review your lock file for any unexpected dependency changes.
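As an added example that is not part of this article, the following script performs the lock-file review described above on a constructed package-lock.json: it lists every installed copy of the package whose version falls in the affected range and flags entries whose tarball was not resolved from the public npm registry. It assumes the npm package name "colors" for colors.js and the range from 1.6.0 up to (not including) the patched 1.6.1.

```javascript
// Added example (not from the article): review a package-lock.json (v2/v3) for
// the affected package and for dependencies resolved outside the public registry.
// ASSUMPTIONS: npm name for colors.js is "colors"; vulnerable range [1.6.0, 1.6.1).
const VULNERABLE = { name: 'colors', introduced: '1.6.0', fixed: '1.6.1' };
const REGISTRY = 'https://registry.npmjs.org/';

// Constructed sample lock file: a vulnerable copy, a nested patched copy, and an
// unrelated package fetched from a non-registry URL.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', version: '1.0.0', dependencies: { colors: '^1.6.0' } },
    'node_modules/colors': { version: '1.6.0', resolved: REGISTRY + 'colors/-/colors-1.6.0.tgz' },
    'node_modules/some-lib/node_modules/colors': { version: '1.6.1', resolved: REGISTRY + 'colors/-/colors-1.6.1.tgz' },
    'node_modules/leftpad': { version: '1.0.0', resolved: 'https://example.invalid/leftpad-1.0.0.tgz' },
  },
};

// Numeric compare of dotted versions (pre-release suffix ignored): -1, 0 or 1.
function compareVersions(a, b) {
  const pa = a.split('-')[0].split('.').map(Number);
  const pb = b.split('-')[0].split('.').map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

// Package name from a lock-file path: everything after the last "node_modules/".
function packageName(path) {
  const marker = 'node_modules/';
  return path.slice(path.lastIndexOf(marker) + marker.length);
}

// Every installed copy of the package with a version in [introduced, fixed).
function findVulnerable(lock, vuln = VULNERABLE) {
  return Object.entries(lock.packages || {})
    .filter(([path, e]) => path !== '' && packageName(path) === vuln.name &&
      compareVersions(e.version, vuln.introduced) >= 0 &&
      compareVersions(e.version, vuln.fixed) < 0)
    .map(([path, e]) => ({ path, version: e.version }));
}

// Entries whose tarball did not come from the public registry: review by hand.
function findOffRegistry(lock, registry = REGISTRY) {
  return Object.entries(lock.packages || {})
    .filter(([path, e]) => path !== '' && e.resolved && !e.resolved.startsWith(registry))
    .map(([path]) => path);
}

console.log(findVulnerable(SAMPLE_LOCK), findOffRegistry(SAMPLE_LOCK));
```

To run it against a real project, replace SAMPLE_LOCK with the parsed contents of your package-lock.json; nested copies under other packages are found as well, since npm can install more than one version.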
This incident is the latest in a growing pattern of supply chain attacks targeting the npm ecosystem. Organizations should seriously consider implementing dependency review processes and using tools like Socket.dev to detect suspicious package behavior.
Dev Tools Editor
Developer tools editor and open source advocate. Writes about frameworks, languages, and the culture of building software. Contributor to several popular OSS projects.