Another attack on the NPM supply chain: @ctrl/tinycolor releases a malicious version

PANews reported on September 16th that Scam Sniffer detected another attack targeting the npm supply chain. @ctrl/tinycolor (downloaded 2.2 million times weekly) released a malicious version that runs an information stealer from npm's postinstall script to scan for and exfiltrate sensitive data. The malicious payload abuses TruffleHog, a legitimate secret-scanning tool, to do the scanning. Please check whether you have installed the affected version, suspend installation and updates of the package, and pin it to a known safe version.
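As an added example (not from PANews or the @ctrl/tinycolor project), the script below shows how the advice above can be checked mechanically: it lists every copy of a package recorded in a `package-lock.json` (lockfileVersion 2 or 3, nested copies included), flags install-time lifecycle scripts in an installed `package.json`, and compares installed versions against a pinned allow-list. The lockfile, package.json and version numbers are constructed sample data, and `KNOWN_SAFE_VERSION` is a placeholder for the release you actually pin to.

```python
import json

def find_package_versions(lockfile_text: str, name: str) -> dict:
    """Return {install_path: version} for every copy of `name` recorded in a
    lockfileVersion 2/3 package-lock.json, nested copies included."""
    lock = json.loads(lockfile_text)
    found = {}
    for path, meta in lock.get("packages", {}).items():
        # The top-level copy lives at "node_modules/<name>"; copies nested under
        # another dependency end in "/node_modules/<name>".
        if path == f"node_modules/{name}" or path.endswith(f"/node_modules/{name}"):
            found[path] = meta.get("version", "?")
    return found

def has_install_scripts(package_json_text: str) -> list:
    """Names of lifecycle scripts npm runs automatically during install; a
    postinstall hook in a package that never needed one deserves a look."""
    scripts = json.loads(package_json_text).get("scripts", {})
    return [s for s in ("preinstall", "install", "postinstall") if s in scripts]

def unapproved_installs(found: dict, approved_versions: set) -> list:
    """Install paths whose version is not on the pinned allow-list."""
    return sorted(p for p, v in found.items() if v not in approved_versions)

# Constructed sample data so the script runs stand-alone; the version numbers
# are placeholders, not the advisory's affected or safe releases.
SAMPLE_LOCK = json.dumps({
    "name": "demo-app", "lockfileVersion": 3,
    "packages": {
        "": {"dependencies": {"@ctrl/tinycolor": "^4.0.0"}},
        "node_modules/@ctrl/tinycolor": {"version": "4.1.0"},
        "node_modules/some-lib/node_modules/@ctrl/tinycolor": {"version": "4.1.1"},
    },
})
SAMPLE_PKG_JSON = json.dumps({
    "name": "@ctrl/tinycolor", "version": "4.1.1",
    "scripts": {"build": "tsc", "postinstall": "node setup.js"},
})

if __name__ == "__main__":
    versions = find_package_versions(SAMPLE_LOCK, "@ctrl/tinycolor")
    for path, version in versions.items():
        print(f"{path}: {version}")
    print("install scripts:", has_install_scripts(SAMPLE_PKG_JSON))
    # KNOWN_SAFE_VERSION is a placeholder for the release you pin to.
    print("needs review:", unapproved_installs(versions, {"KNOWN_SAFE_VERSION"}))
```

While investigating, `npm ci --ignore-scripts` installs the locked tree without running any lifecycle hooks, so a suspect postinstall cannot execute.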


Author: PA一线
