Back to directory

WRITEUP #6615

First Week, First Hack: Compromising a Package with 40 Million Weekly Downloads

Web SecurityRCESupply Chain Attack

byGarance de la Brosse

Program

Self-managed

Published

Apr 2, 2026

Added to HackDex

Apr 2, 2026

Read Full Writeuphttps://www.landh.tech/blog/20260402-img-colour-supply-chain-hack/

▸ RELATED WRITEUPS

Vulnerabilities in Open Source C2 Frameworks

RCEOS command injection

[2,500$ Bug Bounty Write-Up] Remote Code Execution (RCE) via unclaimed Node package

RCEDependency confusion

Attacking PowerShell CLIXML Deserialization

DeserializationInsecure deserialization

Zero-Click Calendar invite — Critical zero-click vulnerability chain in macOS

RCEArbitrary file write

We Spent $20 To Achieve RCE And Accidentally Became The Admins Of .MOBI

Built with ❤️ by Shubham Rawat