CVE-2025-59145: 
JavaScript 脆弱性の分析と軽減

On September 8, 2025, the npm package color-name (receiving approximately 191.71 million downloads per week) was compromised when its publishing account was taken over through a phishing attack. Version 2.0.1 was published containing malicious code that attempted to redirect cryptocurrency transactions to attacker-controlled addresses when used in browser environments (Socket Blog, GitHub Advisory).

The malicious version 2.0.1 was functionally identical to the previous patch version but included additional code that would execute in browser contexts. The malware specifically targeted cryptocurrency transactions and wallets like MetaMask, attempting to manipulate wallet interactions and rewrite payment destinations to redirect funds to attacker-controlled accounts. The vulnerability has been assigned CVE-2025-59145 with a CVSS v4.0 score of 8.8 (HIGH) (NVD, GitHub Advisory).

The malware only affects browser environments where the package is used directly or via bundling tools like Babel, Rollup, Vite, or Next.js. Local environments, server environments, and command line applications are not affected. The package's high download count of 191.71 million weekly downloads significantly amplifies the potential impact of this supply chain attack (Socket Blog).

npm removed the malicious package from the registry on September 8, preventing further downloads. On September 13, the package owner published version 2.0.2 as a clean update. Users should update to the latest patch version, completely remove their node_modules directory, clean their package manager's global cache, and rebuild any browser bundles from scratch. Those operating private registries or registry mirrors should purge the compromised versions from their caches (GitHub Advisory).

The incident was part of a larger supply chain attack affecting multiple popular npm packages. The security community quickly responded with detailed analyses and alerts about the compromise. The attack garnered significant attention due to its sophisticated nature and the popularity of the targeted packages (Socket Blog, Aikido Blog).