CVE-2025-59331: 
JavaScript 脆弱性の分析と軽減

On September 8, 2025, the npm publishing account for is-arrayish was compromised through a phishing attack. The attacker published version 0.3.3, which was functionally identical to the previous patch version but contained a malicious payload designed to redirect cryptocurrency transactions to attacker-controlled addresses from within browser environments (GitHub Advisory, Aikido Blog).

The malicious version 0.3.3 contained obfuscated code that would execute in browser environments, targeting cryptocurrency and web3 activity. The malware specifically intercepted crypto transactions and manipulated wallet interactions to redirect funds and approvals to attacker-controlled accounts without obvious signs to the user. Local environments, server environments, and command line applications were not affected. The vulnerability has been assigned a CVSS v4.0 score of 8.8 (HIGH) with vector string CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N/E:A/U:Red (GitHub Advisory).

The compromised package primarily affected browser-based applications using the package either directly or through bundling tools like Babel, Rollup, Vite, and Next.js. The malware specifically targeted cryptocurrency transactions and wallets such as MetaMask, attempting to redirect funds to attacker-controlled addresses (GitHub Advisory, Socket Blog).

npm removed the malicious package (version 0.3.3) from the registry on September 8, preventing further downloads. On September 13, the package owner published version 0.3.4 to help cache-bust private registries that might still have the compromised version cached. Users should update to version 0.3.4, completely remove their node_modules directory, clean their package manager's global cache, and rebuild any browser bundles from scratch. Those operating private registries or registry mirrors should purge the offending versions from any caches (GitHub Advisory).

The incident was widely reported across the security community, with multiple security firms and researchers publishing analyses. The compromise was part of a larger supply chain attack affecting multiple popular npm packages, drawing significant attention to the ongoing challenges of securing package management systems (Socket Blog, Aikido Blog).