CVE-2025-59039: 
JavaScript vulnerability analysis and mitigation

CVE-2025-59039 affects Prebid Universal Creative (PUC), a JavaScript API used for rendering multiple formats. The vulnerability was discovered and disclosed on September 9, 2025, impacting PUC version 1.17.3 and users pointing to the 'latest' version. The issue involved crypto-related malware that was briefly distributed through npm, including through the popular jsdelivr hosting service (GitHub Advisory).

The vulnerability resulted from a successful account takeover of a developer's npm account, which allowed the attacker to publish malicious versions of the package. The compromised version (1.17.3) contained a backdoor specifically designed for cryptocurrency theft. The vulnerability has been assigned a CVSS 4.0 Base Score of 9.3 CRITICAL with the vector string CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N (GitHub Advisory).

The attack was part of a larger supply chain compromise affecting multiple popular npm packages, collectively receiving more than 2 billion downloads every week. The malicious code was designed to steal cryptocurrency and potentially other secrets. The compromise could lead to theft of API keys, tokens, sensitive credentials, and establishment of persistent backdoors for future attacks (Sonatype Blog).

The maintainers have unpublished version 1.17.3 from npm. Users are advised to transition to version 1.17.2 immediately if they are pointing to the 'latest' version. Additionally, users should review the Prebid.js 9 release notes for guidance on moving away from the deprecated workflow of using the PUC or pointing to a dynamic version (GitHub Advisory).