CVE-2025-59140: 
JavaScript vulnerability analysis and mitigation

On September 8, 2025, the npm publishing account for backslash was compromised through a phishing attack. The attacker published version 0.2.1, which was functionally identical to the previous patch version but contained a malicious payload designed to redirect cryptocurrency transactions to attacker-controlled addresses within browser environments (GitHub Advisory, Socket Blog).

The malicious version 0.2.1 contained code that would execute in browser contexts only, targeting cryptocurrency transactions and wallets like MetaMask. The malware was designed to intercept and manipulate wallet interactions, specifically rewriting payment destinations to redirect funds to attacker-controlled accounts. Local environments, server environments, and command line applications were not affected by this exploit (GitHub Advisory, Aikido Blog).

The compromised package backslash receives approximately 260,000 downloads per week. The vulnerability only affects applications using the package in a browser context, such as through direct inclusion or via bundling tools like Babel, Rollup, Vite, and Next.js. The malware specifically targets cryptocurrency transactions, attempting to redirect funds to attacker-controlled wallets (Socket Blog).

npm removed the malicious package version from the registry on September 8, preventing further downloads. On September 13, the package owner published version 0.2.2 to help cache-bust private registries that might still have the compromised version cached. Users should upgrade to the latest patch version, completely remove their node_modules directory, clean their package manager's global cache, and rebuild any browser bundles from scratch. Those operating private registries or registry mirrors should purge the offending versions from any caches (GitHub Advisory).

The incident was widely reported across the security community, with multiple security firms and researchers analyzing and documenting the attack. The compromise was part of a larger supply chain attack that affected multiple popular npm packages, drawing significant attention to the ongoing challenges of supply chain security in the npm ecosystem (Socket Blog, Aikido Blog).