CVE-2025-59144: 
JavaScript vulnerability analysis and mitigation

On September 8, 2025, the npm publishing account for debug was compromised through a phishing attack. The attacker published version 4.4.2, which was functionally identical to the previous patch version but contained malware designed to redirect cryptocurrency transactions to attacker-controlled addresses when used in browser environments. The vulnerability affects browser-based applications using the debug package, particularly those using direct inclusion or bundling tools like Babel, Rollup, Vite, and Next.js (GitHub Advisory, Socket Blog).

The malicious code was specifically designed to target browser environments while leaving local environments, server environments, and command line applications unaffected. The malware payload was obfuscated and focused on intercepting and redirecting cryptocurrency transactions, particularly targeting cryptocurrency wallets such as MetaMask. The vulnerability has been assigned CVE-2025-59144 and is classified under CWE-506 (Embedded Malicious Code) (GitHub Advisory).

The compromised package potentially affects any web application using debug version 4.4.2 in a browser context. The malware specifically targets cryptocurrency transactions, attempting to redirect funds to attacker-controlled addresses. With debug being a widely-used package receiving hundreds of millions of downloads per week, the potential impact is significant, particularly for applications handling cryptocurrency transactions (Socket Blog).

npm removed the malicious package from the registry on September 8, preventing further downloads. On September 13, the package owner published version 4.4.3 to help cache-bust private registries that might still have the compromised version cached. Users should upgrade to the latest patch version, completely remove their node_modules directory, clean their package manager's global cache, and rebuild any browser bundles from scratch. Organizations operating private registries or registry mirrors should purge the offending versions from their caches (GitHub Advisory).

The security community responded quickly to the incident, with multiple security firms and researchers publishing analyses and alerts. The compromise was particularly notable as it affected a highly popular npm package maintained by a prolific contributor, highlighting the ongoing risks of supply chain attacks in the JavaScript ecosystem (Socket Blog, Aikido Blog).