CVE-2025-59144: 
JavaScript vulnerability analysis and mitigation

On September 8, 2025, the npm publishing account for debug was compromised through a phishing attack. The attacker published version 4.4.2 of the debug package, which contained malicious code designed to redirect cryptocurrency transactions to attacker-controlled addresses in browser environments. The package receives approximately 357.6 million downloads per week, making this a significant supply chain security incident (GitHub Advisory, Socket Blog).

The malicious version 4.4.2 was functionally identical to the previous patch version but included additional code that would execute in browser environments. The malware specifically targeted cryptocurrency transactions and wallets like MetaMask, attempting to redirect funds to attacker-controlled addresses. The attack only affected browser contexts, whether through direct inclusion or via bundling tools such as Babel, Rollup, Vite, and Next.js. Local environments, server environments, and command line applications were not impacted. The vulnerability has been assigned a CVSS v4.0 score of 8.8 (HIGH) with the vector string CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N/E:A/U:Red (GitHub Advisory).

The compromised package potentially affected any web application using the debug package version 4.4.2 in a browser context. Given the package's popularity with 357.6 million weekly downloads, the potential impact was significant. The malware specifically targeted cryptocurrency transactions, attempting to redirect funds to attacker-controlled wallets without any obvious signs to users (Socket Blog).

npm removed the malicious package from the registry on September 8, preventing further downloads. On September 13, the package owner published version 4.4.3 to help cache-bust private registries that might still have the compromised version cached. Users should upgrade to the latest patch version, completely remove their node_modules directory, clean their package manager's global cache, and rebuild any browser bundles from scratch. Organizations operating private registries or registry mirrors should purge the offending versions from their caches (GitHub Advisory).

The security community quickly responded to the incident, with multiple security firms and researchers publishing analyses and alerts. The incident highlighted the ongoing risks of supply chain attacks in the npm ecosystem and the effectiveness of sophisticated phishing attacks, even against experienced maintainers (Socket Blog, Aikido Blog).