Wiz Agents & Workflows are here
Wiz
Vulnerability DatabaseCVE-2025-59145

CVE-2025-59145
JavaScript vulnerability analysis and mitigation

Overview

On September 8, 2025, the npm package color-name was compromised when an attacker gained access to the maintainer's publishing account through a phishing attack. Version 2.0.1 was published containing malware that attempts to redirect cryptocurrency transactions to attacker-controlled addresses when used in browser environments (GitHub Advisory, Socket Blog).

Technical details

The malicious version 2.0.1 was functionally identical to the previous patch version but included an obfuscated malware payload. The malware only activates in browser environments and targets cryptocurrency transactions, specifically attempting to intercept and redirect payments to attacker-controlled wallets. The package has a CVSS v4.0 score of 8.8 (HIGH) with vector string CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N/E:A/U:Red (GitHub Advisory).

Impact

The compromised package primarily affects browser-based applications using color-name, particularly those handling cryptocurrency transactions. Local environments, server environments, and command line applications are not affected. The package receives approximately 191.71 million downloads per week, creating a significant potential impact surface (Socket Blog).

Mitigation and workarounds

npm removed the malicious package from the registry on September 8, preventing further downloads. On September 13, the package owner published version 2.0.2 to help cache-bust private registries that might still have the compromised version. Users should update to the latest patch version, completely remove their node_modules directory, clean their package manager's global cache, and rebuild any browser bundles from scratch. Those operating private registries should purge the offending versions from their caches (GitHub Advisory).

Community reactions

The incident was part of a larger supply chain attack affecting multiple popular npm packages maintained by the same author. The attack was discovered and reported by several security firms and researchers, highlighting the ongoing challenges of supply chain security in the npm ecosystem (Socket Blog).

Additional resources

SourceThis report was generated using AI

Related JavaScript vulnerabilities:

CVE ID

Severity

Score

Technologies

Component name

CISA KEV exploit

Has fix

Published date

CVE-2026-34156CRITICAL9.9
  • JavaScriptJavaScript
  • @nocobase/plugin-workflow-javascript
NoYesMar 30, 2026
CVE-2026-34363HIGH8.2
  • JavaScriptJavaScript
  • parse-server
NoYesMar 30, 2026
CVE-2026-33949HIGH8.1
  • JavaScriptJavaScript
  • @tinacms/graphql
NoYesMar 30, 2026
CVE-2026-34043MEDIUM5.9
  • JavaScriptJavaScript
  • serialize-javascript
NoYesMar 31, 2026
CVE-2026-34373MEDIUM5.3
  • JavaScriptJavaScript
  • parse-server
NoYesMar 30, 2026

Free Vulnerability Assessment

Benchmark your Cloud Security Posture

Evaluate your cloud security practices across 9 security domains to benchmark your risk level and identify gaps in your defenses.

Request assessment

Additional Wiz resources

Cloud Vulnerability DB

Cloud Vulnerability DB

A community-led vulnerabilities database

Cloud Threat Landscape

Cloud Threat Landscape

A threat intelligence database

PEACH

PEACH

A tenant isolation framework

Get a personalized demo

Ready to see Wiz in action?

"Best User Experience I have ever seen, provides full visibility to cloud workloads."
David EstlickCISO
"Wiz provides a single pane of glass to see what is going on in our cloud environments."
Adam FletcherChief Security Officer
"We know that if Wiz identifies something as critical, it actually is."
Greg PoniatowskiHead of Threat and Vulnerability Management
Get a demo