CVE-2025-59162: 
JavaScript vulnerability analysis and mitigation

On September 8, 2025, the npm publishing account for color-convert was compromised through a phishing attack. The attacker published version 3.1.1, which was functionally identical to the previous patch version but contained a malicious payload designed to redirect cryptocurrency transactions to attacker-controlled addresses within browser environments (GitHub Advisory, Socket Blog).

The malicious version 3.1.1 contained obfuscated code that only activated in browser environments, leaving local environments, server environments, and command line applications unaffected. The malware specifically targeted cryptocurrency transactions and wallets like MetaMask, attempting to intercept and redirect funds to attacker-controlled addresses. The package receives approximately 193.5 million downloads per week, making this a significant supply chain attack (Socket Blog).

The vulnerability affects applications using color-convert in browser contexts, particularly through bundling tools like Babel, Rollup, Vite, and Next.js. The malware specifically targets cryptocurrency transactions, attempting to redirect funds to attacker-controlled wallets without user awareness. Given the package's widespread use with billions of weekly downloads, the potential impact is substantial (GitHub Advisory).

npm removed the malicious package from the registry on September 8, preventing further downloads. On September 13, the package owner published version 3.1.2 to help cache-bust private registries that might still have the compromised version. Users should update to the latest patch version, completely remove their node_modules directory, clean their package manager's global cache, and rebuild any browser bundles from scratch. Those operating private registries should purge the offending versions from their caches (GitHub Advisory).

The incident was widely discussed in the security community, particularly due to its impact on the JavaScript ecosystem. The compromise was initially detected by Socket's security monitoring system and quickly reported across various security platforms. The incident highlighted the ongoing challenges of supply chain security in the npm ecosystem (Socket Blog, Aikido Blog).