CVE-2025-59162: 
JavaScript vulnerability analysis and mitigation

CVE-2025-59162 affects the color-convert npm package, discovered on September 8, 2025. The vulnerability emerged when the npm publishing account for color-convert was compromised through a phishing attack. Version 3.1.1 was published containing malicious code that attempts to redirect cryptocurrency transactions to attacker-controlled addresses within browser environments (GitHub Advisory).

The malicious version 3.1.1 was functionally identical to the previous patch version but included a malware payload specifically targeting browser environments. The malware only activates in browser contexts, whether through direct inclusion or via bundling tools like Babel, Rollup, Vite, or Next.js. The payload is designed to intercept and manipulate cryptocurrency transactions, particularly targeting cryptocurrency wallets such as MetaMask (Socket Blog).

The compromised package receives approximately 193.5 million downloads per week, making this a significant supply chain attack. The malware specifically targets cryptocurrency transactions in browser environments, attempting to redirect funds to attacker-controlled addresses. Local environments, server environments, and command line applications are not affected by this vulnerability (Socket Blog).

npm removed the malicious package version from the registry on September 8, preventing further downloads. On September 13, the package owner published version 3.1.2 to help cache-bust private registries that might still have the compromised version cached. Users should update to the latest patch version, completely remove their node_modules directory, clean their package manager's global cache, and rebuild any browser bundles from scratch. Those operating private registries or registry mirrors should purge the offending versions from any caches (GitHub Advisory).

The incident has been widely discussed in the security community, with multiple security firms and researchers analyzing and reporting on the compromise. The attack was particularly notable as it targeted a popular package with billions of weekly downloads, demonstrating the potential impact of supply chain attacks in the npm ecosystem (Socket Blog, Debug Issue).