CVE-2025-59330: 
JavaScript vulnerability analysis and mitigation

On September 8, 2025, the npm package error-ex version 1.3.3 was compromised after a phishing attack targeting the maintainer's publishing account. The package, which allows error subclassing and stack customization, was modified to include malicious code while maintaining identical functionality to the previous patch version (GitHub Advisory).

The malicious version 1.3.3 contained a payload that attempted to redirect cryptocurrency transactions to attacker-controlled addresses specifically within browser environments. The attack only targeted browser contexts where the package was used either through direct inclusion or via bundling tools like Babel, Rollup, Vite, and Next.js. Local environments, server environments, and command line applications were not affected. The malware specifically targeted cryptocurrency transactions and wallets such as MetaMask (Socket Blog).

The compromised package error-ex receives approximately 47.17 million downloads per week, making this a significant supply chain attack. The malware specifically impacted users who integrated the package in browser environments, potentially compromising cryptocurrency transactions by redirecting them to attacker-controlled addresses (Aikido Blog).

npm removed the malicious package from the registry on September 8, preventing further downloads. On September 13, the package owner published version 1.3.4 to help cache-bust private registries that might still have the compromised version cached. Users should update to the latest patch version, completely remove their node_modules directory, clean their package manager's global cache, and rebuild any browser bundles from scratch. Those operating private registries or registry mirrors should purge the offending versions from their caches (GitHub Advisory).

The incident was widely discussed in the security community, with multiple security firms and researchers publishing detailed analyses. The attack was part of a larger campaign that affected several popular npm packages, drawing significant attention to the ongoing challenges of supply chain security in the npm ecosystem (Debug Issue).