CVE-2025-59330: 
JavaScript vulnerability analysis and mitigation

On September 8, 2025, the npm publishing account for error-ex was compromised through a phishing attack. Version 1.3.3 was published containing malware that attempted to redirect cryptocurrency transactions to attacker-controlled addresses when used in browser environments. The package error-ex, which allows error subclassing and stack customization, receives approximately 47 million downloads per week (Socket Blog).

The malicious version 1.3.3 was functionally identical to the previous patch version but included an obfuscated malware payload. The malware only activates in browser environments and targets cryptocurrency transactions and wallets like MetaMask. It does not affect local environments, server environments, or command line applications. The vulnerability has been assigned a CVSS v4.0 score of 8.8 HIGH with vector string CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N/E:A/U:Red (NVD).

The malware attempts to intercept and redirect cryptocurrency transactions to attacker-controlled wallets without any obvious signs to the user. This affects any applications that use the compromised package version in a browser context, whether through direct inclusion or via bundling tools like Babel, Rollup, Vite, or Next.js (GitHub Advisory).

npm removed the malicious package from the registry on September 8, preventing further downloads. On September 13, the package owner published version 1.3.4 to help cache-bust private registries that might still have the compromised version. Users should update to the latest patch version, completely remove their node_modules directory, clean their package manager's global cache, and rebuild any browser bundles from scratch. Those operating private registries should purge the compromised version 1.3.3 from their caches (GitHub Advisory).

The incident was part of a larger supply chain attack that affected multiple popular npm packages maintained by the same author. The security community tracked and responded to the incident through various channels, including GitHub issues and security advisories. The compromised packages collectively receive billions of downloads per week, highlighting the potential impact of such supply chain attacks (Socket Blog).