
CVE-2025-59140: CWE-506: Embedded Malicious Code in Qix- node-backslash

Severity: High
Published: Mon Sep 15 2025 (09/15/2025, 19:09:53 UTC)
Source: CVE Database V5
Vendor/Project: Qix-
Product: node-backslash

Description

backslash parses collected strings with escapes. On 8 September 2025, the npm publishing account for backslash was taken over after a phishing attack. Version 0.2.1 was published, functionally identical to the previous patch version, but with a malware payload added attempting to redirect cryptocurrency transactions to the attacker's own addresses from within browser environments. Local environments, server environments, command line applications, etc. are not affected. If the package was used in a browser context (e.g. a direct <script> inclusion, or via a bundling tool such as Babel, Rollup, Vite, Next.js, etc.) there is a chance the malware still exists and such bundles will need to be rebuilt. The malware seemingly only targets cryptocurrency transactions and wallets such as MetaMask. npm removed the offending package from the registry over the course of the day on 8 September, preventing further downloads from npm proper. On 13 September, the package owner published new patch versions to help cache-bust those using private registries who might still have the compromised version cached. Users should upgrade to the latest patch version, completely remove their node_modules directory, clean their package manager's global cache, and rebuild any browser bundles from scratch. Those operating private registries or registry mirrors should purge the offending versions from any caches. This issue is resolved in 0.2.2.

AI-Powered Analysis

Last updated: 09/23/2025, 01:06:17 UTC

Technical Analysis

CVE-2025-59140 is a high-severity supply chain vulnerability affecting the npm package 'node-backslash' maintained by the Qix- project. The vulnerability arises from a malicious code injection in version 0.2.1 of the package, which was published after the npm publishing account was compromised via a phishing attack on September 8, 2025. The malicious payload embedded in this version targets browser environments specifically, attempting to intercept and redirect cryptocurrency transactions to attacker-controlled addresses. This attack vector exploits the package's use in client-side JavaScript contexts, such as direct script inclusion or through bundling tools like Babel, Rollup, Vite, or Next.js. Importantly, server-side, local, or command-line environments using this package are not affected. The malware focuses on cryptocurrency wallets such as MetaMask, aiming to hijack transaction flows within the browser. The compromised package was promptly removed from the npm registry on the same day, and subsequent patch version 0.2.2 was released on September 13 to remediate the issue and assist users in cache busting. The CVSS 4.0 score of 8.8 reflects the high impact and ease of exploitation without authentication or user interaction, with a significant impact on the integrity of cryptocurrency transactions. Organizations using this package in browser contexts must ensure they upgrade to the fixed version, clear caches, remove node_modules directories, and rebuild all browser bundles to eliminate the malicious code. Private registries and mirrors must also purge cached compromised versions to prevent further exposure.

Potential Impact

For European organizations, the impact of this vulnerability is significant, especially for those involved in cryptocurrency transactions or developing web applications that integrate cryptocurrency wallet interactions within browsers. The malicious code compromises transaction integrity by redirecting funds to attacker-controlled wallets, potentially leading to direct financial losses. Since the attack targets client-side environments, any web application or service that bundles the compromised package for browser use is at risk. This could affect fintech companies, cryptocurrency exchanges, blockchain service providers, and any enterprise offering browser-based crypto wallet integrations. The reputational damage and regulatory implications under GDPR and other European data protection laws could be severe if customer funds are stolen or if the breach leads to data exposure. Additionally, organizations relying on private npm registries or mirrors may unknowingly continue to distribute the compromised package, extending the threat's reach. The swift removal of the package from the public npm registry mitigates further spread, but the persistence of cached versions in private environments remains a concern.

Mitigation Recommendations

1. Immediately upgrade all instances of node-backslash to version 0.2.2 or later.
2. Completely remove the node_modules directory and any lock files (package-lock.json or yarn.lock) to ensure no residual compromised code remains.
3. Clear all package manager caches globally (npm cache clean --force) and locally, including private registries and mirrors, to prevent inadvertent reinstallation of the malicious version.
4. Rebuild all browser bundles from scratch using clean environments to eliminate embedded malicious payloads.
5. Audit all web applications and browser-based tools that use node-backslash, especially those handling cryptocurrency wallets or transactions, to verify no malicious code persists.
6. Monitor network traffic for suspicious redirection attempts or unauthorized cryptocurrency transactions.
7. Educate development and DevOps teams about phishing risks to prevent future account compromises.
8. Implement strict access controls and multi-factor authentication on npm publishing accounts and private registries.
9. Employ supply chain security tools that verify package integrity and provenance before deployment.
10. For organizations running private npm registries or mirrors, purge all cached versions of node-backslash 0.2.1 and enforce policies to prevent use of compromised versions.
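The audit step above is where most teams lose time, because the compromised copy may be a nested duplicate rather than the top-level entry. As an added example (not code from the advisory or from the node-backslash project), the Node.js script below walks a package-lock.json (v1 and v2/v3 layouts) and a yarn.lock (v1 text format) and reports every installed copy of backslash pinned at the compromised release, including copies nested under other dependencies. Only the affected version 0.2.1 comes from the advisory; the project names, lockfile contents and the placeholder integrity value are constructed.

```javascript
// Added example for this advisory, not code from node-backslash or the advisory.
// Audits npm and yarn lockfiles for the compromised backslash release so you know
// which dependency trees to purge and which browser bundles must be rebuilt.
// Version 0.2.1 comes from the advisory; all lockfile data below is constructed.

const COMPROMISED_VERSIONS = { backslash: new Set(["0.2.1"]) };

// package-lock.json v2/v3 lists every installed copy under "packages", keyed by
// its on-disk path, so nested duplicates ("node_modules/x/node_modules/backslash")
// are caught too. v1 lockfiles nest them under "dependencies" instead.
function auditPackageLock(lock, compromised = COMPROMISED_VERSIONS) {
  const hits = [];
  const record = (name, version, where) => {
    if (compromised[name] && compromised[name].has(version)) {
      hits.push({ name, version, where });
    }
  };
  if (lock.packages) {
    for (const [path, entry] of Object.entries(lock.packages)) {
      // The text after the last "node_modules/" is the package name (scope included).
      const name = entry.name || path.split("node_modules/").pop();
      record(name, entry.version, path);
    }
    return hits;
  }
  const walk = (deps, prefix) => {
    for (const [name, entry] of Object.entries(deps || {})) {
      const where = `${prefix}node_modules/${name}`;
      record(name, entry.version, where);
      walk(entry.dependencies, `${where}/`);
    }
  };
  walk(lock.dependencies, "");
  return hits;
}

// yarn.lock (v1 format) is not JSON: each entry starts at column 0 with the
// requested ranges ("backslash@^0.2.0, backslash@~0.2.1:") and the resolved
// version sits on an indented "version" line below it.
function auditYarnLock(text, compromised = COMPROMISED_VERSIONS) {
  const hits = [];
  for (const block of text.split(/\n(?=\S)/)) {
    const lines = block.split("\n");
    const header = lines[0].trim();
    if (!header.endsWith(":") || header.startsWith("#")) continue;
    const firstSpec = header.slice(0, -1).split(",")[0].trim().replace(/^"|"$/g, "");
    const name = firstSpec.slice(0, firstSpec.lastIndexOf("@")); // keeps "@scope/" prefix
    const versionLine = lines.find((l) => l.trim().startsWith("version "));
    if (!versionLine) continue;
    const version = versionLine.trim().split(/\s+/)[1].replace(/^"|"$/g, "");
    if (compromised[name] && compromised[name].has(version)) {
      hits.push({ name, version, where: header.slice(0, -1) });
    }
  }
  return hits;
}

// Constructed sample lockfiles: not real projects, no real integrity hashes.
const SAMPLE_PACKAGE_LOCK = {
  name: "example-web-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "example-web-app", version: "1.0.0" },
    "node_modules/backslash": { version: "0.2.1" }, // compromised release
    "node_modules/some-cli-tool": { version: "3.1.0" },
    "node_modules/some-cli-tool/node_modules/backslash": { version: "0.2.0" }, // clean
  },
};

const SAMPLE_YARN_LOCK = `# THIS IS AN AUTOGENERATED FILE. DO NOT EDIT THIS FILE DIRECTLY.
# yarn lockfile v1


backslash@^0.2.0:
  version "0.2.1"
  resolved "https://registry.yarnpkg.com/backslash/-/backslash-0.2.1.tgz"
  integrity sha512-PLACEHOLDER

"@example/widgets@^1.0.0":
  version "1.0.3"
`;

// One line per finding, so the output can be pasted into an incident ticket.
function summarize(hits) {
  if (hits.length === 0) return "no compromised backslash versions found in lockfile";
  return hits.map((h) => `${h.name}@${h.version} at ${h.where || "<root>"}`).join("\n");
}

console.log("package-lock.json:", summarize(auditPackageLock(SAMPLE_PACKAGE_LOCK)));
console.log("yarn.lock:", summarize(auditYarnLock(SAMPLE_YARN_LOCK)));
```

Run it against your real lockfiles (read them with `fs.readFileSync` and `JSON.parse` for package-lock.json) before deleting node_modules, so the findings are recorded. A lockfile that no longer references 0.2.1 says nothing about bundles built earlier, which is why the advisory insists on rebuilding browser bundles from a clean environment rather than trusting the dependency tree alone.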


Technical Details

Data Version: 5.1
Assigner Short Name: GitHub_M
Date Reserved: 2025-09-09T15:23:16.326Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 68c866d82e2c3e5d6abeeda7

Added to database: 9/15/2025, 7:19:52 PM

Last enriched: 9/23/2025, 1:06:17 AM

Last updated: 11/3/2025, 10:20:54 PM

