
CVE-2025-59141: CWE-506: Embedded Malicious Code in Qix- node-simple-swizzle

Severity: High
Tags: Vulnerability, CVE-2025-59141, CWE-506
Published: Mon Sep 15 2025 (09/15/2025, 19:09:58 UTC)
Source: CVE Database V5
Vendor/Project: Qix-
Product: node-simple-swizzle

Description

simple-swizzle swizzles function arguments. On 8 September 2025, the npm publishing account for simple-swizzle was taken over after a phishing attack. Version 0.2.3 was published, functionally identical to the previous patch version, but with a malware payload added attempting to redirect cryptocurrency transactions to the attacker's own addresses from within browser environments. Local environments, server environments, command line applications, etc. are not affected. If the package was used in a browser context (e.g. a direct <script> inclusion, or via a bundling tool such as Babel, Rollup, Vite, Next.js, etc.) there is a chance the malware still exists and such bundles will need to be rebuilt. The malware seemingly only targets cryptocurrency transactions and wallets such as MetaMask. npm removed the offending package from the registry over the course of the day on 8 September, preventing further downloads from npm proper. On 13 September, the package owner published new patch versions to help cache-bust those using private registries who might still have the compromised version cached. Users should update to the latest patch version, completely remove their node_modules directory, clean their package manager's global cache, and rebuild any browser bundles from scratch. Those operating private registries or registry mirrors should purge the offending versions from any caches. This issue is resolved in 0.2.4.

AI-Powered Analysis

AILast updated: 09/23/2025, 01:06:30 UTC

Technical Analysis

CVE-2025-59141 is a high-severity supply chain vulnerability affecting the npm package 'simple-swizzle' (repository node-simple-swizzle), maintained by Qix-. The package swizzles function arguments and is used mainly in JavaScript environments. On September 8, 2025, attackers phished the maintainer's npm publishing account and published version 0.2.3 with a malicious payload. This version is functionally identical to the previous release, but it embeds malware that targets cryptocurrency transactions in browser environments: it attempts to intercept and redirect transactions, such as those made through MetaMask wallets, to attacker-controlled addresses. The malicious code activates only in browser contexts, for example when the package is included directly via <script> tags or bundled with tools such as Babel, Rollup, Vite, or Next.js; server-side, local, and command-line uses of the package are not affected. The npm registry removed the compromised version the same day to prevent further downloads. On September 13, the package owner released version 0.2.4 to remediate the issue and to cache-bust private registries that might still hold the compromised version. Users are advised to update to 0.2.4, delete their node_modules directories, clear package manager caches, and rebuild all browser bundles from scratch; private registries and mirrors should purge any cached copy of the compromised version. The vulnerability is classified under CWE-506 (Embedded Malicious Code), highlighting the risk of supply chain compromise through malicious code injected into a trusted dependency. The CVSS 4.0 score is 8.8 (high), reflecting the network attack vector, no required privileges or user interaction, and significant impact on the confidentiality and integrity of cryptocurrency assets in browser environments.

Potential Impact

European organizations using 'node-simple-swizzle' in browser-based JavaScript applications that handle or interact with cryptocurrency wallets are at risk of financial theft through transaction redirection. This threat primarily impacts web applications that bundle this package for client-side execution, potentially affecting fintech companies, cryptocurrency exchanges, blockchain startups, and any enterprise integrating crypto payment or wallet functionalities in their web platforms. The compromise could lead to direct financial losses, erosion of customer trust, and reputational damage. Since the malware does not affect server-side or local environments, backend systems remain secure from this specific threat vector. However, organizations relying on continuous integration and deployment pipelines that bundle front-end code must ensure that compromised versions are not propagated to production. The supply chain nature of this attack underscores the risk of indirect compromise through trusted dependencies, emphasizing the need for rigorous software supply chain security practices. Additionally, organizations operating private npm registries or mirrors in Europe must proactively purge cached malicious versions to prevent inadvertent distribution. The incident also highlights the importance of securing developer accounts against phishing to prevent similar future compromises.

Mitigation Recommendations

1. Immediately update 'node-simple-swizzle' to version 0.2.4 or later to obtain the patched, clean version.
2. Completely remove the node_modules directory and clear all package manager caches (npm, yarn, pnpm) to eliminate cached compromised packages.
3. Rebuild all browser bundles from scratch, ensuring that bundlers such as Babel, Rollup, Vite, or Next.js no longer include the malicious code.
4. Audit all front-end projects to identify any usage of 'node-simple-swizzle' in browser contexts and verify that no compromised versions remain in production.
5. For organizations using private npm registries or mirrors, purge all cached instances of version 0.2.3 to prevent accidental distribution.
6. Implement multi-factor authentication (MFA) and phishing-resistant security measures on all developer and maintainer accounts to prevent future account takeovers.
7. Integrate software supply chain security tools such as Snyk or GitHub Dependabot alerts to detect and respond rapidly to compromised dependencies.
8. Educate development teams on the risks of supply chain attacks and enforce strict code review and dependency vetting processes.
9. Monitor blockchain transactions associated with organizational wallets for unusual redirections or anomalies.
10. Consider isolating cryptocurrency wallet interactions to dedicated, hardened environments to reduce exposure.
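Steps 1 to 5 above amount to one procedure: find every lockfile that still resolves the package to 0.2.3, then reinstall and rebuild the affected projects. The following script is an added example written for this page; it is not the advisory's or the simple-swizzle project's own code. It assumes the package's npm name is simple-swizzle (the description's name for the node-simple-swizzle repository), that lockfiles are npm package-lock.json (v1, v2 or v3), npm-shrinkwrap.json or yarn classic yarn.lock, and that the project exposes an npm "build" script for the bundle rebuild. The sample lockfile tree it writes is constructed for the demonstration and is not real project data.

```shell
#!/bin/sh
# Audit and remediation helper for the simple-swizzle 0.2.3 compromise.
# Example code added for this page, not from the advisory or the simple-swizzle
# project. Assumptions: npm package-lock.json (v1/v2/v3), npm-shrinkwrap.json
# or yarn classic yarn.lock; the npm package name is "simple-swizzle" (the
# node-simple-swizzle repository). Only POSIX sh, awk and find are used.

BAD_PKG="simple-swizzle"
BAD_VERSION="0.2.3"

# Exit 0 if the lockfile resolves simple-swizzle to the compromised 0.2.3,
# 1 otherwise. A line that opens the package's own entry, such as
#   "node_modules/simple-swizzle": {   (npm v2/v3)
#   "simple-swizzle": {                (npm v1)
#   simple-swizzle@^0.2.2:             (yarn)
# arms the scanner; the next "version" field is read as that entry's resolved
# version. Range references like "simple-swizzle": "^0.2.2" inside another
# package's dependency list never arm it.
lockfile_has_compromised() {
  awk -v pkg="$BAD_PKG" -v bad="$BAD_VERSION" '
    index($0, "/" pkg "\"") || index($0, "\"" pkg "\": {") || index($0, pkg "@") {
      inpkg = 1
    }
    inpkg && match($0, /version"?[: ]+"[0-9][^"]*"/) {
      v = substr($0, RSTART, RLENGTH)
      sub(/^version"?[: ]+"/, "", v)   # strip the key and opening quote
      sub(/"$/, "", v)                 # strip the closing quote
      if (v == bad) found = 1
      inpkg = 0
    }
    END { exit(found ? 0 : 1) }
  ' "$1"
}

# Walk a tree of checkouts, report each compromised lockfile on stderr and
# echo the count, so a CI job can fail when the count is non-zero.
count_compromised() {
  n=0
  while IFS= read -r f; do
    [ -n "$f" ] || continue
    if lockfile_has_compromised "$f"; then
      echo "COMPROMISED: $f resolves $BAD_PKG to $BAD_VERSION" >&2
      n=$((n + 1))
    fi
  done <<EOF
$(find "$1" -name package-lock.json -o -name npm-shrinkwrap.json -o -name yarn.lock)
EOF
  echo "$n"
}

# Advisory steps 1-3 for one project: move to the fixed release, drop
# node_modules and the package manager cache, reinstall, and rebuild the
# browser bundle from scratch (stale output may still embed the payload).
# Destructive, so the audit above never calls it. Assumes npm, yarn classic
# or pnpm, and an npm "build" script (assumption for this example).
remediate_project() {
  ( cd "$1" || exit 1
    rm -rf node_modules dist build .next
    if [ -f yarn.lock ]; then
      yarn cache clean && yarn upgrade "$BAD_PKG" && yarn install
    elif [ -f pnpm-lock.yaml ]; then
      pnpm store prune && pnpm update "$BAD_PKG" && pnpm install
    else
      npm cache clean --force && npm update "$BAD_PKG" && npm install
    fi
    npm run build )
}

# Constructed sample tree (not real project data): two lockfiles that still
# pin 0.2.3 and one already on the fixed 0.2.4, for exercising the scanner.
write_sample_lockfiles() {
  mkdir -p "$1/legacy-app" "$1/yarn-app" "$1/patched-app"
  cat > "$1/legacy-app/package-lock.json" <<'EOF'
{ "name": "legacy-app", "lockfileVersion": 3, "packages": {
    "node_modules/color-string": { "version": "1.9.1",
      "dependencies": { "simple-swizzle": "^0.2.2" } },
    "node_modules/simple-swizzle": {
      "version": "0.2.3" } } }
EOF
  cat > "$1/yarn-app/yarn.lock" <<'EOF'
color-string@^1.9.1:
  version "1.9.1"
  dependencies:
    simple-swizzle "^0.2.2"

simple-swizzle@^0.2.2:
  version "0.2.3"
EOF
  cat > "$1/patched-app/package-lock.json" <<'EOF'
{ "name": "patched-app", "lockfileVersion": 3, "packages": {
    "node_modules/simple-swizzle": { "version": "0.2.4" } } }
EOF
}
```

Source the file and run `count_compromised /path/to/checkouts` from the pipeline; any non-zero count should fail the job and list the offending lockfiles. Run `remediate_project` only on the projects that were flagged, since it deletes node_modules and build output. The scanner keys on the lockfile's resolved version rather than on a malware signature, because the advisory identifies the compromise by version, and a lockfile that still resolves 0.2.3 is exactly what keeps a stale bundle in circulation.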


Technical Details

Data Version
5.1
Assigner Short Name
GitHub_M
Date Reserved
2025-09-09T15:23:16.326Z
Cvss Version
4.0
State
PUBLISHED

Threat ID: 68c866d82e2c3e5d6abeedae

Added to database: 9/15/2025, 7:19:52 PM

Last enriched: 9/23/2025, 1:06:30 AM

Last updated: 11/2/2025, 3:52:58 AM
