CVE-2025-59141: CWE-506: Embedded Malicious Code in Qix- node-simple-swizzle
simple-swizzle swizzles function arguments. On 8 September 2025, the npm publishing account for simple-swizzle was taken over after a phishing attack. Version 0.2.3 was published, functionally identical to the previous patch version, but with a malware payload added attempting to redirect cryptocurrency transactions to the attacker's own addresses from within browser environments. Local environments, server environments, command line applications, etc. are not affected. If the package was used in a browser context (e.g. a direct <script> inclusion, or via a bundling tool such as Babel, Rollup, Vite, Next.js, etc.) there is a chance the malware still exists and such bundles will need to be rebuilt. The malware seemingly only targets cryptocurrency transactions and wallets such as MetaMask. npm removed the offending package from the registry over the course of the day on 8 September, preventing further downloads from npm proper. On 13 September, the package owner published new patch versions to help cache-bust those using private registries who might still have the compromised version cached. Users should update to the latest patch version, completely remove their node_modules directory, clean their package manager's global cache, and rebuild any browser bundles from scratch. Those operating private registries or registry mirrors should purge the offending versions from any caches. This issue is resolved in 0.2.4.
AI Analysis
Technical Summary
CVE-2025-59141 is a high-severity supply chain vulnerability affecting the npm package simple-swizzle (GitHub repository Qix-/node-simple-swizzle), a small utility that swizzles function arguments and is widely pulled in as a transitive dependency in JavaScript projects. On September 8, 2025, the npm publishing account for simple-swizzle was compromised via a phishing attack, allowing an attacker to publish version 0.2.3 containing malicious code. The payload specifically targets cryptocurrency transactions within browser environments by attempting to redirect funds to attacker-controlled addresses. The malware activates only in browser contexts where the package is bundled or included directly in client-side code, for example through build tooling such as Babel, Rollup, Vite, or Next.js. Server-side, local, or command-line uses of the package are unaffected. The malicious code focuses on wallets such as MetaMask, intercepting transaction data to divert cryptocurrency payments. npm removed the compromised version from the registry the same day, and on September 13, 2025 the maintainer published fresh patch versions (the issue is resolved in 0.2.4) so that private registries and caches still holding the compromised version would be invalidated. Users who have cached or bundled the compromised version in browser applications remain at risk until they update, clear package manager caches, delete node_modules directories, and rebuild their bundles. Private registries and mirrors must also purge the malicious version to prevent further exposure. The CVSS 4.0 score of 8.8 reflects the network attack vector, no required privileges or user interaction, and a high impact on integrity due to the redirection of cryptocurrency transactions. No known exploits in the wild have been reported yet, but the nature of the attack poses significant risk to users relying on this package in browser-based crypto applications.
Potential Impact
For European organizations, the impact of this vulnerability is particularly critical in sectors dealing with cryptocurrency transactions, fintech, and blockchain-based services that use JavaScript front-end code incorporating node-simple-swizzle. The malicious code can lead to direct financial losses by redirecting cryptocurrency payments, undermining trust in affected applications and causing reputational damage. Organizations relying on browser-based wallets like MetaMask integrated into their web applications are at risk of silent theft of funds. Additionally, the supply chain compromise highlights risks in software dependency management, potentially affecting development pipelines and deployment processes. Given the widespread use of npm packages in European software development, any organization that bundles this package into browser-facing applications could inadvertently expose end users to theft. The incident also stresses the importance of securing developer accounts and supply chain integrity. While server-side applications are not affected, the risk to client-side environments means that web applications targeting European users who engage in cryptocurrency transactions are vulnerable. This could impact financial institutions, crypto exchanges, and startups in the blockchain space across Europe.
Mitigation Recommendations
European organizations should immediately verify whether simple-swizzle version 0.2.3 is present in any browser-targeted bundles or in the dependency trees that produce them. Steps include:
1) Upgrade to version 0.2.4 or later so the malicious code is removed.
2) Completely delete the node_modules directory to remove installed copies of the compromised package.
3) Clean all package manager caches (npm, yarn, pnpm) to prevent reinstallation of the malicious version from a local cache.
4) Rebuild all browser bundles from scratch to eliminate embedded malware; bundles built from a compromised tree stay compromised even after the dependency is updated.
5) For organizations using private npm registries or mirrors, purge all cached copies of version 0.2.3 to prevent internal propagation.
6) Audit front-end codebases and lockfiles to identify indirect dependencies on simple-swizzle, since it is usually pulled in transitively rather than declared directly.
7) Strengthen developer account security by enforcing multi-factor authentication and phishing awareness training to prevent similar account takeovers.
8) Monitor blockchain transactions for suspicious redirects or anomalies in cryptocurrency flows.
9) Implement runtime integrity checks or Content Security Policies (CSP) to detect or block unauthorized script modifications in browser environments.
These targeted actions go beyond generic patching by addressing supply chain hygiene, developer security, and runtime protections.
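Step 6 above is the one most teams get wrong, because simple-swizzle rarely appears in package.json and has to be found in the lockfile, often nested under another package. The following Node.js script is an added example written for this page, not code from the advisory or the project; it scans a package-lock.json for the compromised release, handling both the lockfileVersion 2/3 "packages" map and the older v1 nested "dependencies" tree. The sample lockfiles are constructed for illustration.

```javascript
// Added example (not from the advisory): find the compromised simple-swizzle
// release in an npm lockfile, wherever it is nested in the install tree.
const COMPROMISED = { name: 'simple-swizzle', versions: new Set(['0.2.3']) };

// lockfileVersion 1 stores a nested "dependencies" tree; walk it recursively.
function* walkV1(deps, parent) {
  for (const [name, info] of Object.entries(deps || {})) {
    const path = `${parent}node_modules/${name}`;
    yield { name, path, version: info.version };
    if (info.dependencies) yield* walkV1(info.dependencies, path + '/');
  }
}

// lockfileVersion 2/3 stores a flat "packages" map keyed by install path.
function* walkV2(packages) {
  for (const [path, info] of Object.entries(packages)) {
    if (path === '') continue; // the root project entry, not a dependency
    // the package name is whatever follows the last "node_modules/"
    yield { name: path.split('node_modules/').pop(), path, version: info.version };
  }
}

// Returns the install paths at which a compromised version is present.
function findCompromised(lock) {
  const entries = lock.packages ? walkV2(lock.packages) : walkV1(lock.dependencies, '');
  const hits = [];
  for (const e of entries) {
    if (e.name === COMPROMISED.name && COMPROMISED.versions.has(e.version)) hits.push(e.path);
  }
  return hits;
}

// Constructed sample lockfiles: a hoisted clean copy plus a nested compromised one.
const SAMPLE_LOCK_V3 = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'example-dapp', version: '1.0.0' },
    'node_modules/color-string': { version: '1.9.1' },
    'node_modules/color-string/node_modules/simple-swizzle': { version: '0.2.3' },
    'node_modules/simple-swizzle': { version: '0.2.2' },
  },
};
const SAMPLE_LOCK_V1 = {
  lockfileVersion: 1,
  dependencies: { 'color-string': { version: '1.9.1', dependencies: { 'simple-swizzle': { version: '0.2.3' } } } },
};

// Usage: node scan-lock.js ./package-lock.json (falls back to the sample when no path is given)
if (typeof require !== 'undefined' && require.main === module) {
  const lock = process.argv[2] ? JSON.parse(require('fs').readFileSync(process.argv[2], 'utf8')) : SAMPLE_LOCK_V3;
  const hits = findCompromised(lock);
  console.log(hits.length ? `COMPROMISED simple-swizzle found at:\n  ${hits.join('\n  ')}` : 'no compromised simple-swizzle version in lockfile');
}
```

A clean lockfile does not prove a clean deployment: bundles built while 0.2.3 was installed keep the payload until they are rebuilt from a clean tree, as step 4 requires.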
Affected Countries
Germany, United Kingdom, France, Netherlands, Switzerland, Sweden, Estonia
Technical Details
- Data Version: 5.1
- Assigner Short Name: GitHub_M
- Date Reserved: 2025-09-09T15:23:16.326Z
- CVSS Version: 4.0
- State: PUBLISHED
Added to database: 9/15/2025, 7:19:52 PM
Last enriched: 9/15/2025, 7:21:13 PM
Last updated: 9/18/2025, 12:24:03 AM