CVE-2025-59143: CWE-506: Embedded Malicious Code in Qix- color
color is a JavaScript color conversion and manipulation library. On 8 September 2025, the npm publishing account for color was taken over after a phishing attack. Version 5.0.1 was published, functionally identical to the previous patch version, but with a malware payload added that attempts to redirect cryptocurrency transactions to the attacker's own addresses from within browser environments. Local environments, server environments, command line applications, etc. are not affected. If the package was used in a browser context (e.g. a direct <script> inclusion, or via a bundling tool such as Babel, Rollup, Vite, Next.js, etc.) there is a chance the malware still exists in the built output, and such bundles will need to be rebuilt. The malware seemingly only targets cryptocurrency transactions and wallets such as MetaMask. npm removed the offending package from the registry over the course of the day on 8 September, preventing further downloads from npm proper. On 13 September, the package owner published new patch versions to help cache-bust those using private registries who might still have the compromised version cached. Users should update to the latest patch version, completely remove their node_modules directory, clean their package manager's global cache, and rebuild any browser bundles from scratch. Those operating private registries or registry mirrors should purge the offending versions from any caches. This issue has been resolved in 5.0.2.
AI Analysis
Technical Summary
CVE-2025-59143 is a high-severity supply chain vulnerability affecting the 'color' JavaScript library maintained under the Qix- GitHub account. The incident occurred on September 8, 2025, when the npm publishing account for the 'color' package was compromised via a phishing attack. The attacker published version 5.0.1, which was functionally identical to the previous patch but contained embedded malicious code designed to intercept and redirect cryptocurrency transactions within browser environments. This payload specifically targets browser-based cryptocurrency wallets such as MetaMask, attempting to divert transactions to attacker-controlled addresses. Importantly, environments outside the browser context (local development, server-side applications, and command-line tools) are not affected by this malware. The malicious version was removed from the npm registry on the same day, and a clean patched version 5.0.2 was released on September 13, 2025, to assist users in cache busting and remediation. Users who incorporated the compromised version into browser bundles via tools like Babel, Rollup, Vite, or Next.js remain at risk if those bundles have not been rebuilt since the compromise, because the payload lives in the built artifact rather than only in node_modules. Additionally, private npm registries or mirrors may still serve the malicious version if their caches have not been purged. The vulnerability is classified under CWE-506 (Embedded Malicious Code) and carries a CVSS 4.0 score of 8.8, reflecting its high impact and ease of exploitation without requiring authentication or user interaction. The attack leverages the trust placed in the npm supply chain and the widespread use of the 'color' library in front-end JavaScript projects, emphasizing the risks of compromised dependencies in modern web development.
Potential Impact
For European organizations, the impact of this threat is significant, particularly for those involved in fintech, cryptocurrency services, blockchain development, and any web applications integrating cryptocurrency wallet functionalities. The malicious code's ability to redirect cryptocurrency transactions compromises the confidentiality and integrity of financial data, potentially leading to direct financial losses and erosion of user trust. Since the attack targets browser environments, organizations deploying web applications that bundle the 'color' library without verifying package integrity could inadvertently expose their users to theft. This is especially critical for companies offering wallet integrations or crypto payment gateways. Additionally, the supply chain nature of the compromise means that even organizations without direct cryptocurrency dealings but using affected front-end libraries could serve malicious code to end-users, damaging reputations and possibly violating data protection regulations such as GDPR if user data is indirectly impacted. The swift removal of the malicious package and patch release mitigates ongoing risk, but organizations with slow update cycles or private registries may remain vulnerable. The incident underscores the need for rigorous supply chain security practices in European software development and deployment pipelines.
Mitigation Recommendations
European organizations should take immediate and specific actions beyond generic patching advice:
1) Audit all projects and dependencies to identify any usage of 'color' version 5.0.1, especially in browser-targeted bundles.
2) Completely remove the node_modules directory and clear all package manager caches (npm, yarn, pnpm) to eliminate cached malicious packages.
3) Rebuild all browser bundles from scratch using the patched version 5.0.2 or later to ensure no residual malicious code remains.
4) For organizations operating private npm registries or mirrors, purge all cached copies of version 5.0.1 to prevent inadvertent distribution.
5) Implement or enhance supply chain security measures such as package integrity verification (e.g., using npm's package integrity hashes or third-party tools), dependency monitoring, and automated alerts for suspicious package updates.
6) Educate development teams on phishing risks to prevent future account takeovers.
7) Monitor blockchain transactions associated with organizational wallets for anomalies that might indicate compromise.
8) Consider adopting multi-factor authentication and hardware security modules for managing cryptographic keys to reduce risk from client-side malware.
These targeted steps will help mitigate the risk posed by this embedded malicious code incident.
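As an added example covering steps 1 and 5 above (not code from the advisory or from the color project), the Node script below audits an npm lockfile for the compromised color 5.0.1 release, including transitive copies nested under other packages, and flags entries that carry no integrity hash. It handles lockfileVersion 1 (nested "dependencies") and 2/3 ("packages" keyed by node_modules path); the embedded lockfile and its sha512 values are constructed sample data, and yarn/pnpm lockfiles are out of scope.

```javascript
// Added example, not part of the CVE-2025-59143 advisory or the color project.
// Audits an npm package-lock.json for the compromised release named in the advisory.
const AFFECTED = { name: 'color', versions: new Set(['5.0.1']) };

// lockfileVersion 2/3: "packages" keys look like "node_modules/a/node_modules/color".
function scanPackagesMap(packages) {
  const hits = [];
  for (const [path, meta] of Object.entries(packages || {})) {
    const name = path.split('node_modules/').pop();
    if (name === AFFECTED.name && AFFECTED.versions.has(meta.version)) {
      hits.push({ path, version: meta.version, integrity: meta.integrity || null });
    }
  }
  return hits;
}

// lockfileVersion 1: "dependencies" is a tree; recurse so nested copies are found.
function scanDependencyTree(deps, prefix = 'node_modules') {
  const hits = [];
  for (const [name, meta] of Object.entries(deps || {})) {
    const path = `${prefix}/${name}`;
    if (name === AFFECTED.name && AFFECTED.versions.has(meta.version)) {
      hits.push({ path, version: meta.version, integrity: meta.integrity || null });
    }
    hits.push(...scanDependencyTree(meta.dependencies, `${path}/node_modules`));
  }
  return hits;
}

// Returns every lockfile entry pinning an affected version. An entry without an
// integrity hash is marked unverifiable: npm cannot check it against the registry.
function auditLockfile(lockJson) {
  const lock = JSON.parse(lockJson);
  const hits = lock.lockfileVersion >= 2
    ? scanPackagesMap(lock.packages)
    : scanDependencyTree(lock.dependencies);
  return hits.map(h => ({ ...h, unverifiable: h.integrity === null }));
}

// Constructed sample (v3): clean top-level color 5.0.2, but a UI kit pulls in 5.0.1.
const SAMPLE_LOCK = JSON.stringify({
  lockfileVersion: 3,
  packages: {
    'node_modules/color': { version: '5.0.2', integrity: 'sha512-CONSTRUCTED' },
    'node_modules/some-ui-kit': { version: '1.0.0', integrity: 'sha512-CONSTRUCTED' },
    'node_modules/some-ui-kit/node_modules/color': { version: '5.0.1' },
  },
});
```

Run `auditLockfile` over the real package-lock.json of each browser-targeted project; any hit means node_modules, the package manager cache and the built bundle must all be regenerated, not just the lockfile.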
Affected Countries
Germany, United Kingdom, France, Netherlands, Switzerland, Sweden, Estonia
Technical Details
- Data Version: 5.1
- Assigner Short Name: GitHub_M
- Date Reserved: 2025-09-09T15:23:16.326Z
- CVSS Version: 4.0
- State: PUBLISHED
Added to database: 9/15/2025, 7:19:52 PM
Last enriched: 9/15/2025, 7:20:45 PM
Last updated: 9/17/2025, 12:19:47 PM