
CVE-2025-59145: CWE-506: Embedded Malicious Code in colorjs color-name

Severity: High
Tags: Vulnerability, CVE-2025-59145, CWE-506
Published: Mon Sep 15 2025 (09/15/2025, 20:32:43 UTC)
Source: CVE Database V5
Vendor/Project: colorjs
Product: color-name

Description

color-name is a JSON with CSS color names. On 8 September 2025, an npm publishing account for color-name was taken over after a phishing attack. Version 2.0.1 was published, functionally identical to the previous patch version, but with a malware payload added attempting to redirect cryptocurrency transactions to the attacker's own addresses from within browser environments. Local environments, server environments, command line applications, etc. are not affected. If the package was used in a browser context (e.g. a direct <script> inclusion, or via a bundling tool such as Babel, Rollup, Vite, Next.js, etc.) there is a chance the malware still exists and such bundles will need to be rebuilt. The malware seemingly only targets cryptocurrency transactions and wallets such as MetaMask. See references below for more information on the payload. npm removed the offending package from the registry over the course of the day on 8 September, preventing further downloads from npm proper. On 13 September, the package owner published new patch versions to help cache-bust those using private registries who might still have the compromised version cached. Users should update to the latest patch version, completely remove their node_modules directory, clean their package manager's global cache, and rebuild any browser bundles from scratch. Those operating private registries or registry mirrors should purge the offending versions from any caches. This issue is resolved in 2.0.2.

AI-Powered Analysis

Last updated: 09/15/2025, 20:37:22 UTC

Technical Analysis

CVE-2025-59145 concerns a supply chain attack involving the npm package 'color-name', a JSON file containing CSS color names used in JavaScript projects. On September 8, 2025, attackers successfully compromised the npm publishing account of the 'color-name' package through a phishing attack. Subsequently, version 2.0.1 was published, which was functionally identical to the previous patch version but contained embedded malicious code. This malware payload specifically targets browser environments where the package is used, attempting to intercept and redirect cryptocurrency transactions to attacker-controlled addresses. The attack vector is limited to browser contexts, such as direct script inclusion or through bundling tools like Babel, Rollup, Vite, or Next.js. Non-browser environments, including local development, server-side applications, and command-line tools, are not affected. The malicious code focuses on wallets such as MetaMask, aiming to hijack cryptocurrency transactions. The compromised package was removed from the npm registry on the same day to prevent further downloads. On September 13, the package owner released version 2.0.2 to remediate the issue and assist users in cache busting. Remediation requires users to update to the latest version, delete their node_modules directory, clear package manager caches, and rebuild any browser bundles to ensure the malware is fully removed. Private registries and mirrors must also purge cached compromised versions. The CVSS 4.0 score is 8.8 (high severity), reflecting the ease of exploitation (no authentication or user interaction required) and the significant impact on confidentiality and integrity of cryptocurrency transactions in affected browser environments.

Potential Impact

For European organizations, the impact of this threat is significant primarily for those involved in web development or deploying web applications that include the 'color-name' package in browser contexts. The malware targets cryptocurrency transactions, which could lead to direct financial losses through theft of digital assets. Organizations handling cryptocurrency payments, wallets, or blockchain-based services are at heightened risk. The compromise undermines trust in the software supply chain and could result in reputational damage, regulatory scrutiny, and financial penalties under European data protection and cybersecurity laws if customer assets are affected. Although server-side and local environments are not impacted, any front-end web applications that bundle this package could serve as infection vectors to end users, potentially exposing customers or employees to theft. The attack also highlights the risk of phishing leading to supply chain compromises, emphasizing the need for robust account security and monitoring. Given the widespread use of npm packages in European software development, the threat could affect a broad range of sectors, including fintech, e-commerce, and any organization integrating cryptocurrency functionality in web apps.

Mitigation Recommendations

To mitigate this threat, European organizations should:

1) Immediately update the 'color-name' package to version 2.0.2 or later in all projects where it is used in browser contexts.
2) Completely remove the node_modules directory and clear all package manager caches (npm, yarn, pnpm) to eliminate cached compromised versions.
3) Rebuild all browser bundles from scratch to ensure no malicious code remains embedded.
4) Audit private npm registries and mirrors to purge any cached compromised versions of 'color-name' 2.0.1.
5) Implement strict supply chain security practices, including multi-factor authentication and phishing-resistant login methods for package publishing accounts.
6) Monitor web applications for unusual cryptocurrency transaction behaviors or redirects.
7) Educate developers and DevOps teams about the risks of supply chain attacks and phishing.
8) Employ software composition analysis (SCA) tools to detect and alert on usage of compromised or malicious packages.
9) Consider isolating or sandboxing browser environments that handle cryptocurrency transactions to limit the impact of potential future supply chain compromises.
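The lockfile audit (step 4, and the SCA-style check in step 8) together with the cleanup sequence in steps 1 to 3 (the same sequence the Description gives: update, remove node_modules, clear the package manager cache, rebuild bundles), as an added shell example. This script is not part of the advisory or of the color-name project. It assumes npm-format lockfiles (package-lock.json or npm-shrinkwrap.json, v1 "dependencies" or v2/v3 "packages" entries); the two sample lockfiles are constructed for the demo, `dist` as the bundle output directory is an assumption to adjust per project, and `DRY_RUN` is this script's own switch, not an npm option.

```shell
#!/bin/sh
# Added example (not from the advisory or the color-name project): find npm
# lockfiles that pin the compromised color-name 2.0.1 and script the cleanup
# the advisory describes. Assumes npm lockfile layouts (v1 "dependencies"
# entries or v2/v3 "packages" entries keyed by node_modules path). The sample
# lockfiles written below are constructed for the demo.

COMPROMISED_VERSION="2.0.1"

# Print "<lockfile key>@<version>" for every color-name entry in one npm
# lockfile whose resolved version is the compromised one. Nested copies
# ("node_modules/foo/node_modules/color-name") are checked as well.
compromised_entries() {
  awk -v bad="$COMPROMISED_VERSION" '
    # an entry key ending in color-name followed by ": {" opens a package block
    /color-name"[[:space:]]*:[[:space:]]*[{]/ {
      key = $0; sub(/^[[:space:]]*"/, "", key); sub(/".*$/, "", key)
      if (key == "color-name" || key ~ /\/color-name$/) { inpkg = 1; depth = 1 }
      next
    }
    inpkg {
      # the first "version" inside the block is the resolved version
      if (match($0, /"version"[[:space:]]*:[[:space:]]*"[^"]*"/)) {
        v = substr($0, RSTART, RLENGTH)
        sub(/^"version"[[:space:]]*:[[:space:]]*"/, "", v); sub(/"$/, "", v)
        if (v == bad) print key "@" v
        inpkg = 0; next
      }
      # leave the block once its braces balance out without a version line
      depth += gsub(/[{]/, "{"); depth -= gsub(/[}]/, "}")
      if (depth <= 0) inpkg = 0
    }
  ' "$1"
}

# Exit status 0 when the lockfile has no compromised entry, 1 otherwise.
lockfile_is_clean() {
  [ -z "$(compromised_entries "$1")" ]
}

# Walk a source tree and report every affected lockfile as "<path>: <entry>".
# Exit status 0 = nothing found, 1 = at least one hit.
scan_tree() {
  hits=$(find "$1" \( -name package-lock.json -o -name npm-shrinkwrap.json \) -print |
    while IFS= read -r lock; do
      compromised_entries "$lock" | sed "s|^|$lock: |"
    done)
  [ -z "$hits" ] && return 0
  printf '%s\n' "$hits"
  return 1
}

# The advisory's cleanup for one project. DRY_RUN=1 (the default here) only
# prints the commands; set DRY_RUN=0 to execute them.
run() { if [ "${DRY_RUN:-1}" = "1" ]; then echo "+ $*"; else "$@"; fi; }

remediate_project() {
  dir="$1"
  run rm -rf "$dir/node_modules"              # drop every installed copy
  run rm -rf "$dir/dist"                      # assumed bundle output dir; adjust per build
  run npm cache clean --force                 # npm global cache
  run yarn cache clean                        # if yarn is used
  run pnpm store prune                        # if pnpm is used
  run npm --prefix "$dir" update color-name   # move the lockfile to 2.0.2 or later
  run npm --prefix "$dir" ci                  # reinstall from the fresh lockfile
  run npm --prefix "$dir" run build           # rebuild browser bundles from scratch
}

# Constructed sample lockfiles: one pinning the compromised release, one clean.
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT
mkdir -p "$SAMPLE_DIR/bad" "$SAMPLE_DIR/clean"
cat > "$SAMPLE_DIR/bad/package-lock.json" <<'EOF'
{
  "name": "example-app", "lockfileVersion": 3,
  "packages": {
    "": { "dependencies": { "color-name": "^2.0.0" } },
    "node_modules/color-name": {
      "version": "2.0.1",
      "resolved": "https://registry.npmjs.org/color-name/-/color-name-2.0.1.tgz"
    },
    "node_modules/some-lib/node_modules/color-name": {
      "version": "1.1.4"
    }
  }
}
EOF
sed 's/2\.0\.1/2.0.2/g' "$SAMPLE_DIR/bad/package-lock.json" > "$SAMPLE_DIR/clean/package-lock.json"

echo "== scanning $SAMPLE_DIR"
scan_tree "$SAMPLE_DIR" || echo "compromised version present; cleanup commands follow"
remediate_project "$SAMPLE_DIR/bad"
```

The scanner only understands npm lockfiles; yarn.lock and pnpm-lock.yaml use different layouts and need their own check. Cached copies in a private registry or mirror are outside any lockfile and still have to be purged on the registry side, as step 4 says.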


Technical Details

Data Version: 5.1
Assigner Short Name: GitHub_M
Date Reserved: 2025-09-09T15:23:16.326Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 68c878ea26cffcb34e4501df

Added to database: 9/15/2025, 8:36:58 PM

Last enriched: 9/15/2025, 8:37:22 PM

Last updated: 9/16/2025, 12:08:10 AM
