
CVE-2025-59162: CWE-506: Embedded Malicious Code in Qix- color-convert

Severity: High
Tags: Vulnerability, CVE-2025-59162, cve, cwe-506
Published: Mon Sep 15 2025 (09/15/2025, 19:16:23 UTC)
Source: CVE Database V5
Vendor/Project: Qix-
Product: color-convert

Description

color-convert provides plain color conversion functions in JavaScript. On 8 September 2025, the npm publishing account for color-convert was taken over after a phishing attack. Version 3.1.1 was published, functionally identical to the previous patch version, but with a malware payload added attempting to redirect cryptocurrency transactions to the attacker's own addresses from within browser environments. Local environments, server environments, command line applications, etc. are not affected. If the package was used in a browser context (e.g. a direct <script> inclusion, or via a bundling tool such as Babel, Rollup, Vite, Next.js, etc.) there is a chance the malware still exists and such bundles will need to be rebuilt. The malware seemingly only targets cryptocurrency transactions and wallets such as MetaMask. npm removed the offending package from the registry over the course of the day on 8 September, preventing further downloads from npm proper. On 13 September, the package owner published new patch versions to help cache-bust those using private registries who might still have the compromised version cached. Users should update to the latest patch version, completely remove their node_modules directory, clean their package manager's global cache, and rebuild any browser bundles from scratch. Those operating private registries or registry mirrors should purge the offending versions from any caches. This issue is resolved in 3.1.2.

AI-Powered Analysis

AILast updated: 09/15/2025, 19:20:20 UTC

Technical Analysis

CVE-2025-59162 is a high-severity supply chain vulnerability affecting the JavaScript package 'color-convert', maintained by the Qix- project. The package provides plain color conversion functions commonly used in JavaScript applications. On September 8, 2025, attackers successfully compromised the npm publishing account of color-convert via a phishing attack. Subsequently, they published version 3.1.1, which was functionally identical to the previous patch version but contained embedded malicious code. This malware payload was designed to operate exclusively within browser environments, targeting cryptocurrency transactions by attempting to redirect them to attacker-controlled wallet addresses. Importantly, non-browser environments such as local development, server-side applications, or command-line tools are not affected. The malicious code activates when the package is included directly in browser contexts, either through direct <script> tags or via bundling tools like Babel, Rollup, Vite, or Next.js. The npm registry removed the compromised package version on the same day to prevent further downloads. On September 13, the legitimate package owner released version 3.1.2 to remediate the issue and assist users in cache busting, especially those using private registries or mirrors. Users are strongly advised to update to the latest version, delete their node_modules directories, clear package manager caches, and rebuild browser bundles from scratch to eliminate any lingering malicious code. Private registries and mirrors should also purge cached copies of the compromised version. The vulnerability is classified under CWE-506 (Embedded Malicious Code) and has a CVSS 4.0 score of 8.8, reflecting its high severity due to network attack vector, no required privileges or user interaction, and significant impact on the integrity of cryptocurrency transactions within browser environments.

Potential Impact

For European organizations, this vulnerability poses a significant risk primarily to web applications and front-end projects that incorporate the color-convert package in browser-executed code. Organizations involved in cryptocurrency transactions, fintech, or blockchain services are particularly vulnerable, as the malware specifically targets crypto wallets like MetaMask to redirect funds to attacker-controlled addresses. The compromise could lead to direct financial losses, erosion of customer trust, and reputational damage. Since the malicious payload only activates in browser contexts, server-side applications are not directly impacted, but any web-facing client applications that bundle this package are at risk. The supply chain nature of the attack highlights the risk of indirect compromise through trusted dependencies, which is a critical concern for European companies adhering to strict cybersecurity regulations such as the NIS Directive and GDPR. Failure to remediate could also expose organizations to regulatory penalties if customer funds or data are compromised. Additionally, private registries and mirrors used by enterprises may inadvertently propagate the malicious version if not properly purged, extending the threat surface.

Mitigation Recommendations

1. Immediate upgrade to color-convert version 3.1.2 or later is essential to eliminate the malicious code.
2. Completely remove the node_modules directory and clear all package manager caches (npm, yarn, pnpm) to prevent residual compromised packages from persisting.
3. Rebuild all browser bundles from scratch to ensure no malicious code remains embedded in distributed assets.
4. Audit and purge any private npm registries or mirrors to remove cached copies of version 3.1.1.
5. Implement strict supply chain security practices, including multi-factor authentication on publishing accounts to prevent phishing-based account takeovers.
6. Monitor web application traffic for suspicious redirections or anomalies in cryptocurrency transaction flows.
7. Educate development teams about phishing risks and secure credential management to prevent similar compromises.
8. Employ software composition analysis (SCA) tools to detect usage of compromised package versions in codebases.
9. For organizations handling cryptocurrency transactions, consider additional transaction verification mechanisms to detect unauthorized redirections.


Technical Details

Data Version: 5.1
Assigner Short Name: GitHub_M
Date Reserved: 2025-09-09T15:23:16.327Z
Cvss Version: 4.0
State: PUBLISHED

Threat ID: 68c866d82e2c3e5d6abeedca

Added to database: 9/15/2025, 7:19:52 PM

Last enriched: 9/15/2025, 7:20:20 PM

Last updated: 9/18/2025, 2:42:07 AM

