
CVE-2025-59331: CWE-506: Embedded Malicious Code in Qix- node-is-arrayish

High
Tags: Vulnerability, CVE-2025-59331, cve, cve-2025-59331, cwe-506
Published: Mon Sep 15 2025 (09/15/2025, 19:21:29 UTC)
Source: CVE Database V5
Vendor/Project: Qix-
Product: node-is-arrayish

Description

is-arrayish checks if an object can be used like an Array. On 8 September 2025, an npm publishing account for is-arrayish was taken over after a phishing attack. Version 0.3.3 was published, functionally identical to the previous patch version, but with a malware payload added attempting to redirect cryptocurrency transactions to the attacker's own addresses from within browser environments. Local environments, server environments, command line applications, etc. are not affected. If the package was used in a browser context (e.g. a direct <script> inclusion, or via a bundling tool such as Babel, Rollup, Vite, Next.js, etc.) there is a chance the malware still exists and such bundles will need to be rebuilt. The malware seemingly only targets cryptocurrency transactions and wallets such as MetaMask. See references below for more information on the payload. npm removed the offending package from the registry over the course of the day on 8 September, preventing further downloads from npm proper. On 13 September, the package owner published new patch versions to help cache-bust those using private registries who might still have the compromised version cached. Users should update to the latest patch version, completely remove their node_modules directory, clean their package manager's global cache, and rebuild any browser bundles from scratch. Those operating private registries or registry mirrors should purge the offending versions from any caches. This issue is resolved in 0.3.4.

AI-Powered Analysis

Last updated: 09/15/2025, 19:47:02 UTC

Technical Analysis

CVE-2025-59331 records a supply-chain compromise (CWE-506, embedded malicious code) of the npm package is-arrayish, which is developed in the Qix- repository node-is-arrayish. On 8 September 2025 the package's npm publishing account was taken over through a phishing attack and version 0.3.3 was published. It is functionally identical to the previous patch release apart from an added payload that runs only in browser environments and attempts to intercept cryptocurrency transactions, MetaMask and similar wallets included, and redirect them to attacker-controlled addresses. Node.js servers, local tooling and command-line applications that depend on the package are not affected; the exposure is any browser bundle built while 0.3.3 was installed, whether the package was included directly with a <script> tag or pulled in through build tooling such as Babel, Rollup, Vite or Next.js. Because is-arrayish is usually a transitive dependency resolved through a caret range, an install that resolved the package during the compromise window picked up 0.3.3 without any change to the consumer's package.json; the lockfile shows which version was actually resolved. npm removed the malicious version from the registry during 8 September. On 13 September the maintainer published new patch releases so that private registries and mirrors still holding a cached copy of 0.3.3 would be bypassed; the issue is resolved in 0.3.4. Remediation is to upgrade to 0.3.4, delete node_modules, clear the package manager cache, rebuild every browser bundle from a clean install, and purge 0.3.3 from any private registry or mirror. The CVSS 4.0 base score is 8.8 (high), reflecting a network-delivered payload that compromises the integrity and confidentiality of transactions in affected browser sessions. Whether the payload diverted funds in practice is not reported here; any bundle shipped from an install made while 0.3.3 was available should be treated as compromised until it has been rebuilt.

Potential Impact

For European organizations the risk sits in web applications and front-end projects whose browser bundles include is-arrayish, typically as a transitive dependency. Organizations in fintech, cryptocurrency services, or any sector whose users operate browser wallets are most exposed, since a compromised bundle can redirect their transactions to the attacker and cause direct financial loss and reputational damage. Server-side and local environments are unaffected by this payload, so backend systems are out of scope for this specific threat. The wider concern is that JavaScript bundlers silently inline dependencies, so a company that built and deployed a bundle while 0.3.3 was installable, or that installs from a private registry that still caches it, may be serving the payload to end users without any change in its own code. The incident also shows how a single publisher account takeover in an open-source ecosystem propagates to every downstream build. Where customer funds or personal data are affected, GDPR and related data protection obligations may apply, with the corresponding legal and financial exposure.

Mitigation Recommendations

European organizations should audit their projects for is-arrayish 0.3.3 specifically; earlier versions do not carry the payload and need no action beyond the normal upgrade. Check lockfiles (package-lock.json, yarn.lock, pnpm-lock.yaml) rather than package.json, because the package is normally a transitive dependency resolved through a version range, and check the version actually installed in every node_modules directory, nested copies included. Upgrade to 0.3.4 or later, delete node_modules, clear the package manager cache (npm, yarn, pnpm), reinstall, and rebuild every browser bundle from scratch; then redeploy the rebuilt artifacts wherever the old ones were served, CDN and static hosting included. Private registries and mirrors must purge any cached copy of 0.3.3 so it cannot be reinstalled from the cache. Lockfile integrity hashes and subresource integrity would not have caught this: the malicious tarball was published through the legitimate (hijacked) account and carries a valid integrity hash, so those controls only guard against tampering after publication. Controls that do help are phishing-resistant second factors (hardware keys or passkeys) on publishing accounts, a short hold on newly published versions before they are admitted to a private registry, and dependency scanners that flag known-malicious versions. Developers should be briefed on the phishing pattern used here, and teams that run browser wallets should watch for the payload indicators described in the referenced analyses.
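The audit and purge procedure above, as an added example that is not part of the advisory or of the is-arrayish project. It assumes a POSIX sh with awk and find; the package name and the compromised and fixed versions are taken from the advisory, while the bundle output directories (dist, build, .next), the "build" script, and the sample lockfiles and package.json trees it creates are constructed for the demonstration and not taken from any real project.

```shell
#!/bin/sh
# Added example, not part of the advisory or the is-arrayish project: audit a
# checkout for the compromised is-arrayish@0.3.3 and print the purge/rebuild
# steps. Needs only POSIX sh, awk and find. Only 0.3.3 carries the payload;
# 0.3.2 and earlier are clean and 0.3.4 is the fixed release.

PKG="is-arrayish"
BAD="0.3.3"

# Return 0 (true) when a lockfile resolves is-arrayish to 0.3.3. Understands
# package-lock.json / npm-shrinkwrap.json (v1 to v3), yarn.lock (classic and
# berry) and pnpm-lock.yaml (v5 to v9).
lockfile_has_compromised() {
    [ -f "$1" ] || return 1
    awk -v pkg="$PKG" -v bad="$BAD" '
        # npm and yarn name the package on one line and give the resolved
        # version a line or two later: open a short window.
        $0 ~ ("\"(.*/)?" pkg "\": *[{]") || $0 ~ ("^\"?" pkg "@") { window = 3; next }
        # pnpm keys carry the resolved version: /is-arrayish/0.3.3:,
        # /is-arrayish@0.3.3: or is-arrayish@0.3.3:
        $0 ~ ("^ */?" pkg "[@/]") {
            key = $0; sub(/^ *\/?/, "", key); sub(/[:(].*$/, "", key)
            if (key == pkg "@" bad || key == pkg "/" bad) found = 1
        }
        # Reduce a version line to digits and dots and compare exactly, so
        # 0.3.30 or 10.3.3 cannot match by prefix.
        window > 0 && /version/ { v = $0; gsub(/[^0-9.]/, "", v); if (v == bad) found = 1 }
        window > 0 { window-- }
        END { exit found ? 0 : 1 }
    ' "$1"
}

# Return 0 and print the path of every installed copy of is-arrayish under a
# node_modules tree (nested copies included) whose version is 0.3.3.
installed_has_compromised() {
    [ -d "$1" ] || return 1
    hit=$(find "$1" -path "*/$PKG/package.json" -type f -exec awk -v bad="$BAD" '
        match($0, /"version" *: *"[^"]*"/) {
            v = substr($0, RSTART, RLENGTH); sub(/^.*: *"/, "", v); sub(/"$/, "", v)
            if (v == bad) { print FILENAME; exit }
        }' {} \;)
    [ -n "$hit" ] || return 1
    printf '%s\n' "$hit"
}

# Print the purge-and-rebuild sequence for one package manager, one command per
# line, to review and then pipe through sh. Assumed, not from the advisory:
# bundles live in dist/, build/ or .next/ and package.json has a "build" script.
# The cache is cleared before reinstalling so a cached 0.3.3 tarball cannot be reused.
purge_plan() {
    case "$1" in
        npm)  set -- "npm cache clean --force" "npm install"  "npm run build" ;;
        yarn) set -- "yarn cache clean"        "yarn install" "yarn build" ;;
        pnpm) set -- "pnpm store prune"        "pnpm install" "pnpm run build" ;;
        *)    echo "usage: purge_plan npm|yarn|pnpm" >&2; return 2 ;;
    esac
    printf '%s\n' "rm -rf node_modules" "$1" "rm -rf dist build .next" "$2" "$3"
}

# Constructed sample trees (not real project files) so the audit runs offline:
# "hit" resolved 0.3.3 in every lockfile format, "clean" resolved 0.3.4.
make_samples() {
    mkdir -p "$1/hit/node_modules/foo/node_modules/$PKG" "$1/clean/node_modules"
    cat > "$1/hit/package-lock.json" <<'EOF'
{
  "lockfileVersion": 3,
  "packages": {
    "node_modules/is-arrayish": {
      "version": "0.3.3"
    }
  }
}
EOF
    cat > "$1/hit/yarn.lock" <<'EOF'
is-arrayish@^0.3.1:
  version "0.3.3"
EOF
    cat > "$1/hit/pnpm-lock.yaml" <<'EOF'
lockfileVersion: '9.0'
packages:
  is-arrayish@0.3.3:
    resolution: {integrity: sha512-constructed}
EOF
    printf '{\n  "name": "is-arrayish",\n  "version": "0.3.3"\n}\n' \
        > "$1/hit/node_modules/foo/node_modules/$PKG/package.json"
    sed 's/0\.3\.3/0.3.4/g' "$1/hit/package-lock.json" > "$1/clean/package-lock.json"
}

# Audit one project directory: every lockfile present plus its node_modules.
# Returns 1 when 0.3.3 was found anywhere, 0 when the tree is clean.
audit_tree() {
    status=0
    for lock in package-lock.json yarn.lock pnpm-lock.yaml; do
        lockfile_has_compromised "$1/$lock" && { echo "COMPROMISED: $1/$lock"; status=1; }
    done
    installed_has_compromised "$1/node_modules" && status=1
    return "$status"
}

# Demo over the constructed samples; a real run points audit_tree at a project.
d=$(mktemp -d); make_samples "$d"
for tree in hit clean; do
    if audit_tree "$d/$tree"; then echo "$tree: no $PKG@$BAD found"; else purge_plan npm; fi
done
rm -rf "$d"
```

Run `audit_tree /path/to/project` against a real checkout; a non-zero exit means 0.3.3 was resolved or is installed there, and `purge_plan npm | sh` (or yarn / pnpm) performs the steps the advisory calls for. `pnpm store prune` only deletes packages no project still references, which is why the plan removes node_modules before it runs; repeat that in every project that shares the store. Rebuilt bundles still have to be redeployed to wherever the old ones are served.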


Technical Details

Data Version
5.1
Assigner Short Name
GitHub_M
Date Reserved
2025-09-12T12:36:24.634Z
Cvss Version
4.0
State
PUBLISHED

Threat ID: 68c86d1cd09586c390afd456

Added to database: 9/15/2025, 7:46:36 PM

Last enriched: 9/15/2025, 7:47:02 PM

Last updated: 9/19/2025, 12:08:58 AM

