CWE-506
Allowed-with-ReviewEmbedded Malicious Code
Abstraction: Class · Status: Incomplete
The product contains code that appears to be malicious in nature.
523 vulnerabilities reference this CWE, most recent first.
CVE-2026-6443 (GCVE-0-2026-6443)
Vulnerability from cvelistv5 – Published: 2026-04-17 06:44 – Updated: 2026-04-21 19:53- CWE-506 - Embedded Malicious Code
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-6443",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-17T18:49:32.019393Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-17T18:49:42.999Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Accordion and Accordion Slider",
"vendor": "essentialplugin",
"versions": [
{
"status": "affected",
"version": "1.4.6"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Portfolio and Projects",
"vendor": "essentialplugin",
"versions": [
{
"status": "affected",
"version": "1.5.6"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Featured Post Creative",
"vendor": "essentialplugin",
"versions": [
{
"status": "affected",
"version": "1.5.7"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Post grid and filter ultimate",
"vendor": "essentialplugin",
"versions": [
{
"status": "affected",
"version": "1.7.4"
}
]
},
{
"defaultStatus": "unaffected",
"product": "WP Featured Content and Slider",
"vendor": "essentialplugin",
"versions": [
{
"status": "affected",
"version": "1.7.6"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Post Ticker Ultimate",
"vendor": "essentialplugin",
"versions": [
{
"status": "affected",
"version": "1.7.6"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Trending/Popular Post Slider and Widget",
"vendor": "essentialplugin",
"versions": [
{
"status": "affected",
"version": "1.8.6"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Meta Slider and Carousel with Lightbox",
"vendor": "essentialplugin",
"versions": [
{
"status": "affected",
"version": "2.0.8"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Album and Image Gallery Plus Lightbox",
"vendor": "essentialplugin",
"versions": [
{
"status": "affected",
"version": "2.1.8"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Timeline and History slider",
"vendor": "essentialplugin",
"versions": [
{
"status": "affected",
"version": "2.4.5"
}
]
},
{
"defaultStatus": "unaffected",
"product": "WP Blog and Widgets",
"vendor": "essentialplugin",
"versions": [
{
"status": "affected",
"version": "2.6.6"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Countdown Timer Ultimate",
"vendor": "essentialplugin",
"versions": [
{
"status": "affected",
"version": "2.6.9"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Blog Designer \u2013 Post and Widget",
"vendor": "essentialplugin",
"versions": [
{
"status": "affected",
"version": "2.7.7"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Team Slider and Team Grid Showcase plus Team Carousel",
"vendor": "essentialplugin",
"versions": [
{
"status": "affected",
"version": "2.8.6"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Video gallery and Player",
"vendor": "essentialplugin",
"versions": [
{
"status": "affected",
"version": "2.8.7"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Popup Maker and Popup Anything \u2013 Popup for opt-ins and Lead Generation Conversions",
"vendor": "essentialplugin",
"versions": [
{
"status": "affected",
"version": "2.9.1"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Testimonial Grid and Testimonial Slider plus Carousel with Rotator Widget",
"vendor": "essentialplugin",
"versions": [
{
"status": "affected",
"version": "3.5.6"
}
]
},
{
"defaultStatus": "unaffected",
"product": "WP Responsive Recent Post Slider/Carousel",
"vendor": "essentialplugin",
"versions": [
{
"status": "affected",
"version": "3.7.1"
}
]
},
{
"defaultStatus": "unaffected",
"product": "WP Slick Slider and Image Carousel",
"vendor": "essentialplugin",
"versions": [
{
"status": "affected",
"version": "3.7.8.1"
}
]
},
{
"defaultStatus": "unaffected",
"product": "WP Logo Showcase Responsive Slider and Carousel",
"vendor": "essentialplugin",
"versions": [
{
"status": "affected",
"version": "3.8.7"
}
]
},
{
"defaultStatus": "unaffected",
"product": "WP responsive FAQ with category plugin",
"vendor": "essentialplugin",
"versions": [
{
"status": "affected",
"version": "3.9.5"
}
]
},
{
"defaultStatus": "unaffected",
"product": "WP News and Scrolling Widgets",
"vendor": "essentialplugin",
"versions": [
{
"status": "affected",
"version": "5.0.6"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Eu Joe Chegne"
},
{
"lang": "en",
"type": "finder",
"value": "Damien"
}
],
"descriptions": [
{
"lang": "en",
"value": "All plugins by Essentialplugin for WordPress are vulnerable to an injected backdoor in various versions. This is due to the plugin being sold to a malicious threat actor that embedded a backdoor in all of the plugin\u0027s they acquired. This makes it possible for the threat actor to maintain a persistent backdoor and inject spam into the affected sites."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-506",
"description": "CWE-506 Embedded Malicious Code",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-21T19:53:07.705Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/2597724a-9a39-4e46-b153-f42366f833ba?source=cve"
},
{
"url": "https://anchor.host/someone-bought-30-wordpress-plugins-and-planted-a-backdoor-in-all-of-them/"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-04-16T18:38:10.000Z",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2026-04-09T00:00:00.000Z",
"value": "Disclosed"
}
],
"title": "Essentialplugin Plugins (Various Versions) - Injected Backdoor"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2026-6443",
"datePublished": "2026-04-17T06:44:49.128Z",
"dateReserved": "2026-04-16T18:22:16.366Z",
"dateUpdated": "2026-04-21T19:53:07.705Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-59374 (GCVE-0-2025-59374)
Vulnerability from cvelistv5 – Published: 2025-12-17 04:27 – Updated: 2026-02-26 16:07- CWE-506 - Embedded Malicious Code
| URL | Tags |
|---|---|
| https://www.asus.com/news/hqfgvuyz6uyayje1/ | vendor-advisory |
| https://www.cisa.gov/known-exploited-vulnerabilit… | government-resource |
| Vendor | Product | Version | |
|---|---|---|---|
| ASUS | live update |
Affected:
before 3.6.6
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-59374",
"options": [
{
"Exploitation": "active"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-12-18T04:55:25.451260Z",
"version": "2.0.3"
},
"type": "ssvc"
}
},
{
"other": {
"content": {
"dateAdded": "2025-12-17",
"reference": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-59374"
},
"type": "kev"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-26T16:07:31.559Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"government-resource"
],
"url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-59374"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "live update",
"vendor": "ASUS",
"versions": [
{
"status": "affected",
"version": "before 3.6.6"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:asus:live_update:before_3.6.6:*:*:*:*:*:*:*",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "OR"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\"UNSUPPORTED WHEN ASSIGNED\"\u0026nbsp;Certain versions of the ASUS Live Update client were distributed with unauthorized modifications introduced through a supply chain compromise.\u0026nbsp;The modified builds could cause devices meeting specific targeting conditions to perform unintended actions. Only devices that met these conditions and installed the compromised versions were affected.\u0026nbsp;The Live Update client has already reached End-of-Support (EOS) in October 2021, and no currently supported devices or products are affected by this issue."
}
],
"value": "\"UNSUPPORTED WHEN ASSIGNED\"\u00a0Certain versions of the ASUS Live Update client were distributed with unauthorized modifications introduced through a supply chain compromise.\u00a0The modified builds could cause devices meeting specific targeting conditions to perform unintended actions. Only devices that met these conditions and installed the compromised versions were affected.\u00a0The Live Update client has already reached End-of-Support (EOS) in October 2021, and no currently supported devices or products are affected by this issue."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 9.3,
"baseSeverity": "CRITICAL",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-506",
"description": "CWE-506: Embedded Malicious Code",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-12-17T04:27:06.885Z",
"orgId": "54bf65a7-a193-42d2-b1ba-8e150d3c35e1",
"shortName": "ASUS"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://www.asus.com/news/hqfgvuyz6uyayje1/"
}
],
"source": {
"discovery": "UNKNOWN"
},
"x_generator": {
"engine": "Vulnogram 0.5.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "54bf65a7-a193-42d2-b1ba-8e150d3c35e1",
"assignerShortName": "ASUS",
"cveId": "CVE-2025-59374",
"datePublished": "2025-12-17T04:27:06.885Z",
"dateReserved": "2025-09-15T01:36:47.359Z",
"dateUpdated": "2026-02-26T16:07:31.559Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-59331 (GCVE-0-2025-59331)
Vulnerability from cvelistv5 – Published: 2025-09-15 19:21 – Updated: 2025-09-15 19:39- CWE-506 - Embedded Malicious Code
| URL | Tags |
|---|---|
| https://github.com/Qix-/node-is-arrayish/security… | x_refsource_CONFIRM |
| https://github.com/debug-js/debug/issues/1005 | x_refsource_MISC |
| https://socket.dev/blog/npm-author-qix-compromise… | x_refsource_MISC |
| https://www.aikido.dev/blog/npm-debug-and-chalk-p… | x_refsource_MISC |
| https://www.ox.security/blog/npm-packages-compromised | x_refsource_MISC |
| Vendor | Product | Version | |
|---|---|---|---|
| Qix- | node-is-arrayish |
Affected:
= 0.3.3
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-59331",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-09-15T19:39:45.623133Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-09-15T19:39:50.341Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "node-is-arrayish",
"vendor": "Qix-",
"versions": [
{
"status": "affected",
"version": "= 0.3.3"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "is-arrayish checks if an object can be used like an Array. On 8 September 2025, an npm publishing account for is-arrayish was taken over after a phishing attack. Version 0.3.3 was published, functionally identical to the previous patch version, but with a malware payload added attempting to redirect cryptocurrency transactions to the attacker\u0027s own addresses from within browser environments. Local environments, server environments, command line applications, etc. are not affected. If the package was used in a browser context (e.g. a direct \u003cscript\u003e inclusion, or via a bundling tool such as Babel, Rollup, Vite, Next.js, etc.) there is a chance the malware still exists and such bundles will need to be rebuilt. The malware seemingly only targets cryptocurrency transactions and wallets such as MetaMask. See references below for more information on the payload. npm removed the offending package from the registry over the course of the day on 8 September, preventing further downloads from npm proper. On 13 September, the package owner published new patch versions to help cache-bust those using private registries who might still have the compromised version cached. Users should update to the latest patch version, completely remove their node_modules directory, clean their package manager\u0027s global cache, and rebuild any browser bundles from scratch. Those operating private registries or registry mirrors should purge the offending versions from any caches. This issue is resolved in 0.3.4."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N/E:A/U:Red",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "HIGH"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-506",
"description": "CWE-506: Embedded Malicious Code",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-09-15T19:21:29.858Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/Qix-/node-is-arrayish/security/advisories/GHSA-frh7-2f84-v9mw",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/Qix-/node-is-arrayish/security/advisories/GHSA-frh7-2f84-v9mw"
},
{
"name": "https://github.com/debug-js/debug/issues/1005",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/debug-js/debug/issues/1005"
},
{
"name": "https://socket.dev/blog/npm-author-qix-compromised-in-major-supply-chain-attack",
"tags": [
"x_refsource_MISC"
],
"url": "https://socket.dev/blog/npm-author-qix-compromised-in-major-supply-chain-attack"
},
{
"name": "https://www.aikido.dev/blog/npm-debug-and-chalk-packages-compromised",
"tags": [
"x_refsource_MISC"
],
"url": "https://www.aikido.dev/blog/npm-debug-and-chalk-packages-compromised"
},
{
"name": "https://www.ox.security/blog/npm-packages-compromised",
"tags": [
"x_refsource_MISC"
],
"url": "https://www.ox.security/blog/npm-packages-compromised"
}
],
"source": {
"advisory": "GHSA-frh7-2f84-v9mw",
"discovery": "UNKNOWN"
},
"title": "is-arrayish@0.3.3 contains malware after npm account takeover"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-59331",
"datePublished": "2025-09-15T19:21:29.858Z",
"dateReserved": "2025-09-12T12:36:24.634Z",
"dateUpdated": "2025-09-15T19:39:50.341Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-59330 (GCVE-0-2025-59330)
Vulnerability from cvelistv5 – Published: 2025-09-15 19:19 – Updated: 2025-09-15 19:42- CWE-506 - Embedded Malicious Code
| URL | Tags |
|---|---|
| https://github.com/Qix-/node-error-ex/security/ad… | x_refsource_CONFIRM |
| https://github.com/debug-js/debug/issues/1005 | x_refsource_MISC |
| https://socket.dev/blog/npm-author-qix-compromise… | x_refsource_MISC |
| https://www.aikido.dev/blog/npm-debug-and-chalk-p… | x_refsource_MISC |
| https://www.ox.security/blog/npm-packages-compromised | x_refsource_MISC |
| Vendor | Product | Version | |
|---|---|---|---|
| Qix- | node-error-ex |
Affected:
= 1.3.3
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-59330",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-09-15T19:42:18.034982Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-09-15T19:42:22.624Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "node-error-ex",
"vendor": "Qix-",
"versions": [
{
"status": "affected",
"version": "= 1.3.3"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "error-ex allows error subclassing and stack customization. On 8 September 2025, an npm publishing account for error-ex was taken over after a phishing attack. Version 1.3.3 was published, functionally identical to the previous patch version, but with a malware payload added attempting to redirect cryptocurrency transactions to the attacker\u0027s own addresses from within browser environments. Local environments, server environments, command line applications, etc. are not affected. If the package was used in a browser context (e.g. a direct \u003cscript\u003e inclusion, or via a bundling tool such as Babel, Rollup, Vite, Next.js, etc.) there is a chance the malware still exists and such bundles will need to be rebuilt. The malware seemingly only targets cryptocurrency transactions and wallets such as MetaMask. npm removed the offending package from the registry over the course of the day on 8 September, preventing further downloads from npm proper. On 13 September, the package owner published new patch versions to help cache-bust those using private registries who might still have the compromised version cached. Users should update to the latest patch version, completely remove their node_modules directory, clean their package manager\u0027s global cache, and rebuild any browser bundles from scratch. Those operating private registries or registry mirrors should purge the offending versions from any caches. This issue is resolved in 1.3.4."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N/E:A/U:Red",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "HIGH"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-506",
"description": "CWE-506: Embedded Malicious Code",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-09-15T19:19:22.213Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/Qix-/node-error-ex/security/advisories/GHSA-6jp5-hh4c-8c5h",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/Qix-/node-error-ex/security/advisories/GHSA-6jp5-hh4c-8c5h"
},
{
"name": "https://github.com/debug-js/debug/issues/1005",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/debug-js/debug/issues/1005"
},
{
"name": "https://socket.dev/blog/npm-author-qix-compromised-in-major-supply-chain-attack",
"tags": [
"x_refsource_MISC"
],
"url": "https://socket.dev/blog/npm-author-qix-compromised-in-major-supply-chain-attack"
},
{
"name": "https://www.aikido.dev/blog/npm-debug-and-chalk-packages-compromised",
"tags": [
"x_refsource_MISC"
],
"url": "https://www.aikido.dev/blog/npm-debug-and-chalk-packages-compromised"
},
{
"name": "https://www.ox.security/blog/npm-packages-compromised",
"tags": [
"x_refsource_MISC"
],
"url": "https://www.ox.security/blog/npm-packages-compromised"
}
],
"source": {
"advisory": "GHSA-6jp5-hh4c-8c5h",
"discovery": "UNKNOWN"
},
"title": "error-ex@1.3.3 contains malware after npm account takeover"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-59330",
"datePublished": "2025-09-15T19:19:22.213Z",
"dateReserved": "2025-09-12T12:36:24.634Z",
"dateUpdated": "2025-09-15T19:42:22.624Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-59162 (GCVE-0-2025-59162)
Vulnerability from cvelistv5 – Published: 2025-09-15 19:16 – Updated: 2025-09-15 19:43- CWE-506 - Embedded Malicious Code
| URL | Tags |
|---|---|
| https://github.com/Qix-/color-convert/security/ad… | x_refsource_CONFIRM |
| https://github.com/debug-js/debug/issues/1005 | x_refsource_MISC |
| https://socket.dev/blog/npm-author-qix-compromise… | x_refsource_MISC |
| https://www.aikido.dev/blog/npm-debug-and-chalk-p… | x_refsource_MISC |
| https://www.ox.security/blog/npm-packages-compromised | x_refsource_MISC |
| Vendor | Product | Version | |
|---|---|---|---|
| Qix- | color-convert |
Affected:
= 3.1.1
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-59162",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-09-15T19:43:15.829675Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-09-15T19:43:24.241Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "color-convert",
"vendor": "Qix-",
"versions": [
{
"status": "affected",
"version": "= 3.1.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "color-convert provides plain color conversion functions in JavaScript. On 8 September 2025, the npm publishing account for color-convert was taken over after a phishing attack. Version 3.1.1 was published, functionally identical to the previous patch version, but with a malware payload added attempting to redirect cryptocurrency transactions to the attacker\u0027s own addresses from within browser environments. Local environments, server environments, command line applications, etc. are not affected. If the package was used in a browser context (e.g. a direct \u003cscript\u003e inclusion, or via a bundling tool such as Babel, Rollup, Vite, Next.js, etc.) there is a chance the malware still exists and such bundles will need to be rebuilt. The malware seemingly only targets cryptocurrency transactions and wallets such as MetaMask. npm removed the offending package from the registry over the course of the day on 8 September, preventing further downloads from npm proper. On 13 September, the package owner published new patch versions to help cache-bust those using private registries who might still have the compromised version cached. Users should update to the latest patch version, completely remove their node_modules directory, clean their package manager\u0027s global cache, and rebuild any browser bundles from scratch. Those operating private registries or registry mirrors should purge the offending versions from any caches. This issue is resolved in 3.1.2."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N/E:A/U:Red",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "HIGH"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-506",
"description": "CWE-506: Embedded Malicious Code",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-09-15T19:16:23.382Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/Qix-/color-convert/security/advisories/GHSA-pxx3-g568-hxr4",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/Qix-/color-convert/security/advisories/GHSA-pxx3-g568-hxr4"
},
{
"name": "https://github.com/debug-js/debug/issues/1005",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/debug-js/debug/issues/1005"
},
{
"name": "https://socket.dev/blog/npm-author-qix-compromised-in-major-supply-chain-attack",
"tags": [
"x_refsource_MISC"
],
"url": "https://socket.dev/blog/npm-author-qix-compromised-in-major-supply-chain-attack"
},
{
"name": "https://www.aikido.dev/blog/npm-debug-and-chalk-packages-compromised",
"tags": [
"x_refsource_MISC"
],
"url": "https://www.aikido.dev/blog/npm-debug-and-chalk-packages-compromised"
},
{
"name": "https://www.ox.security/blog/npm-packages-compromised",
"tags": [
"x_refsource_MISC"
],
"url": "https://www.ox.security/blog/npm-packages-compromised"
}
],
"source": {
"advisory": "GHSA-pxx3-g568-hxr4",
"discovery": "UNKNOWN"
},
"title": "color-convert@3.1.1 contains malware after npm account takeover"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-59162",
"datePublished": "2025-09-15T19:16:23.382Z",
"dateReserved": "2025-09-09T15:23:16.327Z",
"dateUpdated": "2025-09-15T19:43:24.241Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-59145 (GCVE-0-2025-59145)
Vulnerability from cvelistv5 – Published: 2025-09-15 20:32 – Updated: 2025-09-15 20:39- CWE-506 - Embedded Malicious Code
| URL | Tags |
|---|---|
| https://github.com/colorjs/color-name/security/ad… | x_refsource_CONFIRM |
| https://github.com/debug-js/debug/issues/1005 | x_refsource_MISC |
| https://socket.dev/blog/npm-author-qix-compromise… | x_refsource_MISC |
| https://www.aikido.dev/blog/npm-debug-and-chalk-p… | x_refsource_MISC |
| https://www.ox.security/blog/npm-packages-compromised | x_refsource_MISC |
| Vendor | Product | Version | |
|---|---|---|---|
| colorjs | color-name |
Affected:
= 2.0.1
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-59145",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-09-15T20:39:50.044627Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-09-15T20:39:58.389Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "color-name",
"vendor": "colorjs",
"versions": [
{
"status": "affected",
"version": "= 2.0.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "color-name is a JSON with CSS color names. On 8 September 2025, an npm publishing account for color-name was taken over after a phishing attack. Version 2.0.1 was published, functionally identical to the previous patch version, but with a malware payload added attempting to redirect cryptocurrency transactions to the attacker\u0027s own addresses from within browser environments. Local environments, server environments, command line applications, etc. are not affected. If the package was used in a browser context (e.g. a direct \u003cscript\u003e inclusion, or via a bundling tool such as Babel, Rollup, Vite, Next.js, etc.) there is a chance the malware still exists and such bundles will need to be rebuilt. The malware seemingly only targets cryptocurrency transactions and wallets such as MetaMask. See references below for more information on the payload. npm removed the offending package from the registry over the course of the day on 8 September, preventing further downloads from npm proper. On 13 September, the package owner published new patch versions to help cache-bust those using private registries who might still have the compromised version cached. Users should update to the latest patch version, completely remove their node_modules directory, clean their package manager\u0027s global cache, and rebuild any browser bundles from scratch. Those operating private registries or registry mirrors should purge the offending versions from any caches. This issue is resolved in 2.0.2."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N/E:A/U:Red",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "HIGH"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-506",
"description": "CWE-506: Embedded Malicious Code",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-09-15T20:32:43.877Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/colorjs/color-name/security/advisories/GHSA-5fvm-p68v-5wmh",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/colorjs/color-name/security/advisories/GHSA-5fvm-p68v-5wmh"
},
{
"name": "https://github.com/debug-js/debug/issues/1005",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/debug-js/debug/issues/1005"
},
{
"name": "https://socket.dev/blog/npm-author-qix-compromised-in-major-supply-chain-attack",
"tags": [
"x_refsource_MISC"
],
"url": "https://socket.dev/blog/npm-author-qix-compromised-in-major-supply-chain-attack"
},
{
"name": "https://www.aikido.dev/blog/npm-debug-and-chalk-packages-compromised",
"tags": [
"x_refsource_MISC"
],
"url": "https://www.aikido.dev/blog/npm-debug-and-chalk-packages-compromised"
},
{
"name": "https://www.ox.security/blog/npm-packages-compromised",
"tags": [
"x_refsource_MISC"
],
"url": "https://www.ox.security/blog/npm-packages-compromised"
}
],
"source": {
"advisory": "GHSA-5fvm-p68v-5wmh",
"discovery": "UNKNOWN"
},
"title": "color-name@2.0.1 contains malware after npm account takeover"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-59145",
"datePublished": "2025-09-15T20:32:43.877Z",
"dateReserved": "2025-09-09T15:23:16.326Z",
"dateUpdated": "2025-09-15T20:39:58.389Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-59144 (GCVE-0-2025-59144)
Vulnerability from cvelistv5 – Published: 2025-09-15 19:10 – Updated: 2025-09-15 19:46- CWE-506 - Embedded Malicious Code
| URL | Tags |
|---|---|
| https://github.com/debug-js/debug/security/adviso… | x_refsource_CONFIRM |
| https://github.com/debug-js/debug/issues/1005 | x_refsource_MISC |
| https://socket.dev/blog/npm-author-qix-compromise… | x_refsource_MISC |
| https://www.aikido.dev/blog/npm-debug-and-chalk-p… | x_refsource_MISC |
| https://www.ox.security/blog/npm-packages-compromised | x_refsource_MISC |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-59144",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-09-15T19:46:32.027005Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-09-15T19:46:39.190Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "debug",
"vendor": "debug-js",
"versions": [
{
"status": "affected",
"version": "= 4.4.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "debug is a JavaScript debugging utility. On 8 September 2025, the npm publishing account for debug was taken over after a phishing attack. Version 4.4.2 was published, functionally identical to the previous patch version, but with a malware payload added attempting to redirect cryptocurrency transactions to the attacker\u0027s own addresses from within browser environments. Local environments, server environments, command line applications, etc. are not affected. If the package was used in a browser context (e.g. a direct \u003cscript\u003e inclusion, or via a bundling tool such as Babel, Rollup, Vite, Next.js, etc.) there is a chance the malware still exists and such bundles will need to be rebuilt. The malware seemingly only targets cryptocurrency transactions and wallets such as MetaMask. npm removed the offending package from the registry over the course of the day on 8 September, preventing further downloads from npm proper. On 13 September, the package owner published new patch versions to help cache-bust those using private registries who might still have the compromised version cached. Users should upgrade to the latest patch version, completely remove their node_modules directory, clean their package manager\u0027s global cache, and rebuild any browser bundles from scratch. Those operating private registries or registry mirrors should purge the offending versions from any caches. This issue has been resolved in 4.4.3."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N/E:A/U:Red",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "HIGH"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-506",
"description": "CWE-506: Embedded Malicious Code",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-09-15T19:10:04.053Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/debug-js/debug/security/advisories/GHSA-4x49-vf9v-38px",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/debug-js/debug/security/advisories/GHSA-4x49-vf9v-38px"
},
{
"name": "https://github.com/debug-js/debug/issues/1005",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/debug-js/debug/issues/1005"
},
{
"name": "https://socket.dev/blog/npm-author-qix-compromised-in-major-supply-chain-attack",
"tags": [
"x_refsource_MISC"
],
"url": "https://socket.dev/blog/npm-author-qix-compromised-in-major-supply-chain-attack"
},
{
"name": "https://www.aikido.dev/blog/npm-debug-and-chalk-packages-compromised",
"tags": [
"x_refsource_MISC"
],
"url": "https://www.aikido.dev/blog/npm-debug-and-chalk-packages-compromised"
},
{
"name": "https://www.ox.security/blog/npm-packages-compromised",
"tags": [
"x_refsource_MISC"
],
"url": "https://www.ox.security/blog/npm-packages-compromised"
}
],
"source": {
"advisory": "GHSA-4x49-vf9v-38px",
"discovery": "UNKNOWN"
},
"title": "debug@4.4.2 contains malware after npm account takeover"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-59144",
"datePublished": "2025-09-15T19:10:04.053Z",
"dateReserved": "2025-09-09T15:23:16.326Z",
"dateUpdated": "2025-09-15T19:46:39.190Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-59143 (GCVE-0-2025-59143)
Vulnerability from cvelistv5 – Published: 2025-09-15 19:10 – Updated: 2025-09-15 19:50- CWE-506 - Embedded Malicious Code
| URL | Tags |
|---|---|
| https://github.com/Qix-/color/security/advisories… | x_refsource_CONFIRM |
| https://github.com/debug-js/debug/issues/1005 | x_refsource_MISC |
| https://socket.dev/blog/npm-author-qix-compromise… | x_refsource_MISC |
| https://www.aikido.dev/blog/npm-debug-and-chalk-p… | x_refsource_MISC |
| https://www.ox.security/blog/npm-packages-compromised | x_refsource_MISC |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-59143",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-09-15T19:50:43.373770Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-09-15T19:50:50.772Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "color",
"vendor": "Qix-",
"versions": [
{
"status": "affected",
"version": "= 5.0.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "color is a Javascript color conversion and manipulation library. On 8 September 2025, the npm publishing account for color was taken over after a phishing attack. Version 5.0.1 was published, functionally identical to the previous patch version, but with a malware payload added attempting to redirect cryptocurrency transactions to the attacker\u0027s own addresses from within browser environments. Local environments, server environments, command line applications, etc. are not affected. If the package was used in a browser context (e.g. a direct \u003cscript\u003e inclusion, or via a bundling tool such as Babel, Rollup, Vite, Next.js, etc.) there is a chance the malware still exists and such bundles will need to be rebuilt. The malware seemingly only targets cryptocurrency transactions and wallets such as MetaMask. npm removed the offending package from the registry over the course of the day on 8 September, preventing further downloads from npm proper. On 13 September, the package owner published new patch versions to help cache-bust those using private registries who might still have the compromised version cached. Users should update to the latest patch version, completely remove their node_modules directory, clean their package manager\u0027s global cache, and rebuild any browser bundles from scratch. Those operating private registries or registry mirrors should purge the offending versions from any caches. This issues has been resolved in 5.0.2."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N/E:A/U:Red",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "HIGH"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-506",
"description": "CWE-506: Embedded Malicious Code",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-09-15T19:10:01.610Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/Qix-/color/security/advisories/GHSA-qrmh-qg46-72pp",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/Qix-/color/security/advisories/GHSA-qrmh-qg46-72pp"
},
{
"name": "https://github.com/debug-js/debug/issues/1005",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/debug-js/debug/issues/1005"
},
{
"name": "https://socket.dev/blog/npm-author-qix-compromised-in-major-supply-chain-attack",
"tags": [
"x_refsource_MISC"
],
"url": "https://socket.dev/blog/npm-author-qix-compromised-in-major-supply-chain-attack"
},
{
"name": "https://www.aikido.dev/blog/npm-debug-and-chalk-packages-compromised",
"tags": [
"x_refsource_MISC"
],
"url": "https://www.aikido.dev/blog/npm-debug-and-chalk-packages-compromised"
},
{
"name": "https://www.ox.security/blog/npm-packages-compromised",
"tags": [
"x_refsource_MISC"
],
"url": "https://www.ox.security/blog/npm-packages-compromised"
}
],
"source": {
"advisory": "GHSA-qrmh-qg46-72pp",
"discovery": "UNKNOWN"
},
"title": "color@5.0.1 contains malware after npm account takeover"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-59143",
"datePublished": "2025-09-15T19:10:01.610Z",
"dateReserved": "2025-09-09T15:23:16.326Z",
"dateUpdated": "2025-09-15T19:50:50.772Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-59142 (GCVE-0-2025-59142)
Vulnerability from cvelistv5 – Published: 2025-09-15 19:10 – Updated: 2025-09-15 19:45- CWE-506 - Embedded Malicious Code
| URL | Tags |
|---|---|
| https://github.com/Qix-/color-string/security/adv… | x_refsource_CONFIRM |
| https://github.com/debug-js/debug/issues/1005 | x_refsource_MISC |
| https://socket.dev/blog/npm-author-qix-compromise… | x_refsource_MISC |
| https://www.aikido.dev/blog/npm-debug-and-chalk-p… | x_refsource_MISC |
| https://www.ox.security/blog/npm-packages-compromised | x_refsource_MISC |
| Vendor | Product | Version | |
|---|---|---|---|
| Qix- | color-string |
Affected:
= 2.1.1
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-59142",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-09-15T19:45:33.340598Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-09-15T19:45:39.946Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "color-string",
"vendor": "Qix-",
"versions": [
{
"status": "affected",
"version": "= 2.1.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "color-string is a parser and generator for CSS color strings. On 8 September 2025, the npm publishing account for color-string was taken over after a phishing attack. Version 2.1.1 was published, functionally identical to the previous patch version, but with a malware payload added attempting to redirect cryptocurrency transactions to the attacker\u0027s own addresses from within browser environments. Local environments, server environments, command line applications, etc. are not affected. If the package was used in a browser context (e.g. a direct \u003cscript\u003e inclusion, or via a bundling tool such as Babel, Rollup, Vite, Next.js, etc.) there is a chance the malware still exists and such bundles will need to be rebuilt. The malware seemingly only targets cryptocurrency transactions and wallets such as MetaMask. npm removed the offending package from the registry over the course of the day on 8 September. On 13 September, the package owner published new patch versions to help cache-bust those using private registries who might still have the compromised version cached. This issue has been resolved in 2.1.2."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N/E:A/U:Red",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "HIGH"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-506",
"description": "CWE-506: Embedded Malicious Code",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-09-15T19:10:07.595Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/Qix-/color-string/security/advisories/GHSA-286p-vc9p-p5qv",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/Qix-/color-string/security/advisories/GHSA-286p-vc9p-p5qv"
},
{
"name": "https://github.com/debug-js/debug/issues/1005",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/debug-js/debug/issues/1005"
},
{
"name": "https://socket.dev/blog/npm-author-qix-compromised-in-major-supply-chain-attack",
"tags": [
"x_refsource_MISC"
],
"url": "https://socket.dev/blog/npm-author-qix-compromised-in-major-supply-chain-attack"
},
{
"name": "https://www.aikido.dev/blog/npm-debug-and-chalk-packages-compromised",
"tags": [
"x_refsource_MISC"
],
"url": "https://www.aikido.dev/blog/npm-debug-and-chalk-packages-compromised"
},
{
"name": "https://www.ox.security/blog/npm-packages-compromised",
"tags": [
"x_refsource_MISC"
],
"url": "https://www.ox.security/blog/npm-packages-compromised"
}
],
"source": {
"advisory": "GHSA-286p-vc9p-p5qv",
"discovery": "UNKNOWN"
},
"title": "color-string@2.1.1 contains malware after npm account takeover"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-59142",
"datePublished": "2025-09-15T19:10:07.595Z",
"dateReserved": "2025-09-09T15:23:16.326Z",
"dateUpdated": "2025-09-15T19:45:39.946Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-59141 (GCVE-0-2025-59141)
Vulnerability from cvelistv5 – Published: 2025-09-15 19:09 – Updated: 2025-09-16 13:47- CWE-506 - Embedded Malicious Code
| URL | Tags |
|---|---|
| https://github.com/Qix-/node-simple-swizzle/secur… | x_refsource_CONFIRM |
| https://github.com/debug-js/debug/issues/1005 | x_refsource_MISC |
| https://socket.dev/blog/npm-author-qix-compromise… | x_refsource_MISC |
| https://www.aikido.dev/blog/npm-debug-and-chalk-p… | x_refsource_MISC |
| https://www.ox.security/blog/npm-packages-compromised | x_refsource_MISC |
| Vendor | Product | Version | |
|---|---|---|---|
| Qix- | node-simple-swizzle |
Affected:
= 0.2.3
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-59141",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-09-16T13:47:43.689728Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-09-16T13:47:52.535Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "node-simple-swizzle",
"vendor": "Qix-",
"versions": [
{
"status": "affected",
"version": "= 0.2.3"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "simple-swizzle swizzles function arguments. On 8 September 2025, the npm publishing account for simple-swizzle was taken over after a phishing attack. Version 0.2.3 was published, functionally identical to the previous patch version, but with a malware payload added attempting to redirect cryptocurrency transactions to the attacker\u0027s own addresses from within browser environments. Local environments, server environments, command line applications, etc. are not affected. If the package was used in a browser context (e.g. a direct \u003cscript\u003e inclusion, or via a bundling tool such as Babel, Rollup, Vite, Next.js, etc.) there is a chance the malware still exists and such bundles will need to be rebuilt. The malware seemingly only targets cryptocurrency transactions and wallets such as MetaMask. npm removed the offending package from the registry over the course of the day on 8 September, preventing further downloads from npm proper. On 13 September, the package owner published new patch versions to help cache-bust those using private registries who might still have the compromised version cached. Users should update to the latest patch version, completely remove their node_modules directory, clean their package manager\u0027s global cache, and rebuild any browser bundles from scratch. Those operating private registries or registry mirrors should purge the offending versions from any caches. This issue is resolved in 0.2.4."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N/E:A/U:Red",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "HIGH"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-506",
"description": "CWE-506: Embedded Malicious Code",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-09-15T19:09:58.661Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/Qix-/node-simple-swizzle/security/advisories/GHSA-9g9j-rggx-7fmg",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/Qix-/node-simple-swizzle/security/advisories/GHSA-9g9j-rggx-7fmg"
},
{
"name": "https://github.com/debug-js/debug/issues/1005",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/debug-js/debug/issues/1005"
},
{
"name": "https://socket.dev/blog/npm-author-qix-compromised-in-major-supply-chain-attack",
"tags": [
"x_refsource_MISC"
],
"url": "https://socket.dev/blog/npm-author-qix-compromised-in-major-supply-chain-attack"
},
{
"name": "https://www.aikido.dev/blog/npm-debug-and-chalk-packages-compromised",
"tags": [
"x_refsource_MISC"
],
"url": "https://www.aikido.dev/blog/npm-debug-and-chalk-packages-compromised"
},
{
"name": "https://www.ox.security/blog/npm-packages-compromised",
"tags": [
"x_refsource_MISC"
],
"url": "https://www.ox.security/blog/npm-packages-compromised"
}
],
"source": {
"advisory": "GHSA-9g9j-rggx-7fmg",
"discovery": "UNKNOWN"
},
"title": "simple-swizzle@0.2.3 contains malware after npm account takeover"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-59141",
"datePublished": "2025-09-15T19:09:58.661Z",
"dateReserved": "2025-09-09T15:23:16.326Z",
"dateUpdated": "2025-09-16T13:47:52.535Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
Mitigation
Remove the malicious code and start an effort to ensure that no more malicious code exists. This may require a detailed review of all code, as it is possible to hide a serious attack in only one or two lines of code. These lines may be located almost anywhere in an application and may have been intentionally obfuscated by the attacker.
CAPEC-442: Infected Software
An adversary adds malicious logic, often in the form of a computer virus, to otherwise benign software. This logic is often hidden from the user of the software and works behind the scenes to achieve negative impacts. Many times, the malicious logic is inserted into empty space between legitimate code, and is then called when the software is executed. This pattern of attack focuses on software already fielded and used in operation as opposed to software that is still under development and part of the supply chain.
CAPEC-448: Embed Virus into DLL
An adversary tampers with a DLL and embeds a computer virus into gaps between legitimate machine instructions. These gaps may be the result of compiler optimizations that pad memory blocks for performance gains. The embedded virus then attempts to infect any machine which interfaces with the product, and possibly steal private data or eavesdrop.
CAPEC-636: Hiding Malicious Data or Code within Files
Files on various operating systems can have a complex format which allows for the storage of other data, in addition to its contents. Often this is metadata about the file, such as a cached thumbnail for an image file. Unless utilities are invoked in a particular way, this data is not visible during the normal use of the file. It is possible for an attacker to store malicious data or code using these facilities, which would be difficult to discover.