CVE-2025-59038 Overview
CVE-2025-59038 affects Prebid.js, an open source header bidding library used by publishers to manage programmatic advertising. The NPM-distributed version 10.9.2 was briefly compromised through a software supply chain attack. The malicious code injected into the package attempts to redirect cryptocurrency transactions on affected sites to attacker-controlled wallets. The maintainers released version 10.10.0 to remediate the issue. This vulnerability is classified as embedded malicious code [CWE-506] and falls under the broader npm supply chain compromise that impacted multiple JavaScript packages.
Critical Impact
Publishers using the compromised Prebid.js 10.9.2 package risk silent redirection of cryptocurrency transactions from site visitors to attacker wallets, with high confidentiality, integrity, and availability impact on browser sessions.
Affected Products
- Prebid.js version 10.9.2 distributed via NPM
- Web publishers integrating the compromised package into client-side bundles
- Site visitors interacting with cryptocurrency transactions on affected publisher sites
Discovery Timeline
- 2025-09-09 - CVE-2025-59038 published to the National Vulnerability Database
- 2026-04-15 - Last updated in NVD database
Technical Details for CVE-2025-59038
Vulnerability Analysis
The vulnerability stems from a supply chain compromise of the Prebid.js NPM package, not a flaw in the library's source logic. Attackers published a tainted 10.9.2 build containing embedded malicious JavaScript designed to manipulate cryptocurrency wallet interactions in the browser. The campaign is tied to the broader npm chalk and debug package compromise documented by Sonatype. Because Prebid.js executes in the client-side context of publisher websites, the injected code runs with full DOM access on every page that loads the library.
Root Cause
The root cause is the inclusion of attacker-controlled malicious code in a trusted dependency [CWE-506]. A publishing account or release pipeline associated with the affected npm packages was abused to push a backdoored build. Consumers pulling prebid@10.9.2 from the registry received the trojanized artifact through normal npm install operations.
Attack Vector
The attack requires user interaction on a site that loads the compromised script. When a visitor initiates a cryptocurrency transaction, the malicious payload intercepts wallet calls and rewrites destination addresses to attacker-owned wallets. The injection acts as a clipper-style threat: it monitors for crypto-related API calls or DOM elements, swaps target addresses transparently, and surfaces no error to the victim. See the Prebid GitHub Security Advisory and the Sonatype analysis of the npm supply chain attack for technical details on the injected payload.
Detection Methods for CVE-2025-59038
Indicators of Compromise
- Presence of prebid@10.9.2 in package-lock.json, yarn.lock, or node_modules manifests
- Outbound browser requests to unfamiliar wallet addresses or domains tied to the npm chalk/debug compromise cluster
- Unexpected modifications to wallet address strings in client-side cryptocurrency transaction flows
- Build artifacts or CDN-hosted bundles containing the compromised Prebid.js source
Detection Strategies
- Audit dependency trees with npm ls prebid and CI/CD SBOM tooling to flag the 10.9.2 version.
- Compare hashes of deployed prebid.js bundles against the official 10.10.0 release artifacts.
- Inspect production JavaScript bundles for obfuscated wallet-address regex patterns or window.ethereum hooking consistent with the published campaign IOCs.
Monitoring Recommendations
- Enable Content Security Policy (CSP) reporting and Subresource Integrity (SRI) on third-party scripts to surface unauthorized changes.
- Monitor egress traffic from publisher domains for anomalous connections triggered by client-side scripts.
- Track npm registry advisories and integrate automated dependency scanning into pull request checks.
How to Mitigate CVE-2025-59038
Immediate Actions Required
- Upgrade Prebid.js to version 10.10.0 or later across all build pipelines and CDN-hosted bundles.
- Purge cached copies of prebid@10.9.2 from internal mirrors, edge caches, and developer workstations.
- Rotate any credentials, API keys, or wallet keys that may have been exposed via affected sessions.
- Notify users who transacted during the exposure window and review wallet transaction logs for redirection.
Patch Information
Upgrade to Prebid.js 10.10.0, which removes the malicious code introduced in 10.9.2. The fix is published through the upstream npm registry and the official Prebid GitHub Security Advisory.
Workarounds
- Downgrade to Prebid.js 10.9.1, which predates the compromised release and is confirmed clean by the maintainers.
- Pin dependency versions explicitly in package.json and enforce npm ci with verified package-lock.json hashes.
- Apply Subresource Integrity (SRI) hashes when loading Prebid.js from a CDN to block tampered bundles at the browser level.
# Configuration example
npm install prebid@10.10.0 --save-exact
npm ci
npm audit --production
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
