CVE-2025-59039 Overview
CVE-2025-59039 is a critical software supply chain attack affecting Prebid Universal Creative (PUC), a JavaScript API used to render multiple ad formats. The npm package version 1.17.3 and the latest tag were briefly compromised with crypto-related malware, impacting users who relied on this widely-used advertising technology library. This compromise also affected the extremely popular jsdelivr CDN hosting of the affected file, potentially exposing a significant number of websites and applications to malicious code injection.
Critical Impact
Crypto-related malware was injected into a widely-used npm package affecting ad rendering across potentially thousands of websites using Prebid Universal Creative, including those loading the library from jsdelivr CDN.
Affected Products
- Prebid Universal Creative (PUC) version 1.17.3 (npm)
- Prebid Universal Creative (PUC) latest tag (npm)
- jsdelivr-hosted versions of affected PUC files
Discovery Timeline
- 2025-09-09 - CVE-2025-59039 published to NVD
- 2025-09-11 - Last updated in NVD database
Technical Details for CVE-2025-59039
Vulnerability Analysis
This vulnerability represents a supply chain attack classified under CWE-506 (Embedded Malicious Code). The attack involved the injection of crypto-related malware into the Prebid Universal Creative npm package. PUC is a JavaScript API that enables rendering of multiple ad formats and is commonly used in the programmatic advertising ecosystem. The malware was embedded directly into version 1.17.3 of the package, as well as the dynamically-referenced latest version tag.
The attack is particularly severe because PUC is often loaded dynamically from CDN sources such as jsdelivr, meaning that websites did not need to explicitly update their dependencies to receive the malicious code: simply pointing at the latest tag, or having jsdelivr serve the cached compromised version, was sufficient for exploitation.
Root Cause
The root cause is embedded malicious code (CWE-506) within the npm package distribution. The attackers successfully compromised the package publication process, allowing them to inject crypto-related malware into what appeared to be a legitimate software update. This type of supply chain attack exploits the trust relationship between package maintainers and consumers who automatically pull updates.
Attack Vector
The attack leverages the network-accessible nature of npm package distribution and CDN delivery. When developers or websites reference PUC version 1.17.3 or the latest tag, they unknowingly download and execute the malicious code. The attack requires no authentication and no user interaction; the malicious payload executes automatically when the compromised JavaScript is loaded by a browser.
The attack flow works as follows:
- Attacker compromises the npm package publication process
- Malicious version 1.17.3 is published to npm registry
- jsdelivr and other CDNs cache the compromised file
- Websites loading PUC from npm or CDN receive the malicious code
- Crypto-related malware executes in visitors' browsers
Detection Methods for CVE-2025-59039
Indicators of Compromise
- Presence of PUC version 1.17.3 in package.json or package-lock.json files
- Network requests to unexpected cryptocurrency-related endpoints from ad-serving JavaScript
- References to the latest version tag for PUC in build configurations or CDN URLs
- Unusual JavaScript behavior within Prebid ad rendering code
Detection Strategies
- Audit npm dependencies for PUC version 1.17.3 using npm audit or similar tools
- Review subresource integrity (SRI) hashes for CDN-loaded JavaScript files
- Monitor network traffic for anomalous connections originating from ad-rendering code
- Implement software composition analysis (SCA) to detect compromised packages
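The following Node script is an added example, not part of this advisory or of the Prebid project, that checks for the indicators listed above: it scans a package-lock.json for the compromised 1.17.3 release and for any dependency spec that is not the exact safe pin, and scans HTML for CDN script tags that use the latest tag (or no version at all) or lack a Subresource Integrity attribute. Both input documents are constructed inline; the "/dist/creative.js" path in the sample URLs is an assumption, while the jsdelivr "npm/<package>@<tag>/..." URL shape is real.

```javascript
// Added example, not from the advisory: scan a package-lock.json and an HTML
// page for the indicators of compromise listed above (version 1.17.3, the
// "latest" tag / version ranges, and CDN script tags without SRI).
const PKG = "prebid-universal-creative";
const BAD_VERSION = "1.17.3";   // compromised release named in the advisory
const SAFE_VERSION = "1.17.2";  // version the advisory says to pin to

// Constructed sample lockfile (npm lockfileVersion 3 layout) in which a caret
// range resolved to the compromised release.
const SAMPLE_LOCK = JSON.stringify({
  name: "example-site",
  lockfileVersion: 3,
  packages: {
    "": { dependencies: { [PKG]: "^1.17.0" } },
    ["node_modules/" + PKG]: { version: "1.17.3" },
  },
});

// Constructed sample HTML. The "/dist/creative.js" path is an assumption used
// only to make the URLs look realistic; jsdelivr's "npm/<pkg>@<tag>/..." shape is real.
const SAMPLE_HTML = `
<script src="https://cdn.jsdelivr.net/npm/${PKG}@latest/dist/creative.js"></script>
<script src="https://cdn.jsdelivr.net/npm/${PKG}@1.17.3/dist/creative.js"></script>
<script src="https://cdn.jsdelivr.net/npm/${PKG}@1.17.2/dist/creative.js"
        integrity="sha384-PLACEHOLDER" crossorigin="anonymous"></script>
`;

// Returns one finding per problem found in a package-lock.json document.
function scanLockfile(lockText) {
  const lock = JSON.parse(lockText);
  const findings = [];

  // 1. How the root package asks for PUC: anything but the exact safe pin
  //    (a range, or a dist-tag such as "latest") can float onto a bad release.
  const root = (lock.packages && lock.packages[""]) || {};
  const spec = root.dependencies && root.dependencies[PKG];
  if (spec !== undefined && spec !== SAFE_VERSION) {
    findings.push({ kind: "not-pinned-to-safe", version: spec });
  }

  // 2. Which version actually got installed (lockfileVersion 2/3 "packages"
  //    map, with a fallback to the lockfileVersion 1 "dependencies" map).
  const installed = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path === "node_modules/" + PKG || path.endsWith("/node_modules/" + PKG)) {
      installed.push(entry.version);
    }
  }
  if (lock.dependencies && lock.dependencies[PKG]) {
    installed.push(lock.dependencies[PKG].version);
  }
  for (const v of installed) {
    if (v === BAD_VERSION) findings.push({ kind: "compromised-version", version: v });
    else if (v !== SAFE_VERSION) findings.push({ kind: "unexpected-version", version: v });
  }
  return findings;
}

// Returns one finding per <script> tag that loads PUC from a CDN with a
// floating version or without a Subresource Integrity attribute.
function scanHtml(html) {
  const findings = [];
  const tagRe = /<script\b[^>]*\bsrc="([^"]+)"[^>]*>/gi;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const [tag, src] = m;
    if (!src.includes(PKG)) continue;
    const verMatch = src.match(new RegExp(PKG + "@([^/]+)"));
    // No "@version" at all means jsdelivr serves whatever "latest" points at.
    const version = verMatch ? verMatch[1] : "(none)";
    if (version === "latest" || version === "(none)") {
      findings.push({ kind: "dynamic-version", version, src });
    } else if (version === BAD_VERSION) {
      findings.push({ kind: "compromised-version", version, src });
    }
    if (!/\bintegrity="/i.test(tag)) {
      findings.push({ kind: "missing-sri", version, src });
    }
  }
  return findings;
}

// Stand-alone run over the constructed samples.
for (const f of [...scanLockfile(SAMPLE_LOCK), ...scanHtml(SAMPLE_HTML)]) {
  console.log(`${f.kind.padEnd(20)} ${f.version}${f.src ? "  " + f.src : ""}`);
}
```

To run it over real files, replace SAMPLE_LOCK and SAMPLE_HTML with the contents read from disk; the same checks apply to any build configuration that embeds CDN URLs.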
Monitoring Recommendations
- Enable real-time dependency scanning in CI/CD pipelines to detect malicious package versions
- Configure Content Security Policy (CSP) headers to restrict outbound connections from ad scripts
- Monitor client-side JavaScript execution for cryptocurrency mining or wallet-related activity
- Set up alerts for changes to PUC-related dependencies in your projects
How to Mitigate CVE-2025-59039
Immediate Actions Required
- Immediately audit all projects for references to PUC version 1.17.3 and downgrade to 1.17.2
- Remove any references to the latest tag and pin to the safe version 1.17.2
- Clear CDN caches and verify integrity of served JavaScript files
- Review Prebid.js 9 release notes for guidance on migrating away from the deprecated PUC workflow
Patch Information
The Prebid maintainers have unpublished version 1.17.3 from npm. Users should immediately transition to version 1.17.2, which is not affected by the malware injection. For long-term remediation, the Prebid team recommends reviewing the Prebid.js 9 release notes for suggestions on moving away from the deprecated workflow of using PUC or pointing to dynamic versions.
For additional context on this supply chain attack pattern, see the Sonatype analysis of npm supply chain attacks.
Workarounds
- Pin dependencies to version 1.17.2 explicitly rather than using version ranges or latest tags
- Implement Subresource Integrity (SRI) hashes for all externally-loaded JavaScript files
- Consider self-hosting critical JavaScript dependencies rather than relying on CDN dynamic versioning
- Migrate to the updated Prebid.js 9 workflow that does not depend on the deprecated PUC architecture
# Configuration example
# Update package.json to pin safe version
npm install prebid-universal-creative@1.17.2 --save-exact
# Verify installed version
npm list prebid-universal-creative
# Generate the SRI value for self-hosted files (the integrity attribute needs the "sha384-" prefix)
echo "sha384-$(openssl dgst -sha384 -binary prebid-universal-creative.js | openssl base64 -A)"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.