CVE-2025-59140 Overview
CVE-2025-59140 affects the backslash npm package, a small utility that parses strings containing backslash escapes. On 8 September 2025, attackers took over the maintainer's npm publishing account through a phishing attack. The threat actor published version 0.2.1, functionally identical to the prior release but carrying a malware payload that redirects cryptocurrency transactions to attacker-controlled wallet addresses inside browser environments. The malicious payload specifically targets browser-based crypto wallets such as MetaMask. Server-side, command-line, and local Node.js usage is not affected. npm removed the compromised version on the same day, and the maintainers later released 0.2.2 to resolve the issue and cache-bust private registry mirrors.
Critical Impact
Browser bundles built with the compromised backslash@0.2.1 package silently rewrite cryptocurrency transaction destinations, redirecting funds to attacker wallets without user awareness.
Affected Products
- backslash npm package version 0.2.1
- Browser bundles built with build tools such as Babel, Rollup, Vite, or Next.js that include the compromised version
- Private npm registries and mirrors caching the compromised version
Discovery Timeline
- 8 September 2025 - npm publishing account compromised via phishing; malicious 0.2.1 published and later removed by npm
- 13 September 2025 - Package owner published new patch versions to cache-bust private registries
- 15 September 2025 - CVE-2025-59140 published to NVD
- 15 April 2026 - Last updated in NVD database
Technical Details for CVE-2025-59140
Vulnerability Analysis
The issue is classified under [CWE-506] Embedded Malicious Code. The legitimate backslash package logic was preserved in version 0.2.1, which allowed the trojanized release to pass functional tests and reach downstream consumers. Attackers injected a payload that activates only in browser execution contexts, evading detection in typical CI pipelines that run Node.js unit tests. Once bundled into a web application, the payload hooks cryptocurrency wallet APIs and transaction-signing flows. It intercepts outbound transactions and substitutes destination addresses with attacker-controlled wallets before the user confirms the transfer.
Root Cause
The root cause is a maintainer account compromise rather than a code-level defect. A phishing campaign harvested credentials for the npm account responsible for backslash, granting the attacker authority to publish trojanized versions to the public registry. The npm ecosystem's trust model assumes maintainer accounts remain under legitimate control, so any package consumer that resolved 0.2.1 automatically pulled the malicious payload through normal dependency resolution.
Attack Vector
Exploitation is passive from the victim's perspective. Developers installing or updating dependencies that resolve to backslash@0.2.1 ingested the payload through npm install. When the resulting JavaScript executed inside a browser, the malware inspected the global environment for wallet objects such as window.ethereum and hooked transaction APIs to rewrite recipient addresses. The malware did not execute in Node.js server or CLI contexts, narrowing the blast radius to web front-ends. See the GitHub Security Advisory and the Socket.dev Supply Chain Attack Analysis for additional payload details.
Detection Methods for CVE-2025-59140
Indicators of Compromise
- Presence of backslash@0.2.1 in package-lock.json, yarn.lock, or pnpm-lock.yaml
- Browser bundles containing obfuscated code referencing wallet provider objects such as window.ethereum injected by the malicious payload
- Outbound cryptocurrency transactions with substituted destination addresses observed by end users
- Cached copies of backslash@0.2.1 in private registry mirrors or proxy caches
Detection Strategies
- Run software composition analysis across all repositories to flag any direct or transitive dependency on backslash@0.2.1
- Compare deployed browser bundle hashes against known-good builds produced before 8 September 2025
- Audit npm registry mirror caches and CDN-hosted artifacts for the compromised version
- Review CI/CD logs for installations of backslash@0.2.1 between 8 September and the registry takedown
Monitoring Recommendations
- Monitor application telemetry for unexpected hooks on wallet APIs inside front-end JavaScript
- Track outbound traffic from build infrastructure for connections to unknown domains during bundling
- Enable npm audit signals and dependency drift alerts in development pipelines
- Subscribe to GitHub Security Advisories for ecosystem-level supply chain events
How to Mitigate CVE-2025-59140
Immediate Actions Required
- Upgrade backslash to version 0.2.2 or later across all projects and lockfiles
- Delete node_modules directories and reinstall dependencies from a clean state
- Purge global package manager caches with npm cache clean --force, yarn cache clean, or pnpm store prune
- Rebuild and redeploy any browser bundles produced while 0.2.1 was available
- Notify users of affected web applications and recommend reviewing recent cryptocurrency transactions
Patch Information
The issue is resolved in backslash@0.2.2. The maintainer published this version on 13 September 2025 to cache-bust private registries that may still hold the compromised artifact. Refer to the GitHub Security Advisory GHSA-53mq-f4w3-f7qv for the official fix details.
Workarounds
- Pin backslash to a known-clean version prior to 0.2.1 if upgrade is blocked
- Purge the compromised version from any private registry, Verdaccio, Nexus, or Artifactory cache
- Enforce package signing verification and require two-factor authentication for all npm publish operations
- Use lockfile linting to block reintroduction of backslash@0.2.1 in future builds
# Remediation commands: remove the compromised version, purge caches, reinstall a fixed release
npm uninstall backslash
# Drop the installed tree and the lockfile so the fixed version is resolved fresh
rm -rf node_modules package-lock.json
# Clear the local npm cache so a cached copy of 0.2.1 cannot be reused
npm cache clean --force
npm install backslash@^0.2.2
# Rebuild native/compiled dependencies after the clean reinstall
npm rebuild
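One way to implement the lockfile check listed under Detection Strategies and the lockfile-linting workaround above, as an added example that is not code from the advisory or the backslash project. It scans a package-lock.json (v1 nested tree or v2/v3 flat "packages" map) for any nested or transitive backslash@0.2.1 entry; the sample lockfile and the dependency name "some-lib" are constructed for illustration.

```javascript
// Added example (not the advisory's or the project's own code): flag backslash@0.2.1
// anywhere in an npm lockfile so the check can gate CI before bundles are built.
const BAD_NAME = 'backslash';
const BAD_VERSION = '0.2.1';

// Returns the install paths of every backslash@0.2.1 entry in a parsed lockfile.
function findCompromised(lock) {
  const hits = [];
  if (lock.packages) {
    // Lockfile v2/v3: key is "" for the root project, otherwise ".../node_modules/<name>"
    for (const [path, meta] of Object.entries(lock.packages)) {
      const name = meta.name || path.split('node_modules/').pop();
      if (name === BAD_NAME && meta.version === BAD_VERSION) hits.push(path);
    }
    return hits;
  }
  // Lockfile v1: recurse through nested "dependencies" objects
  const walk = (deps, prefix) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const path = `${prefix}node_modules/${name}`;
      if (name === BAD_NAME && meta.version === BAD_VERSION) hits.push(path);
      walk(meta.dependencies, `${path}/`);
    }
  };
  walk(lock.dependencies, '');
  return hits;
}

// Lint gate: true when the lockfile text is clean, false when it must be rejected.
function lockfileIsClean(jsonText) {
  return findCompromised(JSON.parse(jsonText)).length === 0;
}

// Constructed sample: a clean top-level backslash@0.2.2 plus a nested transitive
// copy at 0.2.1 pulled in by the hypothetical dependency "some-lib".
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', version: '1.0.0', dependencies: { 'some-lib': '^2.0.0' } },
    'node_modules/backslash': { version: '0.2.2' },
    'node_modules/some-lib': { version: '2.3.0', dependencies: { backslash: '~0.2.1' } },
    'node_modules/some-lib/node_modules/backslash': { version: '0.2.1' },
  },
};

if (typeof require !== 'undefined' && require.main === module) {
  // Usage: node scan-lock.js [path/to/package-lock.json]; with no argument, scans the sample.
  const file = process.argv[2];
  const lock = file ? JSON.parse(require('node:fs').readFileSync(file, 'utf8')) : SAMPLE_LOCK;
  const hits = findCompromised(lock);
  console.log(hits.length ? `COMPROMISED: ${hits.join(', ')}` : 'clean');
  if (file && hits.length) process.exitCode = 1; // fail the CI step for a real lockfile
}
```

The same walk applies to yarn.lock or pnpm-lock.yaml once parsed into an equivalent name/version map.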
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.