CVE-2025-59143 Overview
CVE-2025-59143 affects the color npm package, a widely used JavaScript color conversion and manipulation library. Attackers compromised the maintainer's npm publishing account through a phishing attack and published version 5.0.1 containing a malicious payload. The compromised version is functionally identical to the previous patch release but injects malware that targets cryptocurrency transactions and wallets such as MetaMask inside browser contexts. The supply chain compromise is tracked under CWE-506: Embedded Malicious Code.
Critical Impact
Browser bundles built with the compromised color@5.0.1 redirect cryptocurrency transactions to attacker-controlled wallet addresses, exposing end-user funds.
Affected Products
- color npm package version 5.0.1
- Browser applications bundled with the compromised version using Webpack, Rollup, Vite, Babel, or Next.js
- Private npm registries and mirrors that cached the malicious version
Discovery Timeline
- 2025-09-08 - npm publishing account compromised via phishing; malicious color@5.0.1 published
- 2025-09-08 - npm removes the offending package from the public registry
- 2025-09-13 - Package owner publishes new patch versions to cache-bust private registries
- 2025-09-15 - CVE-2025-59143 published to NVD
- 2026-04-15 - Last updated in NVD database
Technical Details for CVE-2025-59143
Vulnerability Analysis
The color package itself does not contain a code defect. Instead, attackers compromised the maintainer's npm publishing credentials and pushed a tampered release. The malicious 5.0.1 build behaves identically to the legitimate previous patch version at the API level. The injected payload activates only inside browser runtime contexts, leaving Node.js servers, command line tools, and local scripts unaffected.
Once loaded in a browser, the payload hooks cryptocurrency wallet interactions and rewrites transaction destinations. The malware specifically targets web3 providers such as MetaMask, intercepting outgoing transfers and substituting attacker-controlled addresses. Because color is a transitive dependency for thousands of downstream packages, the blast radius extends to any web application that rebuilt bundles while the malicious version was live in the registry.
Root Cause
The root cause is account takeover of an npm maintainer through credential phishing, followed by publication of a trojanized package version. This is a software supply chain attack rather than a code-level flaw, and it abuses the implicit trust placed in npm publishers by downstream consumers.
Attack Vector
The attack vector is dependency resolution. Any build pipeline that ran npm install, yarn install, or pnpm install between 8 September 2025 and the registry removal could pull color@5.0.1 into a browser bundle. The malware then ships to end users through the application's static assets and executes in their browsers when they interact with cryptocurrency wallets. For technical specifics see the GitHub Security Advisory GHSA-qrmh-qg46-72pp and the Socket analysis of the qix maintainer compromise.
Detection Methods for CVE-2025-59143
Indicators of Compromise
- Presence of color@5.0.1 in package-lock.json, yarn.lock, or pnpm-lock.yaml
- Browser bundles built between 2025-09-08 and the registry removal that include the color library
- Outbound web3 transactions in user telemetry where destination addresses do not match user input
- Cached copies of color@5.0.1 in internal Verdaccio, Nexus, Artifactory, or other private registry mirrors
Detection Strategies
- Run npm ls color across all JavaScript projects to enumerate the resolved version
- Scan built JavaScript artifacts in CDNs and static asset stores for the malicious payload signature referenced in the Aikido write-up
- Integrate software composition analysis into CI to fail builds that resolve to color@5.0.1
- Review npm audit logs and lockfile diffs in source control between 8 and 13 September 2025
Monitoring Recommendations
- Alert on dependency lockfile changes that introduce new versions of packages from the affected maintainer's namespace
- Monitor browser-side error and network telemetry for anomalous calls to wallet provider APIs
- Track newly added wallet addresses in transaction logs against known attacker indicator lists published by OX Security
How to Mitigate CVE-2025-59143
Immediate Actions Required
- Upgrade color to version 5.0.2 or later across all projects
- Delete the local node_modules directory and reinstall dependencies from a clean state
- Purge the package manager global cache with npm cache clean --force, yarn cache clean, or pnpm store prune
- Rebuild and redeploy all browser bundles that may have been produced while 5.0.1 was live
- Purge color@5.0.1 from any private registry, registry mirror, or build cache
Patch Information
The issue is resolved in color@5.0.2. The maintainer published additional patch versions on 13 September 2025 specifically to cache-bust private registries that may have mirrored the malicious release. Consumers must verify resolution after upgrading by inspecting lockfiles and rebuilt artifacts.
Workarounds
- Pin color to a known-good version prior to 5.0.1 using exact version constraints in package.json
- Block color@5.0.1 explicitly in registry proxy policies or via tools such as Socket or Snyk
- Require signed commits and two-factor authentication enforcement for all maintainers of internally mirrored packages
# Configuration example
# Move the direct dependency and the lockfile to a fixed release
npm install color@^5.0.2
# Discard any installed copy of the trojanized build
rm -rf node_modules
# Drop cached tarballs so 5.0.1 cannot be restored from the local cache
npm cache clean --force
# Reinstall strictly from the lockfile
npm ci
# Confirm no resolved copy, direct or transitive, is still 5.0.1
npm ls color
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.