CVE-2025-59144 Overview
The debug npm package, a small logging utility that a large share of the JavaScript ecosystem pulls in as a transitive dependency, was compromised through a supply chain attack on 8 September 2025. Attackers phished the maintainer's npm publishing account and published version 4.4.2 containing a cryptocurrency-stealing payload. The malicious release behaves like the prior release but adds code that, when it runs in a browser, rewrites the destination of cryptocurrency transactions to attacker-controlled wallet addresses. The payload targets wallets such as MetaMask. It does not activate outside a browser, so server-side, command-line, and local Node.js use is not affected at runtime, although the tampered package still has to be removed from every install that resolved it. The compromise is tracked under [CWE-506: Embedded Malicious Code].
Critical Impact
Browser bundles built with the compromised debug@4.4.2 package silently rewrite cryptocurrency transaction destinations, redirecting funds to attacker wallets.
Affected Products
- debug npm package version 4.4.2
- Browser bundles produced with Rollup, Vite, Next.js, a Babel-based build pipeline, or similar client-side build tooling using the compromised version
- Private npm registries or mirrors that cached debug@4.4.2
Discovery Timeline
- 8 September 2025 - Maintainer npm account compromised via phishing; malicious debug@4.4.2 published; npm removes the package later that day
- 13 September 2025 - Maintainer publishes new patch versions to cache-bust private registries holding the compromised release
- 15 September 2025 - CVE-2025-59144 published to NVD
- 15 April 2026 - Last updated in NVD database
Technical Details for CVE-2025-59144
Vulnerability Analysis
The compromise is a classic npm supply chain attack rather than a code-level flaw in debug itself. The attacker phished the publishing account for the package and pushed a tampered version through the legitimate npm distribution path. Because debug is a transitive dependency of an enormous portion of the JavaScript ecosystem, the malicious build propagated rapidly into downstream applications and prebuilt browser bundles. The malware is dormant outside of browser contexts, so build pipelines and server runtimes did not exhibit obvious behavioral changes during installation or testing.
Root Cause
The root cause is the takeover of the npm publishing account through credential phishing, combined with the absence of strict provenance verification on consumer installs. Once the attacker controlled the publishing identity, they released debug@4.4.2 with a payload added on top of the legitimate codebase. Downstream consumers received the package through normal npm install flows and built it into production bundles.
Attack Vector
The payload activates only in browser execution contexts. When debug@4.4.2 is loaded via a direct <script> include or is bundled into client-side code by tools such as Rollup, Vite, Next.js, or a Babel-based pipeline, the malicious code hooks the page's wallet interactions. It inspects outbound transactions destined for wallet extensions including MetaMask and rewrites the destination address to an attacker-controlled wallet before the wallet prompts for a signature. The wallet then shows what looks like a normal transaction prompt; unless the user compares the displayed destination with the address they actually entered, funds route to the adversary. No verified proof-of-concept code is published; technical details are available in the GitHub Security Advisory GHSA-4x49-vf9v-38px and the Socket research write-up.
Detection Methods for CVE-2025-59144
Indicators of Compromise
- Presence of debug@4.4.2 in package-lock.json, yarn.lock, pnpm-lock.yaml, or any node_modules/debug/package.json
- Cached copies of debug-4.4.2.tgz in private npm registries, registry mirrors, or CI build caches
- Production browser bundles built between 8 September 2025 and the date of remediation that include debug as a dependency
- Signed transactions leaving end-user sessions whose destination address differs from the one the user entered or the application supplied (the swap happens before signing, so the address shown in the wallet prompt is the last place it can be caught)
Detection Strategies
- Run npm ls debug and npm audit across all repositories and CI pipelines to surface the affected version.
- Scan deployed JavaScript bundles for the malicious payload patterns documented by Aikido and Ox Security.
- Inspect Software Bill of Materials (SBOM) artifacts for debug versions matching 4.4.2.
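The lockfile, SBOM and cache indicators above are easy to check by hand for one repository but not across a fleet. The following Node.js script is an added example, not code from the advisory or from the debug project: it locates debug@4.4.2 in a package-lock.json (lockfile versions 1 and 2/3, including nested copies), a yarn.lock in the v1 format, a pnpm-lock.yaml and a CycloneDX JSON SBOM. The sample inputs at the bottom are constructed for the demo; in practice, feed it the real files with fs.readFileSync.

```javascript
// Added example (not from the advisory or the debug project): find debug@4.4.2 in the
// artifacts the indicators above list. Node.js >= 18, standard library only.
// The sample inputs at the bottom are constructed for the demo, not real project files.
'use strict';

const BAD = { name: 'debug', version: '4.4.2' };

// package-lock.json: lockfileVersion 2/3 hold a flat "packages" map keyed by install path
// (nested copies appear as node_modules/<pkg>/node_modules/debug); lockfileVersion 1 holds a
// nested "dependencies" tree. Both shapes are walked so nested duplicates are not missed.
function scanPackageLock(json) {
  const lock = JSON.parse(json);
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (path.endsWith('node_modules/' + BAD.name) && meta.version === BAD.version) hits.push(path);
  }
  const walk = (deps, prefix) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const path = prefix + 'node_modules/' + name;
      if (name === BAD.name && meta.version === BAD.version) hits.push(path);
      walk(meta.dependencies, path + '/');
    }
  };
  if (!lock.packages) walk(lock.dependencies, '');
  return hits;
}

// yarn.lock (v1 format): an unindented header lists the requested specs and ends in ":",
// and the indented lines that follow carry `version "x.y.z"` for that entry.
function scanYarnLock(text) {
  const hits = [];
  let specs = null;
  for (const line of text.split('\n')) {
    if (/^\S/.test(line) && line.trim().endsWith(':')) {
      specs = line.split(',').map(s => s.trim().replace(/^"|[":]+$/g, '')); // strip quotes and colon
    } else if (specs) {
      const m = line.match(/^\s+version\s+"?([^"\s]+)"?/);
      if (m && m[1] === BAD.version && specs.some(s => s.startsWith(BAD.name + '@'))) hits.push(specs.join(', '));
    }
  }
  return hits;
}

// pnpm-lock.yaml: package keys look like "/debug@4.4.2:" (lockfile v6) or "debug@4.4.2:" (v9),
// optionally followed by a peer-dependency suffix in parentheses.
function scanPnpmLock(text) {
  const key = new RegExp('^[ \\t]+/?' + BAD.name + '@([0-9][^\\s(:]*)');
  const hits = [];
  for (const line of text.split('\n')) {
    const m = line.match(key);
    if (m && m[1] === BAD.version) hits.push(line.trim().replace(/:$/, ''));
  }
  return hits;
}

// CycloneDX JSON SBOM: each component carries name/version and usually a purl such as pkg:npm/debug@4.4.2.
function scanCycloneDx(json) {
  const purl = `pkg:npm/${BAD.name}@${BAD.version}`;
  return (JSON.parse(json).components || [])
    .filter(c => c.purl === purl || (c.name === BAD.name && c.version === BAD.version))
    .map(c => c.purl || `${c.name}@${c.version}`);
}

// --- constructed sample inputs ---
const SAMPLE_PACKAGE_LOCK = JSON.stringify({
  name: 'webapp', lockfileVersion: 3,
  packages: {
    '': { name: 'webapp', dependencies: { express: '^4.21.0' } },
    'node_modules/debug': { version: '4.4.2' },
    'node_modules/express': { version: '4.21.2', dependencies: { debug: '2.6.9' } },
    'node_modules/express/node_modules/debug': { version: '2.6.9' },
  },
});
const SAMPLE_YARN_LOCK = `# yarn lockfile v1

"debug@^4.3.4", debug@4:
  version "4.4.2"
  dependencies:
    ms "^2.1.3"

debug@2.6.9:
  version "2.6.9"
`;
const SAMPLE_PNPM_LOCK = `lockfileVersion: '9.0'

packages:

  debug@2.6.9:
    resolution: {integrity: sha512-constructed}

  debug@4.4.2(supports-color@5.5.0):
    resolution: {integrity: sha512-constructed}
`;
const SAMPLE_SBOM = JSON.stringify({
  bomFormat: 'CycloneDX', specVersion: '1.5',
  components: [
    { type: 'library', name: 'ms', version: '2.1.3', purl: 'pkg:npm/ms@2.1.3' },
    { type: 'library', name: 'debug', version: '4.4.2', purl: 'pkg:npm/debug@4.4.2' },
  ],
});

// Runs every scanner over the samples; each non-empty array is a hit to remediate.
function scanAll() {
  return {
    packageLock: scanPackageLock(SAMPLE_PACKAGE_LOCK),
    yarnLock: scanYarnLock(SAMPLE_YARN_LOCK),
    pnpmLock: scanPnpmLock(SAMPLE_PNPM_LOCK),
    sbom: scanCycloneDx(SAMPLE_SBOM),
  };
}

console.log(JSON.stringify(scanAll(), null, 2));
```

The package-lock scanner deliberately matches on the install path rather than on the top-level entry only: a hoisted clean 4.4.3 at node_modules/debug does not prove a nested node_modules/<pkg>/node_modules/debug is clean, which is exactly the case npm ls debug reports and a naive grep for "debug": "4.4.2" on the top level misses.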
Monitoring Recommendations
- Alert on any future installs that resolve debug to 4.4.2 from build logs and package manager telemetry.
- Monitor private registry access logs for downloads of the compromised tarball.
- Track browser-side exceptions or unexpected modifications to window.ethereum handlers in client telemetry.
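To make the last monitoring item concrete: the payload works by replacing functions the page already trusts, so a page can snapshot those functions before any bundled code runs and report when one is swapped out. The block below is an added example, not code from the advisory or from the debug project. It watches window.ethereum.request plus fetch and XMLHttpRequest (the latter two are an assumption about what clippers typically hook, not something the advisory states), and shows an application refusing to prompt the wallet once a handler has been tampered with. The provider, the clipper stand-in and the addresses are constructed for the demo; the object named win stands in for the browser window so the same code also runs offline under Node.

```javascript
// Added example, not code from the advisory or the debug project. Snapshot the handlers a browser
// clipper hooks and report any that are replaced later. `win` stands in for the browser window so
// the demo runs under Node; the provider, the clipper stand-in and the addresses are constructed.
'use strict';

// Dotted paths under window whose functions a clipper replaces to see or alter transactions.
// fetch and XMLHttpRequest are an assumption about typical clippers; ethereum.request is the
// handler the advisory's monitoring guidance names.
const WATCHED = ['fetch', 'XMLHttpRequest.prototype.open', 'XMLHttpRequest.prototype.send', 'ethereum.request'];
// Browser built-ins among them: their source must read "[native code]"; a JS wrapper's does not.
const BUILTIN = new Set(WATCHED.filter(p => p !== 'ethereum.request'));

function resolve(root, path) {
  return path.split('.').reduce((obj, key) => (obj == null ? undefined : obj[key]), root);
}

function isNative(fn) {
  return typeof fn === 'function' && /\[native code\]\s*\}\s*$/.test(Function.prototype.toString.call(fn));
}

// Install from an inline <head> script, before any bundle executes, so the snapshot predates hooks
// that bundled code installs. Returns a checker listing what changed since the snapshot.
function installHookMonitor(win) {
  const baseline = new Map();
  const snapshot = path => {
    const fn = resolve(win, path);
    if (fn !== undefined) baseline.set(path, { fn, native: isNative(fn) });
  };
  WATCHED.forEach(snapshot);
  return function check() {
    const findings = [];
    for (const path of WATCHED) {
      if (!baseline.has(path)) { snapshot(path); continue; } // e.g. wallet injected window.ethereum after load
      const { fn, native } = baseline.get(path);
      if (resolve(win, path) !== fn) findings.push({ path, reason: 'replaced since snapshot' });
      else if (BUILTIN.has(path) && !native) findings.push({ path, reason: 'not native code (hooked before snapshot?)' });
    }
    return findings;
  };
}

// Application side: run the check right before asking the wallet to sign and refuse to proceed if
// anything was tampered with, so the user never sees a prompt for a rewritten transaction.
function sendIfClean(win, check, tx) {
  const findings = check();
  if (findings.length) return { sent: false, findings };
  return { sent: true, findings, pending: win.ethereum.request({ method: 'eth_sendTransaction', params: [tx] }) };
}

// --- constructed test doubles ---
const USER_ADDR = '0x' + 'a'.repeat(40);     // destination the user entered (placeholder)
const ATTACKER_ADDR = '0x' + 'b'.repeat(40); // what a clipper would substitute (placeholder)

// Minimal EIP-1193-style provider that records what it was asked to sign.
function makeProvider() {
  const seen = [];
  return { seen, request: async ({ method, params }) => { seen.push({ method, params }); return '0xtxhash'; } };
}

// Math.max and friends stand in for the browser's native fetch/XHR methods: they are native
// functions, which is exactly the property isNative() keys on.
function makeWindow(provider) {
  return { fetch: Math.max, XMLHttpRequest: { prototype: { open: Math.min, send: Math.abs } }, ethereum: provider };
}

// Stand-in for the kind of hook the advisory describes (not the actual payload): wrap
// ethereum.request and swap the destination of eth_sendTransaction before the wallet sees it.
function simulateClipper(win, to) {
  const original = win.ethereum.request;
  win.ethereum.request = args => {
    if (args.method === 'eth_sendTransaction') args = { ...args, params: [{ ...args.params[0], to }] };
    return original(args);
  };
}

function demo() {
  const provider = makeProvider();
  const win = makeWindow(provider);
  const check = installHookMonitor(win);                         // snapshot before the "bundle" runs
  const before = sendIfClean(win, check, { to: USER_ADDR, value: '0x1' });
  simulateClipper(win, ATTACKER_ADDR);                           // the bundled payload installs its hook
  win.ethereum.request({ method: 'eth_sendTransaction', params: [{ to: USER_ADDR, value: '0x1' }] }); // unguarded call
  const after = sendIfClean(win, check, { to: USER_ADDR, value: '0x1' });
  return {
    sentBefore: before.sent,
    sentAfter: after.sent,
    flagged: after.findings.map(f => f.path),
    providerSaw: provider.seen.map(r => r.params[0].to), // the unguarded call reaches the wallet with ATTACKER_ADDR
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

The identity comparison only helps if the snapshot is taken before the malicious bundle runs, which is why it belongs in an inline script at the top of the document rather than in the bundle itself; the native-code check covers fetch and XMLHttpRequest even when that ordering cannot be guaranteed, but not the wallet provider, whose request method is ordinary JavaScript injected by the extension. In production, report findings to client telemetry rather than only blocking, so that a hooked handler shows up across users as the advisory recommends.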
How to Mitigate CVE-2025-59144
Immediate Actions Required
- Upgrade debug to version 4.4.3 or later across all projects.
- Delete the node_modules directory and reinstall dependencies on every affected workstation, server, and CI runner.
- Clean the global package manager cache with npm cache clean --force, yarn cache clean, or pnpm store prune.
- Rebuild and redeploy all browser bundles produced after 8 September 2025 to eliminate any embedded payload.
- Operators of private registries or mirrors must purge debug@4.4.2 from caches to prevent reinstallation.
Patch Information
The maintainer fixed the issue by republishing clean code as debug@4.4.3 on 13 September 2025. The malicious 4.4.2 release was removed from the public npm registry on 8 September 2025. Refer to GitHub Issue #1005 for the maintainer's incident notes.
Workarounds
- Pin debug to a known-good version below 4.4.2 (for example 4.4.1) in lockfiles until upgrades to 4.4.3 are verified; where debug is only a transitive dependency, force the resolution with an overrides entry in package.json (resolutions for Yarn) rather than editing the lockfile by hand.
- Apply Subresource Integrity (SRI) hashes on any browser-loaded <script> includes of debug to block tampered copies.
- Verify registry signatures and provenance attestations on install (npm audit signatures) and publish your own packages with provenance from CI (npm publish --provenance), so that a release missing its expected attestation stands out; this reduces exposure to future maintainer-account takeovers.
# Remediation steps (run from the project root)
npm uninstall debug                     # if debug is a direct dependency; skip this and the reinstall below when it is transitive only
rm -rf node_modules package-lock.json   # discard the resolved tree and the lockfile that may still pin 4.4.2
npm cache clean --force                 # purge a cached debug-4.4.2.tgz so it cannot be restored from the cache
npm install debug@^4.4.3                # re-add debug at a clean version; transitive-only projects run plain `npm install` instead
npm ls debug                            # confirm every resolved copy, nested ones included, is 4.4.3 or later
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


