CVE-2025-59145 Overview
CVE-2025-59145 is a supply chain attack affecting the color-name npm package, a widely-used JSON module containing CSS color names. Following a successful phishing attack on September 8, 2025, an attacker gained control of the npm publishing account and released version 2.0.1 containing embedded malware. While functionally identical to the legitimate previous patch version, the compromised release included a malicious payload designed to intercept and redirect cryptocurrency transactions to attacker-controlled wallet addresses within browser environments.
Critical Impact
Cryptocurrency wallet hijacking through supply chain compromise affecting browser-based applications using the color-name package via bundlers like Babel, Rollup, Vite, and Next.js.
Affected Products
- color-name npm package version 2.0.1
- Browser-based applications bundled with the compromised package
- Projects using bundlers (Babel, Rollup, Vite, Next.js) that included the malicious version
Discovery Timeline
- September 8, 2025 - Malicious version 2.0.1 published to npm following account compromise
- September 8, 2025 - npm removed the offending package from the registry
- September 13, 2025 - Package owner published new patch versions to help cache-bust private registries
- September 15, 2025 - CVE-2025-59145 published to NVD
- September 16, 2025 - Last updated in NVD database
Technical Details for CVE-2025-59145
Vulnerability Analysis
This vulnerability represents a supply chain attack (CWE-506: Embedded Malicious Code) where an attacker successfully compromised a legitimate npm package maintainer's publishing credentials through phishing. The attack specifically targets browser environments where the package may be included directly via <script> tags or bundled using popular JavaScript build tools.
The malware payload operates by monitoring cryptocurrency transaction activity within the browser context. When transactions are detected, particularly those involving wallets like MetaMask, the malicious code attempts to silently redirect funds to wallet addresses controlled by the attacker. Server-side environments, local Node.js applications, and command-line tools are not affected by this vulnerability.
Root Cause
The root cause of this vulnerability is a compromised npm publishing account obtained through a phishing attack. This allowed the attacker to publish a modified version of the color-name package with an embedded cryptocurrency-stealing payload. The attack exploited the trust relationship inherent in the npm package ecosystem, where downstream consumers automatically pull updated packages without verifying their integrity against known-good states.
Attack Vector
The attack vector is network-based, requiring no user interaction beyond the normal dependency installation and application execution flow. The compromised package is delivered through the npm registry, which is the standard distribution channel for JavaScript packages. Once a victim's project pulls in version 2.0.1 and bundles it for browser deployment, the malware becomes active within end-user browser sessions.
The malware specifically monitors for cryptocurrency wallet interactions and transaction signing events. When detected, it modifies transaction parameters to redirect funds to attacker-controlled addresses. This form of supply chain attack is particularly insidious as it leverages the legitimate software distribution chain to deliver malicious payloads.
Detection Methods for CVE-2025-59145
Indicators of Compromise
- Presence of color-name version 2.0.1 in package-lock.json, yarn.lock, or pnpm-lock.yaml files
- Unexpected network requests to unknown cryptocurrency-related endpoints from browser applications
- Browser bundles containing code referencing wallet interception or transaction modification logic
- MetaMask or other wallet transaction recipients not matching expected addresses
Detection Strategies
- Audit project dependencies using npm audit or equivalent package manager security tools
- Review lock files for the specific compromised version 2.0.1 of color-name
- Implement Software Composition Analysis (SCA) scanning in CI/CD pipelines to detect known vulnerable packages
- Monitor browser application network traffic for anomalous outbound connections during cryptocurrency operations
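The lock-file review above can be automated. The following is an added example (not code from the advisory or from the color-name project) that scans package-lock.json v1 (nested "dependencies") and v2/v3 (flat "packages") for color-name@2.0.1, including transitive copies nested under other packages, and does a text scan for the yarn.lock and pnpm-lock.yaml formats. The sample lock data and the dependency name "some-ui-lib" are constructed for illustration.

```javascript
// Added example, not from the advisory: find the compromised color-name@2.0.1 in
// lock files, including nested (transitive) copies a top-level listing can miss.
const AFFECTED = { name: 'color-name', version: '2.0.1' };

function findInPackageLock(lock, affected = AFFECTED) {
  const hits = new Set();
  // v2/v3: keys are install paths such as "node_modules/lib/node_modules/color-name"
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (path.endsWith('node_modules/' + affected.name) && meta.version === affected.version) hits.add(path);
  }
  // v1: versions live in a nested "dependencies" tree, so walk it recursively
  const walk = (deps, prefix) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const path = `${prefix}node_modules/${name}`;
      if (name === affected.name && meta.version === affected.version) hits.add(path);
      walk(meta.dependencies, path + '/');
    }
  };
  if (!lock.packages) walk(lock.dependencies, '');
  return [...hits];
}

// yarn.lock writes `color-name@^2.0.0:` then `  version "2.0.1"` (berry: `version: 2.0.1`);
// pnpm-lock.yaml writes `/color-name@2.0.1:` (v6) or `color-name@2.0.1:` (v9).
function findInTextLock(text, affected = AFFECTED) {
  const n = affected.name.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
  const v = affected.version.replace(/\./g, '\\.');
  const yarn = new RegExp(`^"?${n}@[^\\n]*:\\n\\s+version:? "?${v}"?\\s*$`, 'm');
  const pnpm = new RegExp(`^\\s*/?${n}@${v}[:(]`, 'm');
  return yarn.test(text) || pnpm.test(text);
}

// Constructed sample data (not real lock files); "some-ui-lib" is a hypothetical dependency.
const SAMPLE_LOCK_V3 = { lockfileVersion: 3, packages: {
  '': { name: 'demo-app', version: '1.0.0' },
  'node_modules/color-name': { version: '2.0.1' },
  'node_modules/some-ui-lib': { version: '4.2.0' },
  'node_modules/some-ui-lib/node_modules/color-name': { version: '2.0.1' },
  'node_modules/other-lib/node_modules/color-name': { version: '1.1.4' }, // clean copy
} };
const SAMPLE_LOCK_V1 = { lockfileVersion: 1, dependencies: {
  'some-ui-lib': { version: '4.2.0', dependencies: { 'color-name': { version: '2.0.1' } } },
  'color-name': { version: '1.1.4' },
} };
const SAMPLE_YARN = 'color-name@^2.0.0:\n  version "2.0.1"\n';
const SAMPLE_PNPM = 'packages:\n\n  /color-name@2.0.1:\n    resolution: {integrity: sha512-PLACEHOLDER}\n';
```

To run it against a real project, read the lock file with `fs.readFileSync(path, 'utf8')`, pass parsed JSON to `findInPackageLock` or the raw text to `findInTextLock`, and fail the CI job when a hit is returned.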
Monitoring Recommendations
- Enable real-time dependency vulnerability scanning with tools like Socket, Snyk, or npm audit
- Implement integrity checking for npm packages using cryptographic verification
- Configure private registry mirroring with automatic vulnerability blocking policies
- Monitor user reports of unexpected cryptocurrency transaction behavior in browser applications
How to Mitigate CVE-2025-59145
Immediate Actions Required
- Update color-name to version 2.0.2 or the latest available patch version immediately
- Completely remove the node_modules directory from all affected projects
- Clean your package manager's global cache (npm cache clean --force or equivalent)
- Rebuild all browser bundles from scratch to eliminate any cached malicious code
Patch Information
The vulnerability is resolved in color-name version 2.0.2, which was published on September 13, 2025. Users should update to this version or later. Organizations operating private npm registries or registry mirrors must purge version 2.0.1 from their caches to prevent continued distribution of the compromised package. For detailed technical analysis of the malware payload, refer to the GitHub Security Advisory, the Socket blog analysis, and the Aikido blog post.
Workarounds
- Pin dependencies to known-good versions prior to 2.0.1 until upgrading to 2.0.2
- Implement lock file verification in CI/CD to detect unexpected dependency changes
- Use npm's --ignore-scripts flag during installation to prevent post-install script execution (note that this does not neutralize the browser-side payload described above, since it activates in bundled code rather than in an install script, and it may break packages that legitimately rely on install scripts)
- Consider implementing Subresource Integrity (SRI) for any CDN-delivered JavaScript dependencies
# Remediation steps
# 1. Update to patched version
npm install color-name@2.0.2
# 2. Remove node_modules completely
rm -rf node_modules
# 3. Clean npm cache
npm cache clean --force
# 4. Reinstall dependencies
npm install
# 5. Rebuild browser bundles
npm run build
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.