Key Information

Vulnerability Description

- Package Name: color-name (npm)
- Affected Versions: 2.0.1
- Fixed Version: 2.0.2
- Severity: Critical
- CVE ID: CVE-2025-59145
- Weakness: CWE-506

Impact

- On September 8, 2025, the npm publishing account for color-name was compromised following a phishing attack. The released version 2.0.1 contained malware designed to redirect cryptocurrency transactions in browser environments to the attacker's address.
- Local environments, server environments, and command-line applications are unaffected. However, if the package is used in a browser context (e.g., loaded directly via a <script> tag or pulled in through bundlers such as Babel, Rollup, Vite, or Next.js), the malicious code may still be present in previously built bundles, which must be rebuilt.

Remediation

- npm has removed the malicious package from the registry to prevent further downloads.
- On September 13, 2025, the package owner released a new patch version to help clear caches in private registries.
- Users should upgrade to the latest patched version, completely delete the directory, clear the global cache of their package manager, and rebuild any browser bundles from scratch.

References

- Aikido Dev Blog
- Socket Dev Blog
- Ox Security Blog

Contact Points

- Compromised publishing account owner: Bluesky
- debug repository issue tracking: debug-js/debug#1005
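The following POSIX shell script is an added example, not part of the advisory or the color-name project. It checks an npm project for the compromised color-name 2.0.1 release in two places (installed node_modules copies, including nested ones, and the package-lock.json) and wraps the advisory's remediation sequence in one function. It assumes npm is on PATH, that the project's bundle is produced by a script named "build", and it builds a constructed sample project fixture so the detection logic can be exercised offline.

```shell
#!/bin/sh
# Added example (not from the advisory): detect color-name 2.0.1 in an npm
# project and apply the advisory's remediation steps.
# Assumes POSIX sh, find, grep, awk; npm only for remediate_project.

# Return 0 if any installed copy of color-name under project_dir reports the
# compromised version 2.0.1 (bundlers may pull in several nested copies).
find_compromised_color_name() {
  project_dir="$1"
  hits=0
  for pkg in $(find "$project_dir" -path '*/node_modules/color-name/package.json' 2>/dev/null); do
    if grep -q '"version": *"2\.0\.1"' "$pkg"; then
      echo "compromised color-name 2.0.1 at: $pkg"
      hits=$((hits + 1))
    fi
  done
  [ "$hits" -gt 0 ]
}

# Return 0 if a package-lock.json pins color-name to 2.0.1. Matches both the
# v1 "color-name": { ... } form and the v2/v3 "node_modules/color-name": { ... }
# form, then inspects the "version" line that follows the key.
lockfile_pins_compromised() {
  lockfile="$1"
  [ -f "$lockfile" ] || return 1
  awk '/color-name": *[{]/ { inblock = 1; next }
       inblock && /"version":/ { if ($0 ~ /"2\.0\.1"/) found = 1; inblock = 0 }
       END { exit found ? 0 : 1 }' "$lockfile"
}

# Advisory remediation: remove the installed tree, clear the package manager's
# global cache, reinstall (resolving to the patched 2.0.2), and rebuild the
# browser bundle from scratch. The "build" script name is an assumption.
remediate_project() {
  project_dir="$1"
  rm -rf "$project_dir/node_modules"
  npm cache clean --force
  (cd "$project_dir" && npm update color-name && npm install && npm run build)
}

# Constructed fixture (not real data): a throwaway project directory with the
# given color-name version installed and pinned in package-lock.json.
make_sample_project() {
  version="$1"
  dir=$(mktemp -d)
  mkdir -p "$dir/node_modules/color-name"
  printf '{\n  "name": "color-name",\n  "version": "%s"\n}\n' "$version" \
    > "$dir/node_modules/color-name/package.json"
  cat > "$dir/package-lock.json" <<EOF
{
  "name": "sample-app",
  "lockfileVersion": 3,
  "packages": {
    "node_modules/color-name": {
      "version": "$version",
      "resolved": "https://registry.npmjs.org/color-name/-/color-name-$version.tgz"
    }
  }
}
EOF
  echo "$dir"
}

# Usage against a real checkout (remediate_project needs npm installed):
#   if find_compromised_color_name . || lockfile_pins_compromised ./package-lock.json; then
#     remediate_project .
#   fi
```

Both checks return a shell status rather than only printing, so they can gate a CI job; a positive hit on a project that never targets the browser still warrants the reinstall, since the lockfile would otherwise keep resolving the pulled version from a private mirror's cache.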