Skip to main content
Live Webinar with SANS (June 25)— Agentic CTI Automation for Fun & ProfitRegister Free
Mallory
Back to vulnerabilities
High

Malicious package compromise in color-name 2.0.1

IdentifiersCVE-2025-59145CWE-94

The provided content describes a supply-chain compromise of the npm package color-name rather than a conventional implementation flaw in the package itself. After the maintainer's npm publishing account was phished on 8 September 2025, an attacker published color-name version 2.0.1 containing a malicious payload while keeping the package otherwise functionally identical to the prior patch release. The injected code targeted browser-executed builds and attempted to redirect cryptocurrency transactions, including interactions with wallets such as MetaMask, to attacker-controlled addresses. According to the content, local environments, server environments, and command-line applications were not affected. The issue was resolved in version 2.0.2, with additional patch releases published to help invalidate cached compromised copies in private registries and mirrors.

Share:
For your environment

Are you exposed to this one?

Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.

Start free trial
ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exposure to the compromised package in a browser context could allow attacker-controlled JavaScript embedded in application bundles to tamper with cryptocurrency transaction flows and redirect transfers to attacker-owned wallet addresses. The impact is therefore theft or diversion of cryptocurrency assets and compromise of transaction integrity in affected browser-based applications. The content does not indicate impact to non-browser execution contexts such as local scripts, servers, or CLI tooling.

Mitigation

If you can’t patch tonight, do this now.

If immediate upgrade is not possible, prevent installation or resolution of color-name 2.0.1 in dependency management and private registry infrastructure, purge mirrored or cached artifacts, and rebuild any browser-delivered assets known or suspected to include the compromised package. Because the payload only affects browser contexts, prioritize identifying applications that bundled the package into client-side JavaScript and review cryptocurrency-related functionality and wallet interactions for possible tampering.

Remediation

Patch, then assume compromise.

Upgrade from the compromised version to 2.0.2 or later patched releases published by the legitimate maintainer. Completely remove node_modules, clear the package manager's global cache, and rebuild browser bundles from scratch to ensure the malicious code is not retained in previously generated artifacts. Operators of private registries or registry mirrors should purge cached copies of the offending version so downstream consumers cannot continue to install or resolve it.
PUBLIC EXPLOITS

Exploits

No public exploits tracked yet. Mallory keeps watching.

VALID 0 / 0 TOTALView more in app

No public exploit code observed for this vulnerability.

EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.

VendorProductType
npm, Inc.Color-Nameapplication

Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.

ACTIVITY FEED

Recent activity

10 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

10 SOURCESView more in app
What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets are affected, which adversaries are exploiting it right now, which detections to deploy, and what to do tonight.
Start free trial
Exposure mapping

Query your assets running an affected version, and investigate the blast radius.

Threat actor evidence

Every observed campaign linking this CVE to a named adversary.

Associated malware

Malware families riding this exploit, with evidence and IOCs.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Vendor-by-vendor mapping

Cross-references every affected SKU, including bundled OEM variants.

Social activity8

Community discussion across Reddit, Mastodon, and other social sources.

EXTERNAL REFERENCES
MITRE CVE
cve.org · CVE-2025-59145
NVD
nvd.nist.gov/vuln/detail/CVE-2025-59145
MITRE CWE · CWE-94
cwe.mitre.org
github.com
github.com/colorjs/color-name/security/advisories/GHSA-5fvm-p68v-5wmh
github.com
github.com/debug-js/debug/issues/1005
socket.dev
socket.dev/blog/npm-author-qix-compromised-in-major-supply-chain-attack
aikido.dev
aikido.dev/blog/npm-debug-and-chalk-packages-compromised
ox.security
ox.security/blog/npm-packages-compromised