Mallory
Severity: High

Malicious browser-targeting payload in debug 4.4.2

Identifiers: CVE-2025-59144, CWE-506 (Embedded Malicious Code)

CVE-2025-59144 concerns a supply-chain compromise of the npm package debug. After the maintainer's npm publishing account was phished and taken over on 2025-09-08, an attacker published debug version 4.4.2. The package was functionally equivalent to the prior patch release but carried an added malicious payload. The malicious code was intended to execute in browser contexts and attempt to redirect cryptocurrency transactions to attacker-controlled wallet addresses, reportedly targeting wallets and transaction flows such as MetaMask. According to the advisory, local development environments, server-side environments, and command-line applications were not affected by the payload's behavior. The issue was resolved in version 4.4.3, and subsequent patch releases were also published to help invalidate cached copies of the compromised artifact in private registries and mirrors.


ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exposure to the compromised package can result in client-side tampering with cryptocurrency transactions in browser-delivered applications that bundled or directly included debug 4.4.2. The primary impact described is redirection of cryptocurrency transfers to attacker-controlled addresses, which can lead to theft of digital assets and loss of transaction integrity. The impact is limited to browser-executed bundles containing the compromised version; the advisory states that local environments, server environments, and CLI applications are not affected.

Mitigation

If you can’t patch tonight, do this now.

If immediate upgrade and rebuild are not yet complete, prevent use of debug 4.4.2 in browser-delivered applications by pinning or blocking that version in dependency management and private registries. Purge registry mirrors and CI/CD caches to stop reintroduction of the compromised artifact. Review browser bundles and front-end build outputs for inclusion of debug 4.4.2, especially in applications interacting with cryptocurrency wallets or transaction signing flows. As broader supply-chain hardening, enforce provenance/signing where available, restrict approved package sources, and monitor for unauthorized dependency changes in front-end builds.

Remediation

Patch, then assume compromise.

Upgrade from debug 4.4.2 to a fixed patch release, specifically 4.4.3 or later as indicated in the advisory. Completely remove node_modules, clear the package manager's global cache, and rebuild all browser bundles from scratch so that the malicious code is not retained in previously generated artifacts. Organizations operating private registries or registry mirrors should purge cached copies of the compromised version. Any deployed browser assets built with 4.4.2 should be replaced with freshly rebuilt artifacts based on the fixed version.
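
The mitigation and remediation steps above both start with finding every installed copy of debug 4.4.2 and preventing it from being resolved again. The following is an added example, not code from the advisory or from the debug project: it audits an npm lockfile (lockfileVersion 2 or 3) for the compromised version, marks which copies are dev-only build tooling versus production code that may end up in a browser bundle, and builds the package.json "overrides" pin for the fixed range. The lockfile contents and package names (wallet-frontend, ui-lib, build-tool) are constructed for the example.

```javascript
// Added example, not code from the advisory or the debug project.
// Audits an npm lockfile (lockfileVersion 2 or 3, "packages" keyed by install
// path) for the compromised debug@4.4.2 release, including nested copies that
// a quick look at the top-level node_modules misses, and builds the
// package.json "overrides" pin that forces the fixed release.
const COMPROMISED = { name: "debug", version: "4.4.2" };
const FIXED_RANGE = ">=4.4.3"; // 4.4.3 is the fixed release named in the advisory

// Package name is whatever follows the last "node_modules/" in the install path.
function packageName(installPath) {
  const marker = "node_modules/";
  const i = installPath.lastIndexOf(marker);
  return i === -1 ? installPath : installPath.slice(i + marker.length);
}

// Returns one record per installed copy of the compromised version. The
// `dev` flag comes straight from the lockfile: dev-only copies live under
// build tooling and normally do not ship in a browser bundle; production
// copies can, so they are the ones that matter for this advisory.
function findCompromised(lockfile, target = COMPROMISED) {
  const hits = [];
  for (const [installPath, entry] of Object.entries(lockfile.packages || {})) {
    if (installPath === "") continue; // root project entry, not a dependency
    const name = entry.name || packageName(installPath); // entry.name only set for aliases
    if (name === target.name && entry.version === target.version) {
      hits.push({ path: installPath, dev: entry.dev === true });
    }
  }
  return hits;
}

// Returns a copy of package.json with an "overrides" entry (npm 8.3+) pinning
// debug to the fixed range, so transitive resolution cannot pick 4.4.2 again.
function withOverride(pkg) {
  return { ...pkg, overrides: { ...(pkg.overrides || {}), [COMPROMISED.name]: FIXED_RANGE } };
}

// Constructed sample lockfile for a browser app: a direct production copy of
// 4.4.2, a nested safe copy under ui-lib, and a dev-only copy under build-tool.
const SAMPLE_LOCK = {
  name: "wallet-frontend", lockfileVersion: 3,
  packages: {
    "": { name: "wallet-frontend", dependencies: { debug: "^4.4.0", "ui-lib": "^1.0.0" } },
    "node_modules/debug": { version: "4.4.2" },
    "node_modules/ui-lib": { version: "1.0.0", dependencies: { debug: "^4.4.0" } },
    "node_modules/ui-lib/node_modules/debug": { version: "4.4.1" },
    "node_modules/build-tool": { version: "2.0.0", dev: true },
    "node_modules/build-tool/node_modules/debug": { version: "4.4.2", dev: true },
  },
};

for (const h of findCompromised(SAMPLE_LOCK)) {
  console.log(`${h.path}: ${h.dev ? "dev-only (build tooling)" : "PRODUCTION, may be bundled"}`);
}
console.log(JSON.stringify(withOverride({ name: "wallet-frontend" }).overrides));
```

Run it against a real package-lock.json by replacing SAMPLE_LOCK with `JSON.parse(fs.readFileSync("package-lock.json"))`; the override only takes effect after node_modules and the package manager cache are cleared and the project is reinstalled and rebuilt, as the remediation steps describe.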

PUBLIC EXPLOITS


No public exploit code observed for this vulnerability.
