npm, Supply Chain Compromise, CVE-2025-XXXX (Critical)

Listen to this Post

The attacker gained access to the maintainer’s npm account via a phishing campaign. Upon account takeover, they published a malicious version (5.0.1) of the ‘color’ library. This version contained obfuscated JavaScript code designed to evade initial detection. When included in a browser-based application bundle, the payload would activate. It specifically targeted the global `window` object, attempting to intercept and modify outgoing Web3 transactions initiated by popular Ethereum wallets like MetaMask. The malicious script searched for transaction objects and, if found, replaced the recipient’s address (to field) with an attacker-controlled address, thereby diverting funds. The payload was engineered to be inert in non-browser environments (Node.js, CLI), limiting its detectability during development and testing phases.
Platform: npm
Version: 5.0.1
Vulnerability: Supply Chain
Severity: Critical

date: 2025-09-08

Prediction: 2025-09-13

What Undercode Say:

`npm cache clean –force`

`rm -rf node_modules/ package-lock.json`

`npm install [email protected]`

How Exploit:

Malicious version published.

Targets browser Web3 globals.

Modifies transaction `to` address.

Protection from this CVE:

Update to 5.0.2+.

Purge npm caches.

Rebuild all bundles.

Impact:

Browser bundles compromised.

Cryptocurrency theft.

Requires full rebuild.

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top