The CVE-2025-XXXX vulnerability was not a traditional code flaw but a software supply chain attack. A threat actor gained control of the `prebid-universal-creative` npm package maintainer account and published a malicious version (1.17.3) of the package. This compromised version contained obfuscated JavaScript designed to steal cryptocurrency from users' web browsers by intercepting clipboard content and replacing cryptocurrency wallet addresses with ones controlled by the attacker. The malicious package was available through the npm registry and the popular jsDelivr CDN, amplifying its potential impact on the advertising ecosystem.
Platform: npm
Version: 1.17.3
Vulnerability: Supply Chain
Severity: Critical
Date: 2025-09-09
Prediction: Patched 2025-09-09
What Undercode Says:
`npm audit`
`npm unpublish`
`curl https://cdn.jsdelivr.net/npm/prebid-universal-creative@1.17.3/dist/creative.js`
`grep -i "clipboard" creative.js`
How it is exploited:
Publication of a malicious version of a trusted npm package through a compromised maintainer account.
Protection from this CVE:
Pin dependencies to exact versions and use lockfiles.
Impact:
Cryptocurrency theft, Data exfiltration.
Sources:
Reported By: github.com
Extra Source Hub:
Undercode