PT-2025-37744 · Npm · Color-String
Qix · Published 2025-09-08 · Updated 2025-09-20
CVE-2025-59142 · CVSS v4.0 8.8 (High)
Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N/E:A/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:Red
Name of the Vulnerable Software and Affected Versions
color-string version 2.1.1
Description
The npm account of the color-string maintainer (Qix) was compromised through a phishing attack, and version 2.1.1 was published with a malicious payload. The payload runs only in browser environments, where it redirects cryptocurrency transactions and targets wallets such as MetaMask. Local, server-side, and command-line (Node.js) usage is not affected, but any browser bundle built while 2.1.1 was installed carries the payload and must be rebuilt.
Recommendations
Update to version 2.1.2.
Completely remove the node_modules directory.
Clean the package manager's global cache.
Rebuild any browser bundles from scratch.
Purge the compromised version from any private registry caches and proxies.
Tags: Exploit · Fix · RCE
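As an added example, not part of this advisory or of the color-string project, the following Node.js script scans a package-lock.json (both the lockfileVersion 1 nested layout and the lockfileVersion 2/3 flat "packages" layout) for the compromised color-string release, so a team can confirm whether the cleanup steps above apply to them before running them. The sample lockfile objects are constructed for the example; AFFECTED, findCompromised and the helper names are the example's own.

```javascript
// Added example: scan an npm lockfile for the compromised color-string
// release named in the advisory (2.1.1). Not part of the advisory or of
// the color-string project; AFFECTED, findCompromised and the sample
// lockfile objects are this example's own names.

// Package -> set of versions known to carry the payload.
const AFFECTED = { "color-string": new Set(["2.1.1"]) };

// lockfileVersion 1: nested "dependencies" trees. "path" is the install
// path built up while descending, so nested copies are reported too.
function walkV1(deps, path, hits) {
  for (const [name, entry] of Object.entries(deps || {})) {
    const installPath = `${path}node_modules/${name}`;
    if (AFFECTED[name] && AFFECTED[name].has(entry.version)) {
      hits.push({ path: installPath, version: entry.version });
    }
    walkV1(entry.dependencies, `${installPath}/`, hits);
  }
}

// lockfileVersion 2/3: flat "packages" map keyed by install path, so the
// package name is everything after the last "node_modules/" (this keeps
// scoped names such as "@scope/name" intact).
function walkV2(packages, hits) {
  const marker = "node_modules/";
  for (const [installPath, entry] of Object.entries(packages || {})) {
    if (installPath === "") continue; // root project entry, not a dependency
    const name = installPath.slice(installPath.lastIndexOf(marker) + marker.length);
    if (AFFECTED[name] && AFFECTED[name].has(entry.version)) {
      hits.push({ path: installPath, version: entry.version });
    }
  }
}

// Returns every install path pinned to an affected version, sorted by path.
// v2 lockfiles carry both "packages" and a v1-style "dependencies" section;
// only "packages" is walked so nothing is reported twice.
function findCompromised(lock) {
  const hits = [];
  if (lock.packages) walkV2(lock.packages, hits);
  else walkV1(lock.dependencies, "", hits);
  return hits.sort((a, b) => a.path.localeCompare(b.path));
}

// Constructed sample lockfiles (not real project data).
const SAMPLE_LOCK_V3 = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/color": { version: "5.0.0" },
    "node_modules/color-convert": { version: "3.1.0" },
    "node_modules/color-string": { version: "2.1.1" },
    "node_modules/some-lib/node_modules/color-string": { version: "2.1.2" },
  },
};
const SAMPLE_LOCK_V1 = {
  lockfileVersion: 1,
  dependencies: {
    color: {
      version: "5.0.0",
      dependencies: { "color-string": { version: "2.1.1" } },
    },
    "color-string": { version: "2.0.1" },
  },
};

// Stand-alone use: `node scan-lock.js path/to/package-lock.json`.
// With no argument the constructed samples are scanned instead.
if (typeof process !== "undefined" && typeof require !== "undefined") {
  const file = process.argv[2];
  const targets = file
    ? [[file, JSON.parse(require("fs").readFileSync(file, "utf8"))]]
    : [["sample v3", SAMPLE_LOCK_V3], ["sample v1", SAMPLE_LOCK_V1]];
  for (const [label, lock] of targets) {
    const hits = findCompromised(lock);
    for (const h of hits) {
      console.log(`${label}: ${h.path} is color-string@${h.version} (compromised)`);
    }
    if (hits.length === 0) console.log(`${label}: no affected color-string version pinned`);
    // Non-zero exit only for a real file, so CI jobs can gate on it.
    if (file && hits.length > 0) process.exitCode = 1;
  }
}
```

Run it against a real lockfile with `node scan-lock.js path/to/package-lock.json`; an exit code of 1 means the compromised version is pinned somewhere in the tree, and the node_modules removal, cache clean and bundle rebuild listed above should follow. `npm ls color-string` gives the same answer for an installed tree, but the lockfile check also works in CI before anything is installed.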
Affected Products
Color-String