PT-2025-37746 · Npm · Debug

Charlie Eriksen · Published 2025-09-08 · Updated 2025-09-30 · CVE-2025-59144

CVSS v4.0: 8.8 (High)

Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N/E:A/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:Red

Name of the Vulnerable Software and Affected Versions

debug version 4.4.2

Description

The npm publishing account for debug was compromised following a phishing attack on September 8, 2025. Version 4.4.2 was published with a malicious payload designed to redirect cryptocurrency transactions within browser environments. Environments that do not use the package in a browser context, such as local, server, or command-line applications, are not affected. The malware specifically targets cryptocurrency transactions and wallets like MetaMask.

Recommendations

Upgrade to the latest patch version, completely remove the node_modules directory, clean the package manager's global cache, and rebuild any browser bundles. Those operating private registries or registry mirrors should purge the compromised versions from any caches. If suspicious behavior persists after performing these steps, contact the package owner via Bluesky at https://bsky.app/profile/bad-at-computer.bsky.social or through the tracking issue on the debug repository at https://github.com/debug-js/debug/issues/1005.
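
Before cleaning up, it helps to know where the affected version is pinned, including copies nested under other dependencies. The following check is an added example, not part of the advisory or the debug project. It scans a parsed package-lock.json for debug 4.4.2, and the function name, sample lockfiles and package names in them are constructed for illustration.

```javascript
// Added example: locate installs of the compromised release in a parsed
// package-lock.json. Handles lockfileVersion 2/3 ("packages" map) and
// lockfileVersion 1 (nested "dependencies" tree).
const COMPROMISED = { name: 'debug', versions: ['4.4.2'] }; // from the advisory

function findCompromised(lock, target = COMPROMISED) {
  const hits = [];
  const isBad = (name, meta) =>
    name === target.name && target.versions.includes(meta.version);

  if (lock.packages) {
    // v2/v3: flat map keyed by install path, "" is the root project itself.
    for (const [path, meta] of Object.entries(lock.packages)) {
      if (path === '') continue;
      // Aliased installs carry the real name in meta.name; otherwise take the
      // last path component (scoped names such as @acme/debug stay intact).
      const name = meta.name || path.split('node_modules/').pop();
      if (isBad(name, meta)) hits.push(path);
    }
    return hits.sort();
  }
  // v1: every entry may carry its own nested "dependencies".
  (function walk(deps, prefix) {
    for (const [name, meta] of Object.entries(deps || {})) {
      const path = `${prefix}node_modules/${name}`;
      if (isBad(name, meta)) hits.push(path);
      walk(meta.dependencies, `${path}/`);
    }
  })(lock.dependencies, '');
  return hits.sort();
}

// Constructed sample lockfiles (not real projects).
const SAMPLE_V3 = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'shop-frontend', version: '1.0.0' },
    'node_modules/debug': { version: '4.4.1' },
    'node_modules/express/node_modules/debug': { version: '4.4.2' },
    'node_modules/@acme/debug': { version: '4.4.2' }, // different package
  },
};
const SAMPLE_V1 = {
  lockfileVersion: 1,
  dependencies: {
    debug: { version: '4.4.2' },
    mocha: { version: '10.0.0', dependencies: { debug: { version: '4.3.4' } } },
  },
};
console.log(findCompromised(SAMPLE_V3), findCompromised(SAMPLE_V1));
```

A clean result only means the lockfile no longer pins the affected version. Previously built browser bundles and package caches still need the rebuild and purge steps listed above.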

Exploit

Fix

RCE

Weakness Enumeration

Related Identifiers

BDU:2026-00374
CVE-2025-59144
GHSA-4X49-VF9V-38PX
GHSA-8MGJ-VMR8-FRR6
MAL-2025-46974

Affected Products

Debug