CVE-2025-59141
BaseFortify
Publication date: 2025-09-15
Last updated on: 2025-09-16
Assigner: GitHub, Inc.
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| qix | simple_swizzle | 0.2.4 |
| slice_ansi | slice_ansi | 7.1.1 |
| wrap_ansi | wrap_ansi | 9.0.1 |
| qix | simple_swizzle | 0.2.3 |
| debug | debug | 4.4.2 |
| color_string | color_string | 2.1.1 |
| chalk_template | chalk_template | 1.1.1 |
| strip_ansi | strip_ansi | 7.1.1 |
| supports_hyperlinks | supports_hyperlinks | 4.1.1 |
| color_convert | color_convert | 3.1.1 |
| color_name | color_name | 2.0.1 |
| chalk | chalk | 5.6.1 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-506 | The product contains code that appears to be malicious in nature. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-59141 is a vulnerability in the npm package simple-swizzle version 0.2.3, which was compromised after the maintainer's npm publishing account was taken over via a phishing attack. The attacker published a malicious version that was functionally identical to the previous one but included malware designed to redirect cryptocurrency transactions to attacker-controlled addresses when used in browser environments. This malware specifically targets cryptocurrency wallets like MetaMask and operates only in browser contexts, not affecting local, server, or command-line environments. The compromised package was removed from npm, and a patched version 0.2.4 was released to fix the issue. Users are advised to update, clear caches, and rebuild browser bundles to remove the malware. [1]
How can this vulnerability impact me?
If you use the simple-swizzle package version 0.2.3 in a browser environment (such as through direct script inclusion or bundling tools like Babel, Rollup, Vite, Next.js), this vulnerability can redirect your cryptocurrency transactions to attacker-controlled addresses, resulting in theft of your cryptocurrency funds. Local, server, or command-line uses of the package are not affected. The malware targets wallets like MetaMask and can cause financial loss by hijacking crypto payments. [1, 2]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection involves checking whether your project or bundles include the compromised simple-swizzle version 0.2.3, especially in browser contexts. You can inspect your package-lock.json or yarn.lock files for simple-swizzle@0.2.3. Additionally, scanning your built browser bundles for suspicious code that redirects cryptocurrency transactions may help. Commands to detect the compromised package version include:

1. Using npm or yarn to check installed versions:
   - `npm ls simple-swizzle`
   - `yarn list simple-swizzle`
2. Searching for the compromised version in lock files:
   - `grep 'simple-swizzle@0.2.3' package-lock.json`
   - `grep 'simple-swizzle@0.2.3' yarn.lock`
3. Searching built bundles for suspicious strings or addresses related to cryptocurrency redirection (e.g., attacker addresses) using grep or similar tools:
   - `grep -r '0x' dist/`

Note that the malware only activates in browser environments and targets cryptocurrency wallets like MetaMask, so local or server-side detection may not reveal it directly. [1, 2]
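The lock-file check above, carried out as an added example that is not part of this advisory: a small Node.js script that walks a package-lock.json (lockfileVersion 1, 2 or 3) and reports every install path whose package@version pair appears in the affected-versions table on this page. The sample lock file is constructed, and the indicator list is an assumption taken from the table (minus 0.2.4, which the page describes as the patched release).

```javascript
// Added example, not from the advisory: scan a package-lock.json for the package@version
// pairs this page lists as affected. The lock file below is constructed for the demo.
// Indicator list is assumed from this page's table (0.2.4 is the patched release, so it is
// excluded); treat it as an assumption and keep it in sync with your own advisory feed.
const AFFECTED = new Set([
  'simple-swizzle@0.2.3', 'chalk@5.6.1', 'debug@4.4.2', 'color-string@2.1.1',
  'color-convert@3.1.1', 'color-name@2.0.1', 'strip-ansi@7.1.1', 'slice-ansi@7.1.1',
  'wrap-ansi@9.0.1', 'chalk-template@1.1.1', 'supports-hyperlinks@4.1.1',
]);
// Package name from a lockfile v2/v3 key such as
// "node_modules/color-string/node_modules/simple-swizzle" or "node_modules/@scope/pkg".
function nameFromPath(p) {
  const i = p.lastIndexOf('node_modules/');
  return i === -1 ? p : p.slice(i + 'node_modules/'.length);
}
// Return every affected entry as { name, version, where }; handles lockfileVersion 1, 2 and 3.
function findAffected(lock) {
  const hits = [];
  const check = (name, version, where) => {
    if (AFFECTED.has(`${name}@${version}`)) hits.push({ name, version, where });
  };
  if (lock.packages) {                      // v2/v3: flat map keyed by install path
    for (const [p, meta] of Object.entries(lock.packages)) {
      if (p === '') continue;               // "" is the root project itself
      check(meta.name || nameFromPath(p), meta.version, p);
    }
  } else if (lock.dependencies) {           // v1: nested dependency tree
    const walk = (deps, prefix) => {
      for (const [name, meta] of Object.entries(deps)) {
        const where = `${prefix}node_modules/${name}`;
        check(name, meta.version, where);
        if (meta.dependencies) walk(meta.dependencies, `${where}/`);
      }
    };
    walk(lock.dependencies, '');
  }
  return hits;
}
// Constructed sample: the top-level copy is already patched, but a nested copy pulled in
// by color-string is still 0.2.3, which a check of package.json alone would miss.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', version: '1.0.0' },
    'node_modules/simple-swizzle': { version: '0.2.4' },
    'node_modules/color-string': { version: '2.1.1' },
    'node_modules/color-string/node_modules/simple-swizzle': { version: '0.2.3' },
  },
};
for (const h of findAffected(SAMPLE_LOCK)) console.log(`AFFECTED ${h.name}@${h.version} at ${h.where}`);
```

To scan a real project, replace SAMPLE_LOCK with `JSON.parse(require('fs').readFileSync('package-lock.json', 'utf8'))`; a yarn.lock is a different format and still needs the grep shown above.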
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include:

1. Update simple-swizzle to version 0.2.4 or later, which removes the malicious payload.
2. Completely remove your node_modules directory to eliminate the compromised package.
3. Clear your package manager's global cache (e.g., `npm cache clean --force`).
4. Rebuild all browser bundles from scratch to ensure no compromised code remains.
5. If you operate private registries or mirrors, purge any cached copies of the compromised version 0.2.3.

Following these steps will remove the malware that redirects cryptocurrency transactions in browser environments. [1]