CVE-2025-59331
BaseFortify
Publication date: 2025-09-15
Last updated on: 2025-09-16
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| ansi-styles | ansi-styles | 6.2.2 |
| proto-tinker-wc | proto-tinker-wc | 1.8.7 |
| color-convert | color-convert | 3.1.1 |
| supports-color | supports-color | 10.2.1 |
| color-string | color-string | 2.1.1 |
| wrap-ansi | wrap-ansi | 9.0.1 |
| chalk-template | chalk-template | 1.1.1 |
| ansi-regex | ansi-regex | 6.2.1 |
| strip-ansi | strip-ansi | 7.1.1 |
| supports-hyperlinks | supports-hyperlinks | 4.1.1 |
| error-ex | error-ex | 1.3.3 |
| simple-swizzle | simple-swizzle | 0.2.3 |
| chalk | chalk | 5.6.1 |
| qix | is-arrayish | 0.3.4 |
| has-ansi | has-ansi | 6.0.1 |
| debug-js | debug | 4.4.2 |
| color-name | color-name | 2.0.1 |
| slice-ansi | slice-ansi | 7.1.1 |
| qix | is-arrayish | 0.3.3 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-506 | The product contains code that appears to be malicious in nature. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-59331 is a vulnerability in the npm package is-arrayish where the attacker's phishing attack led to the takeover of the package's publishing account. The attacker published version 0.3.3 containing malware that intercepts and redirects cryptocurrency transactions within browser environments to the attacker's addresses. This malware targets wallets like MetaMask and affects only browser contexts, not local, server, or command-line environments. The compromised version was removed from npm, and a clean patch version 0.3.4 was released to fix the issue. [1]
How can this vulnerability impact me? :
If you use the is-arrayish package in a browser environment, this vulnerability can lead to malware redirecting your cryptocurrency transactions to an attacker's wallet, potentially causing financial loss. Local, server, or command-line uses are not affected. Users with affected browser bundles need to update to version 0.3.4, clear caches, and rebuild bundles to remove the malware. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection involves identifying if the compromised version 0.3.3 of is-arrayish is present in browser bundles or projects. You can check your package.json and package-lock.json or yarn.lock files for is-arrayish version 0.3.3. Additionally, search your built browser bundles for suspicious code related to cryptocurrency transaction redirection. Commands to detect the compromised package version include: `npm ls is-arrayish` or `yarn list is-arrayish`. To search for the malware payload in bundles, you might use `grep -r 'is-arrayish' ./dist` or similar in your build output directories. [1]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include: 1) Update is-arrayish to version 0.3.4 or later. 2) Completely remove your node_modules directory. 3) Clear your package manager's global cache (e.g., `npm cache clean --force` or `yarn cache clean`). 4) Rebuild all browser bundles from scratch to ensure no compromised code remains. 5) If you operate private registries or mirrors, purge the compromised version 0.3.3 from caches. These steps ensure removal of the malware payload and prevent further infection. [1]