Description
On 8 September 2025, the npm publishing account for debug was taken over after a phishing attack. Version 4.4.2 was published, functionally identical to the previous patch version but with an added malware payload that, when run in a browser environment, attempts to redirect cryptocurrency transactions to attacker-controlled addresses.
Recommendation
Update the debug package to the latest compatible version. Affected and patched versions:
- Affected version(s): = 4.4.2
- Patched version(s): 4.4.3
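Checking that the compromised release is not installed is a lockfile question rather than a `package.json` question: a project that declares `debug@^4.4.0` may still have resolved 4.4.2, and a second copy can sit nested under another dependency. The script below is an added example (not code from the advisory or from the debug project) that scans an npm `package-lock.json` for `debug@4.4.2`, handling lockfile versions 1, 2 and 3. The two lockfiles embedded in it are constructed for the example; the dependency names `dep-a` and `dep-b` are placeholders.

```javascript
// Added example: scan an npm lockfile for the compromised debug@4.4.2 release.
// Handles lockfileVersion 2/3 ("packages" map keyed by install path) and
// lockfileVersion 1 (nested "dependencies" tree). Not part of the advisory
// or the debug project; the sample lockfiles below are constructed.

const AFFECTED = { name: "debug", versions: new Set(["4.4.2"]) };
const PATCHED = "4.4.3";

// v1 lockfiles nest transitive dependencies under each entry's "dependencies".
function walkV1(deps, prefix, hits) {
  for (const [name, entry] of Object.entries(deps || {})) {
    const path = `${prefix}node_modules/${name}`;
    if (name === AFFECTED.name && AFFECTED.versions.has(entry.version)) {
      hits.push({ path, version: entry.version });
    }
    if (entry.dependencies) walkV1(entry.dependencies, `${path}/`, hits);
  }
}

// v2/v3 lockfiles key every installed package by its path, e.g.
// "node_modules/debug" or "node_modules/dep-b/node_modules/debug".
function walkV2(packages, hits) {
  const marker = "node_modules/";
  for (const [path, entry] of Object.entries(packages)) {
    if (path === "") continue; // the root project entry
    const idx = path.lastIndexOf(marker);
    if (idx === -1) continue; // workspace entries like "packages/foo"
    // Aliased installs carry an explicit "name"; otherwise derive it from the path.
    const name = entry.name || path.slice(idx + marker.length);
    if (name === AFFECTED.name && AFFECTED.versions.has(entry.version)) {
      hits.push({ path, version: entry.version });
    }
  }
}

// Returns every occurrence of debug at an affected version, with its install path.
function findAffected(lockfile) {
  const hits = [];
  if (lockfile.packages) walkV2(lockfile.packages, hits);
  else if (lockfile.dependencies) walkV1(lockfile.dependencies, "", hits);
  return hits;
}

function report(lockfile) {
  const hits = findAffected(lockfile);
  if (hits.length === 0) return `No ${AFFECTED.name} at an affected version found.`;
  return hits
    .map((h) => `${h.path}: ${AFFECTED.name}@${h.version} is compromised; update to ${PATCHED}`)
    .join("\n");
}

// Constructed lockfileVersion 3 sample: top-level debug is already patched,
// but a nested copy under dep-b resolved to the compromised release.
const sampleLockfile = {
  name: "example-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "example-app", version: "1.0.0" },
    "node_modules/dep-a": { version: "2.0.0" },
    "node_modules/debug": { version: "4.4.3" },
    "node_modules/dep-b": { version: "1.2.3" },
    "node_modules/dep-b/node_modules/debug": { version: "4.4.2" },
  },
};

// Constructed lockfileVersion 1 sample with the same nesting pattern.
const sampleLockfileV1 = {
  lockfileVersion: 1,
  dependencies: {
    "dep-a": { version: "2.0.0", dependencies: { debug: { version: "4.4.2" } } },
    debug: { version: "4.3.7" },
  },
};

// Stand-alone use: `node scan-debug.js ./package-lock.json` (CommonJS only);
// with no argument it scans the constructed v3 sample.
if (typeof require !== "undefined" && require.main === module) {
  const fs = require("fs");
  const file = process.argv[2];
  const lock = file ? JSON.parse(fs.readFileSync(file, "utf8")) : sampleLockfile;
  console.log(report(lock));
  process.exitCode = findAffected(lock).length ? 1 : 0;
}
```

A non-zero exit code makes the check usable as a CI gate; run it against every lockfile in a monorepo, since a workspace lockfile can resolve the same package at different versions in different places. Bumping `debug` to 4.4.3 in a root `package.json` does not necessarily update a nested copy whose parent pins an older range, so re-run the scan after the update.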
References
- GHSA-4x49-vf9v-38px
- socket.dev
- www.aikido.dev
- www.ox.security
- CVE-2025-59144
- CWE-506
- CAPEC-310
- OWASP 2021-A6
Related Issues
- cors-anywhere vulnerable to server-side request forgery - CVE-2020-36851
- Trix vulnerable to Cross-site Scripting on copy & paste - CVE-2025-46812
- Froala WYSIWYG editor allows cross-site scripting (XSS) - CVE-2024-51434
- Vue I18n Allows Prototype Pollution in `handleFlatJson` - CVE-2025-27597
Tags:
- npm
- debug
Last updated on September 15, 2025