Description
On 8 September 2025, the npm publishing account for debug was taken over after a phishing attack. Version 4.4.2 was published, functionally identical to the previous patch version but with a malware payload added that attempts, from within browser environments, to redirect cryptocurrency transactions to the attacker's own addresses.
Recommendation
Update the debug package to the latest compatible version. Version details follow:
- Affected version(s): = 4.4.2
- Patched version(s): 4.4.3
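Because debug is usually pulled in transitively, a copy of 4.4.2 can sit nested under another dependency while the top-level copy is already clean. The following script, an added example that is not part of this advisory, scans a package-lock.json (lockfileVersion 1 nested tree or lockfileVersion 2/3 flat "packages" map) and reports every installed copy of debug at the affected version; the sample lockfile embedded in it is constructed for illustration.

```python
"""Find installed copies of the compromised debug@4.4.2 in an npm lockfile.

Added example, not part of the advisory. Handles lockfileVersion 1 (nested
"dependencies" tree) and lockfileVersion 2/3 (flat "packages" map), since a
nested copy (node_modules/foo/node_modules/debug) is easy to overlook.
"""
import json

PACKAGE = "debug"
AFFECTED = {"4.4.2"}   # from the advisory: exactly one malicious release
PATCHED = "4.4.3"

def _walk_v1(deps, path, found):
    """Recurse through a lockfileVersion 1 'dependencies' tree."""
    for name, info in (deps or {}).items():
        here = f"{path}node_modules/{name}"
        if name == PACKAGE:
            found.append((here, info.get("version")))
        _walk_v1(info.get("dependencies"), here + "/", found)

def find_debug_versions(lock):
    """Return [(install path, version)] for every installed copy of debug."""
    found = []
    if "packages" in lock:   # lockfileVersion 2 or 3: keys are install paths
        for path, info in lock["packages"].items():
            # last path segment after the final "node_modules/" is the name;
            # this also excludes "@types/debug" and "debug-something"
            if path.split("node_modules/")[-1] == PACKAGE:
                found.append((path, info.get("version")))
    else:                    # lockfileVersion 1: nested dependency objects
        _walk_v1(lock.get("dependencies"), "", found)
    return found

def affected_entries(lock):
    """Only the copies whose version is the compromised one."""
    return [(p, v) for p, v in find_debug_versions(lock) if v in AFFECTED]

# Constructed sample lockfile (v3 layout): clean top-level debug, plus a
# nested compromised copy pulled in by a transitive dependency.
SAMPLE_LOCK = json.loads("""{
  "name": "app", "lockfileVersion": 3,
  "packages": {
    "": {"dependencies": {"debug": "^4.4.0", "some-lib": "1.0.0"}},
    "node_modules/debug": {"version": "4.4.3"},
    "node_modules/some-lib": {"version": "1.0.0"},
    "node_modules/some-lib/node_modules/debug": {"version": "4.4.2"}
  }
}""")

if __name__ == "__main__":
    for path, version in affected_entries(SAMPLE_LOCK):
        print(f"COMPROMISED {PACKAGE}@{version} at {path}; upgrade to {PATCHED}")
```

Point the script at a real lockfile with `json.load(open("package-lock.json"))` in place of SAMPLE_LOCK; a non-empty result means `npm update debug` (or an override to 4.4.3) is still needed for that install path.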
References
- GHSA-4x49-vf9v-38px
- socket.dev
- www.aikido.dev
- www.ox.security
- CVE-2025-59144
- CWE-506
- CAPEC-310
- OWASP 2021-A6
- Tags:
- npm
- debug
Last updated on September 15, 2025