Description
On 8 September 2025, the npm publishing account for debug was taken over after a phishing attack. Version 4.4.2 was published, functionally identical to the previous patch version, but with a malware payload added that attempts to redirect cryptocurrency transactions to the attacker's own addresses from within browser environments.
Recommendation
Update the debug package to the latest compatible version. Version details are as follows:
- Affected version(s): = 4.4.2
- Patched version(s): 4.4.3
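Because debug is usually pulled in transitively, a single nested copy of 4.4.2 can sit under another dependency while the top-level copy is already patched. The following added example (not from the advisory or the debug project) scans a package-lock.json, both the flat "packages" map of lockfileVersion 2/3 and the nested "dependencies" tree of lockfileVersion 1, and reports every install path whose version matches the affected release; the embedded lockfiles are constructed samples.

```python
import json

# Versions named in the advisory: only 4.4.2 of debug carried the payload.
AFFECTED_VERSIONS = {"debug": {"4.4.2"}}

def _walk_v1(deps, prefix, hits):
    """Recurse through a lockfileVersion 1 'dependencies' tree."""
    for name, meta in (deps or {}).items():
        path = f"{prefix}node_modules/{name}"
        if meta.get("version") in AFFECTED_VERSIONS.get(name, ()):
            hits.append((path, name, meta["version"]))
        _walk_v1(meta.get("dependencies"), path + "/", hits)

def find_affected(lock_text):
    """Return [(install_path, name, version)] for every affected install.
    Handles lockfileVersion 1 (nested 'dependencies') and 2/3 (flat 'packages')."""
    lock = json.loads(lock_text)
    hits = []
    for path, meta in lock.get("packages", {}).items():
        if not path:  # "" is the root project itself, not a dependency
            continue
        # Aliased installs carry an explicit "name"; otherwise the name is the
        # last path segment (this keeps "@scope/pkg" intact).
        name = meta.get("name") or path.rsplit("node_modules/", 1)[-1]
        if meta.get("version") in AFFECTED_VERSIONS.get(name, ()):
            hits.append((path, name, meta["version"]))
    if "packages" not in lock:  # lockfileVersion 1 only has the nested tree
        _walk_v1(lock.get("dependencies"), "", hits)
    return hits

# Constructed sample lockfiles: the top-level debug is patched, but a nested
# copy under a hypothetical dependency "some-dep" is still the compromised release.
SAMPLE_LOCK_V3 = json.dumps({
    "name": "demo-app", "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app", "version": "1.0.0"},
        "node_modules/debug": {"version": "4.4.3"},
        "node_modules/some-dep": {"version": "1.0.0"},
        "node_modules/some-dep/node_modules/debug": {"version": "4.4.2"},
    },
})
SAMPLE_LOCK_V1 = json.dumps({
    "lockfileVersion": 1,
    "dependencies": {
        "some-dep": {"version": "1.0.0",
                     "dependencies": {"debug": {"version": "4.4.2"}}},
        "debug": {"version": "4.4.3"},
    },
})

if __name__ == "__main__":
    for sample in (SAMPLE_LOCK_V3, SAMPLE_LOCK_V1):
        for path, name, version in find_affected(sample):
            print(f"AFFECTED: {name}@{version} at {path}")
```

Point `find_affected` at the contents of a real package-lock.json; an empty result means no install of debug@4.4.2 is pinned anywhere in the tree.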
References
- GHSA-4x49-vf9v-38px
- socket.dev
- www.aikido.dev
- www.ox.security
- CVE-2025-59144
- CWE-506
- CAPEC-310
- OWASP 2021-A6
Related Issues
- Nu Html Checker (vnu) contains a Server-Side Request Forgery (SSRF) vulnerability - CVE-2025-15104
- Vega Cross-Site Scripting (XSS) via expressions abusing toString calls in environments using the VEGA_DEBUG global varia (GHSA-7f2v-3qq3-vvjf) - CVE-2025-59840
Tags
- npm
- debug
Last updated on September 15, 2025