Description
On 8 September 2025, the npm publishing account for debug was taken over after a phishing attack. Version 4.4.2 was then published: functionally identical to the previous patch release, but with an added malware payload that, when running inside a browser environment, attempts to redirect cryptocurrency transactions to the attacker's own addresses.
Recommendation
Update the debug package to the latest compatible version. Version details:
- Affected version(s): = 4.4.2
- Patched version(s): 4.4.3
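Before updating, it helps to know exactly where the compromised release sits in a dependency tree, since debug is usually pulled in transitively. The following is an added example, not code from the advisory or from the debug project: it scans a parsed npm package-lock.json (lockfileVersion 2/3 "packages" map, and the older lockfileVersion 1 nested "dependencies" tree) for debug@4.4.2 and, when found, suggests an npm "overrides" entry pinning the patched 4.4.3. The lockfiles embedded below are constructed for illustration; the function names (findAffected, buildReport) are this example's own.

```javascript
// Added example: locate the compromised debug@4.4.2 release in an npm lockfile
// and produce a remediation hint. Not part of the advisory or the debug project.

const AFFECTED = { name: 'debug', versions: new Set(['4.4.2']) }; // from the advisory
const PATCHED_VERSION = '4.4.3';                                   // from the advisory

// Derive the package name from a lockfile v2/v3 path such as
// "node_modules/express/node_modules/debug" or "node_modules/@scope/pkg".
function nameFromPath(path) {
  const marker = 'node_modules/';
  return path.slice(path.lastIndexOf(marker) + marker.length);
}

// Walk the lockfileVersion 1 nested "dependencies" tree recursively.
function walkV1(deps, prefix, affected, hits) {
  for (const [name, meta] of Object.entries(deps || {})) {
    const path = `${prefix}node_modules/${name}`;
    if (name === affected.name && affected.versions.has(meta.version)) {
      hits.push({ path, version: meta.version, resolved: meta.resolved || null });
    }
    walkV1(meta.dependencies, `${path}/`, affected, hits);
  }
}

// Return every install path in the lockfile that pins an affected version.
function findAffected(lockfile, affected = AFFECTED) {
  const hits = [];
  if (lockfile.packages) {
    // lockfileVersion 2/3: flat map keyed by install path; "" is the root project.
    for (const [path, meta] of Object.entries(lockfile.packages)) {
      if (path === '') continue;
      const name = meta.name || nameFromPath(path); // "name" is set for aliased installs
      if (name === affected.name && affected.versions.has(meta.version)) {
        hits.push({ path, version: meta.version, resolved: meta.resolved || null });
      }
    }
  } else {
    walkV1(lockfile.dependencies, '', affected, hits);
  }
  return hits;
}

// Summarise the findings and, if anything is affected, suggest an npm
// "overrides" block that forces every copy of debug to the patched version.
function buildReport(lockfile) {
  const hits = findAffected(lockfile);
  return {
    affected: hits.length > 0,
    hits,
    overrides: hits.length > 0 ? { [AFFECTED.name]: PATCHED_VERSION } : null,
  };
}

// Constructed sample lockfiles (not from a real project).
const SAMPLE_LOCKFILE_V3 = {
  name: 'example-app',
  lockfileVersion: 3,
  packages: {
    '': { name: 'example-app', version: '1.0.0' },
    'node_modules/express': { version: '4.19.2', dependencies: { debug: '2.6.9' } },
    'node_modules/express/node_modules/debug': { version: '2.6.9' }, // old, not affected
    'node_modules/debug': {
      version: '4.4.2',
      resolved: 'https://registry.npmjs.org/debug/-/debug-4.4.2.tgz',
    },
  },
};

const SAMPLE_LOCKFILE_V1 = {
  name: 'legacy-app',
  lockfileVersion: 1,
  dependencies: {
    'some-lib': { version: '1.2.3', dependencies: { debug: { version: '4.4.2' } } },
    debug: { version: '4.4.3' }, // already patched at the top level
  },
};

// When run directly with a lockfile path, scan that file; otherwise show the samples.
if (typeof require !== 'undefined' && typeof process !== 'undefined' && process.argv[2]) {
  const fs = require('fs');
  const lock = JSON.parse(fs.readFileSync(process.argv[2], 'utf8'));
  console.log(JSON.stringify(buildReport(lock), null, 2));
} else {
  console.log(JSON.stringify(buildReport(SAMPLE_LOCKFILE_V3), null, 2));
  console.log(JSON.stringify(buildReport(SAMPLE_LOCKFILE_V1), null, 2));
}
```

Run it as `node scan-debug.js ./package-lock.json` against a real project; the "overrides" object it prints can be copied into package.json (an npm feature, supported since npm 8.3) so that a subsequent `npm install` pins every nested copy of debug to 4.4.3, after which re-running the scan should report no hits.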
References
- GHSA-4x49-vf9v-38px
- socket.dev
- www.aikido.dev
- www.ox.security
- CVE-2025-59144
- CWE-506
- CAPEC-310
- OWASP 2021-A6
Related Issues
- Feathers has an OAuth Callback Account Takeover issue - CVE-2026-29792
- Parse Server: Account takeover via JWT algorithm confusion in Google auth adapter - CVE-2026-27804
- Parse Server OAuth2 authentication adapter account takeover via identity spoofing - CVE-2026-30967
- Feathers has an open redirect in OAuth callback enables account takeover - CVE-2026-27191
Tags:
- npm
- debug
Last updated on September 15, 2025