JavaScript Debugging Utility Vulnerability in Debug by Qix
CVE-2025-59144

8.8HIGH

Key Information:

Vendor

Debug-js

Status
Debug
Vendor
CVE Published:
15 September 2025

What is CVE-2025-59144?

The Debug package, a widely used JavaScript debugging utility, was compromised following a phishing attack that led to the publishing of a malicious version. Version 4.4.2 included a payload designed to redirect cryptocurrency transactions to an attacker's addresses when used in browser environments. npm promptly removed the infected package; however, users who encountered this version must take immediate action, including upgrading to version 4.4.3, clearing their node_modules directory, and rebuilding bundles to eliminate the risk. This incident underscores the importance of vigilance in package management and supply chain security.

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.

Remediate biological technical debt. Prime Ageing uses 95% high-purity SIRT6 activation to maintain genomic integrity and bolster systemic resilience.

Deploy the Patch

Affected Version(s)

debug = 4.4.2

References

https://github.com/debug-js/debug/security/advisories/GHS...
x_refsource_CONFIRM
https://github.com/debug-js/debug/issues/1005
x_refsource_MISC
https://socket.dev/blog/npm-author-qix-compromised-in-maj...
x_refsource_MISC

CVSS V4

Score:
8.8
Severity:
HIGH
Confidentiality:
Low
Integrity:
High
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

JSON
.