JavaScript Debugging Utility Vulnerability in Debug by Qix
CVE-2025-59144

8.8 HIGH

Key Information:

Vendor: Debug-js

Status
Vendor
CVE Published: 15 September 2025

What is CVE-2025-59144?

The debug package, a widely used JavaScript debugging utility, was compromised after a phishing attack led to the publication of a malicious version. Version 4.4.2 included a payload designed to redirect cryptocurrency transactions to the attacker's addresses when the package is used in browser environments. npm promptly removed the infected package; however, users who installed this version must take immediate action: upgrade to version 4.4.3, clear the node_modules directory, and rebuild bundles to eliminate the risk. This incident underscores the importance of vigilance in package management and supply chain security.
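The following is an added example, not code from the advisory or from the debug project: a Node.js check that lists every resolved copy of debug 4.4.2 in an npm lockfile, including copies nested under other dependencies. The function name, the sample lockfile and its package paths are constructed for illustration.

```javascript
// Added example (not from the advisory): locate resolved copies of debug 4.4.2
// in an npm lockfile. SAMPLE_LOCK below is constructed for illustration.
const BAD = { name: "debug", version: "4.4.2" }; // affected version per the advisory

function findCompromised(lockText) {
  const lock = JSON.parse(lockText);
  const hits = [];

  // lockfileVersion 2/3: flat "packages" map keyed by install path.
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (path === "") continue; // root project entry, not a dependency
    // Name is the text after the last "node_modules/", unless npm recorded an alias.
    const name = meta.name || path.split("node_modules/").pop();
    if (name === BAD.name && meta.version === BAD.version) hits.push(path);
  }

  // lockfileVersion 1 (and the legacy half of v2): nested "dependencies" tree.
  const walk = (deps, trail) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const here = `${trail}node_modules/${name}`;
      const bad = name === BAD.name && meta.version === BAD.version;
      if (bad && !hits.includes(here)) hits.push(here);
      walk(meta.dependencies, `${here}/`);
    }
  };
  walk(lock.dependencies, "");
  return hits;
}

// Constructed sample: the top-level copy is fixed, a nested copy is still 4.4.2.
const SAMPLE_LOCK = JSON.stringify({
  name: "demo-app", lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/debug": { version: "4.4.3" },
    "node_modules/express/node_modules/debug": { version: "4.4.2" },
    "node_modules/ms": { version: "2.1.3" },
  },
});

if (process.argv[2]) {
  // Usage: node check-debug.js path/to/package-lock.json
  import("node:fs").then((fs) => {
    const hits = findCompromised(fs.readFileSync(process.argv[2], "utf8"));
    console.log(hits.length ? hits.join("\n") : "no debug@4.4.2 found");
    process.exitCode = hits.length ? 1 : 0;
  });
} else {
  console.log(findCompromised(SAMPLE_LOCK));
}
```

A clean lockfile says nothing about bundles built while 4.4.2 was installed, so the rebuild step in the advisory still applies.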

Affected Version(s)

debug = 4.4.2

CVSS V4

Score: 8.8
Severity: HIGH
Confidentiality: Low
Integrity: High
Availability: None
Attack Vector: Network
Attack Complexity: Low
Attack Required: None
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved
