JavaScript Vulnerability in Color Conversion Tool by Qix
CVE-2025-59162

8.8 HIGH

Key Information:

Vendor: Qix-
CVE Published: 15 September 2025

What is CVE-2025-59162?

The color-convert library, a widely used plain color conversion package for JavaScript, was compromised after a phishing attack on its npm publishing account on September 8, 2025. The attacker published version 3.1.1, which mimicked the previous release but carried a malicious payload designed to redirect cryptocurrency transactions in browser environments. Local and server environments remain unaffected, but users who bundled the compromised version into browser code are at risk, particularly those using popular bundling tools such as Babel and Rollup. npm removed the malicious package promptly after disclosure; users are nevertheless urged to upgrade to version 3.1.2, delete any existing node_modules directories, purge package manager caches, and rebuild affected browser bundles, since the malware targets cryptocurrency wallets such as MetaMask.
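As an added example (not code from the advisory or the color-convert project), the following Python check flags copies pinned to the affected release in a package-lock.json or an installed node_modules tree and lists the remediation steps the advisory gives; the sample lockfile, package names other than color-convert, and the function names are constructed for illustration.

```python
"""Flag the compromised color-convert 3.1.1 release in an npm project (added example)."""
import json
from pathlib import Path

AFFECTED = {"color-convert": {"3.1.1"}}  # affected release per the advisory
FIXED_VERSION = "3.1.2"

def affected_in_lockfile(lock_text):
    """Return [(install path, version)] for lockfile entries pinned to an affected release.
    Uses the flat "packages" map of lockfileVersion 2/3, so nested transitive copies are found."""
    lock = json.loads(lock_text)
    hits = []
    for path, meta in lock.get("packages", {}).items():
        # root project is keyed ""; aliases carry "name"; scoped packages keep "@scope/name"
        name = meta.get("name") or path.rsplit("node_modules/", 1)[-1]
        if meta.get("version") in AFFECTED.get(name, ()):
            hits.append((path, meta["version"]))
    return hits

def affected_in_node_modules(root):
    """Walk an installed node_modules tree (nested copies included) via each package.json."""
    hits = []
    for pkg_json in Path(root).rglob("package.json"):
        try:
            meta = json.loads(pkg_json.read_text(encoding="utf-8"))
        except (OSError, ValueError):
            continue  # unreadable or non-JSON file: skip rather than abort the scan
        if isinstance(meta, dict) and meta.get("version") in AFFECTED.get(meta.get("name"), ()):
            hits.append((str(pkg_json.parent), meta["version"]))
    return hits

def remediation(hits):
    """Shell steps the advisory prescribes once an affected copy is found (empty when clean)."""
    if not hits:
        return []
    return ["rm -rf node_modules", "npm cache clean --force",
            f"npm install color-convert@{FIXED_VERSION}",
            "# rebuild every browser bundle from the clean tree"]

# Constructed lockfileVersion 3 sample: top-level copy already fixed, nested copy still 3.1.1.
SAMPLE_LOCK = json.dumps({"lockfileVersion": 3, "packages": {
    "": {"name": "demo-app", "version": "1.0.0"},
    "node_modules/color-convert": {"version": "3.1.2"},
    "node_modules/some-ui-kit": {"version": "2.0.0"},
    "node_modules/some-ui-kit/node_modules/color-convert": {"version": "3.1.1"}}})

if __name__ == "__main__":
    found = affected_in_lockfile(SAMPLE_LOCK)
    print(found, "\n".join(remediation(found)), sep="\n")
```

Point `affected_in_node_modules` at a project's node_modules directory to catch installs whose lockfile is missing or stale.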

Affected Version(s)

color-convert = 3.1.1

CVSS V4

Score: 8.8
Severity: HIGH
Confidentiality: Low
Integrity: High
Availability: None
Attack Vector: Network
Attack Complexity: Low
Attack Requirements: None
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability reserved
