Qix-/color-string
cpe:2.3:a:color-string_project:color-string:*:*:*:*:node.js:*:*
- 2.1.1
A vulnerability in the 'color-string' npm package was introduced after the package's publishing account was compromised through a phishing attack. The malicious version, '2.1.1', added a payload that redirected cryptocurrency transactions to the attacker's wallets, specifically targeting browser environments. This issue has been patched in version '2.1.2'.
The vulnerability allows for unauthorized interception and manipulation of cryptocurrency transactions, redirecting funds to attacker-controlled addresses.
The vulnerability can be reproduced by including the compromised 'color-string' package version '2.1.1' in a project, and then using a bundling tool that targets browser environments, such as Vite or Rollup. Once the project is built and the malicious version is included in the final bundle, the malware will activate by hooking into standard web APIs and wallet interfaces.
Users should update to 'color-string' version '2.1.2', remove the 'node_modules' directory, clean the package manager's global cache, and rebuild any browser bundles from scratch. Those using private registries should purge the compromised version from caches.
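To confirm that the clean rebuild described above actually removed the compromised release, the following POSIX shell scanner (an added example, not part of the advisory) walks a project tree for installed copies of 'color-string' at version '2.1.1', including nested copies under other packages, and checks whether 'package-lock.json' or 'yarn.lock' still pins that version. It assumes only sh, find, grep and awk; the lockfile heuristic looks for a key line naming the package followed by its version line.

```sh
#!/bin/sh
# Added example, not part of the advisory: locate installs of the compromised
# color-string 2.1.1 in a project tree (installed package.json files and the
# lockfile) so the rebuild-from-scratch remediation can be verified.
# Assumes POSIX sh, find, grep and awk. Lockfile handling covers npm's
# package-lock.json ("node_modules/<pkg>" keys) and yarn.lock.
AFFECTED_PKG="color-string"
AFFECTED_VER="2.1.1"

# 0 when the installed manifest at $1 is color-string at the affected version.
is_affected_manifest() {
    [ -f "$1" ] || return 1
    grep -q "\"name\": *\"$AFFECTED_PKG\"" "$1" &&
        grep -q "\"version\": *\"$AFFECTED_VER\"" "$1"
}

# 0 when the lockfile at $1 pins the affected version: a key line naming the
# package ("node_modules/color-string": {  or  color-string@^2.1.0:) followed
# by a version line carrying 2.1.1. Any other key line cancels a pending match,
# so a "color-string": "^2.1.0" entry inside a dependencies map is harmless.
lockfile_pins_affected() {
    [ -f "$1" ] || return 1
    awk -v pkg="$AFFECTED_PKG" -v ver="$AFFECTED_VER" '
        $0 ~ ("(^|/|\")" pkg "[\"@]") { inpkg = 1; next }
        inpkg && /version/ { if (index($0, ver)) hits++; inpkg = 0; next }
        /": *[{] *$/ || /^[^ ].*:$/ { inpkg = 0 }
        END { exit (hits > 0 ? 0 : 1) }
    ' "$1"
}

# Scan project directory $1 (default: .). Prints one line per hit and returns
# 0 if anything affected was found, 1 if the tree is clean. Nested copies
# (node_modules/x/node_modules/color-string) are included in the search.
scan_project() {
    dir="${1:-.}"
    found=1
    # word-splitting the find output is acceptable for paths without spaces
    for m in $(find "$dir" -path "*/node_modules/$AFFECTED_PKG/package.json" 2>/dev/null); do
        is_affected_manifest "$m" && { echo "AFFECTED install: $m"; found=0; }
    done
    for lock in "$dir/package-lock.json" "$dir/yarn.lock"; do
        lockfile_pins_affected "$lock" && { echo "AFFECTED lockfile: $lock"; found=0; }
    done
    return $found
}
```

Run `scan_project path/to/project` before and after the remediation; a clean tree prints nothing and exits 1. A hit after rebuilding usually means a package manager or private registry cache still served the compromised tarball.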