Color JavaScript Library Malware Injection Vulnerability

Vulnerability

A supply chain attack has compromised the 'color' JavaScript library, specifically version 5.0.1, published on September 8, 2025. This version is identical to the previous patch release apart from an added malware payload, and was introduced after the npm account of the library's author was hijacked through phishing. The malware targets cryptocurrency transactions by redirecting funds to attacker-controlled wallet addresses, but only when the library runs in a browser environment. npm has removed the malicious version from its registry, and users are advised to update to version 5.0.2, delete their node_modules directory, and rebuild any browser bundles from scratch.

Impact

The injected malware intercepts and manipulates cryptocurrency transactions, redirecting funds to attacker-controlled wallets. This occurs without any visible indication to the user, effectively hijacking the transaction process.

Reproduction

The vulnerability can be reproduced by including the compromised version of the 'color' library in a web application, either directly or through a bundling tool that targets browser environments. Once the application is running, the malware activates by detecting a connected cryptocurrency wallet, such as MetaMask, and begins intercepting transaction requests.

Remediation

Users should update to 'color' version 5.0.2, remove the 'node_modules' directory, clean the package manager's global cache, and rebuild any browser bundles. Those using private registries should purge the compromised versions from their caches.

Added: Sep 15, 2025, 10:34 PM
Updated: Sep 15, 2025, 10:34 PM

Vulnerability Rating

Custom Algorithm
spread          6.6
impact          2.5
exploitability  5.8
remediation     7.7
relevance       0.5
threat          6.4
urgency        10.0
incentive       0.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.