Color-Name Package in npm Registry Hijacked to Include Cryptocurrency Wallet-Draining Malware

Vulnerability

A phishing attack led to the takeover of an npm publishing account for the 'color-name' package, which is a JSON file containing CSS color names. The compromised version 2.0.1 was published on September 8, 2025, introducing malware that targeted cryptocurrency transactions by redirecting funds to the attacker's wallet addresses. This malicious version was active in browser environments, including bundles produced by build tools such as Babel, Rollup, Vite, and Next.js. The malware specifically targeted wallets such as MetaMask, and it may still be present in any browser bundle that was built while the compromised package was installed.

Impact

The injected malware intercepts and manipulates cryptocurrency transactions, redirecting funds from the victim's wallet to the attacker's wallet. This occurs without the user's knowledge: the malware operates silently in the background, altering transaction data before it is signed and broadcast to the blockchain.

Reproduction

The compromise can be reproduced by including 'color-name' version 2.0.1 in a project that is then bundled with a tool that supports JavaScript modules, such as Vite or Rollup. Once the project is built and the resulting bundle is loaded in a browser, the malware activates by hooking the 'fetch' and 'XMLHttpRequest' APIs and the 'window.ethereum' object, which is the interface web pages use to talk to Ethereum wallets.
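The hooks described above leave a detectable trace: a built-in such as 'fetch' that has been replaced by JavaScript no longer reads as native code, and a wallet provider method that has been re-wrapped is no longer the same function object it was before the bundle ran. The following is an added defender-side integrity check, not code from the advisory or from the color-name project. It assumes the page captures a snapshot of the relevant APIs in a small inline script that runs before any bundled code, and calls the audit later (for example before a transaction is signed). The stand-in window object and the helper names are constructed for this example.

```javascript
// Added example (not from the advisory or the color-name project): a
// defender-side integrity check for the browser APIs the advisory says the
// malicious bundle hooks: fetch, XMLHttpRequest and window.ethereum.

// True when fn's source text is the browser's "[native code]" stub, i.e. it
// has not been replaced by a JavaScript wrapper. Caveat: Function.prototype
// .bind() also yields "[native code]", so this test alone is not sufficient;
// the identity comparison in auditApis() covers that case.
function isNativeFunction(fn) {
  if (typeof fn !== 'function') return false;
  const src = Function.prototype.toString.call(fn);
  return /\{\s*\[native code\]\s*\}\s*$/.test(src);
}

// Capture references to the APIs of interest. `win` is normally `window`; it
// is a parameter so the check can run against a constructed object in tests.
function snapshotApis(win) {
  const xhr = win.XMLHttpRequest;
  return {
    fetch: win.fetch,
    xhrOpen: xhr && xhr.prototype.open,
    xhrSend: xhr && xhr.prototype.send,
    // window.ethereum.request is ordinary JavaScript injected by the wallet
    // extension, so it is compared by identity only, never by "nativeness".
    ethRequest: win.ethereum && win.ethereum.request,
  };
}

// Compare the live APIs against the earlier snapshot. Returns a list of
// findings; an empty list means nothing visible to us has been replaced.
function auditApis(win, baseline) {
  const now = snapshotApis(win);
  const findings = [];
  for (const key of ['fetch', 'xhrOpen', 'xhrSend', 'ethRequest']) {
    if (baseline[key] !== undefined && now[key] !== baseline[key]) {
      findings.push({ api: key, reason: 'replaced since snapshot' });
    }
  }
  // fetch and the XHR methods are browser built-ins and must read as native.
  for (const key of ['fetch', 'xhrOpen', 'xhrSend']) {
    if (now[key] !== undefined && !isNativeFunction(now[key])) {
      findings.push({ api: key, reason: 'not native code' });
    }
  }
  return findings;
}

// Constructed stand-in for a browser window so the block runs under Node:
// Array.prototype.push plays the role of a native built-in.
function makeFakeWindow() {
  const nativeFn = Array.prototype.push;
  function XMLHttpRequest() {}
  XMLHttpRequest.prototype.open = nativeFn;
  XMLHttpRequest.prototype.send = nativeFn;
  return {
    fetch: nativeFn,
    XMLHttpRequest,
    ethereum: { request: async () => ({ result: 'constructed' }) },
  };
}

// Demonstration: a clean window passes; one whose fetch has been wrapped by a
// plain JavaScript function (standing in for any injected hook) is flagged
// twice, once for identity and once for no longer being native code.
function demo() {
  const win = makeFakeWindow();
  const baseline = snapshotApis(win);
  const clean = auditApis(win, baseline);
  const original = win.fetch;
  win.fetch = function wrapped(...args) { return original.apply(this, args); };
  const tampered = auditApis(win, baseline);
  return { clean, tampered };
}

console.log(JSON.stringify(demo()));
```

The snapshot must be taken before the application bundle executes; a hook installed earlier than the snapshot is invisible to the identity check, which is why the native-code test is kept as a second, independent signal for the built-ins.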

Remediation

Users should update to 'color-name' version 2.0.2, delete the 'node_modules' directory, clear the package manager's global cache, and rebuild all browser bundles from scratch. Operators of private registries or mirrors should purge the compromised version from their caches.
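Before and after carrying out these steps it is worth confirming, from the lockfile rather than from memory, whether the compromised release was ever resolved into the dependency tree, including as a transitive dependency nested under another package. The following Node.js helper is an added example, not code from the advisory or the color-name project. It reads the two npm lockfile layouts (lockfileVersion 2/3 with a "packages" map keyed by install path, and lockfileVersion 1 with nested "dependencies") and reports every 'color-name' occurrence, marking the 2.0.1 entries the advisory identifies as compromised. The sample lockfiles embedded below are constructed for this example.

```javascript
// Added example (not from the advisory or the color-name project): scan an
// npm lockfile for the compromised color-name release before remediating.

// The advisory names 2.0.1 as the compromised release and 2.0.2 as the fix.
const COMPROMISED = { name: 'color-name', version: '2.0.1' };

// Walk a parsed lockfile and return every color-name occurrence with its
// install path and version, flagging the ones that match the bad release.
function findColorName(lock) {
  const hits = [];
  if (lock.packages) {
    // lockfileVersion 2/3: keys look like
    // "node_modules/chalk/node_modules/color-name"; the last segment after the
    // final "node_modules/" is the package name.
    for (const [path, entry] of Object.entries(lock.packages)) {
      if (path.split('node_modules/').pop() === COMPROMISED.name) {
        hits.push({ path, version: entry.version });
      }
    }
  } else if (lock.dependencies) {
    // lockfileVersion 1: nested "dependencies" objects keyed by package name.
    const walk = (deps, prefix) => {
      for (const [name, entry] of Object.entries(deps)) {
        const path = `${prefix}node_modules/${name}`;
        if (name === COMPROMISED.name) hits.push({ path, version: entry.version });
        if (entry.dependencies) walk(entry.dependencies, `${path}/`);
      }
    };
    walk(lock.dependencies, '');
  }
  return hits.map(h => ({ ...h, compromised: h.version === COMPROMISED.version }));
}

// Convenience predicate for CI gates: does this lockfile pin the bad release?
function lockHasCompromised(lock) {
  return findColorName(lock).some(h => h.compromised);
}

// Read and scan a lockfile on disk (require is resolved lazily so the helper
// functions above can also be loaded where CommonJS is unavailable).
function scanLockfile(filePath) {
  const fs = require('fs');
  return findColorName(JSON.parse(fs.readFileSync(filePath, 'utf8')));
}

// Constructed sample: lockfileVersion 3 with a direct 2.0.1 install and an
// unaffected 1.1.4 nested under another package.
const SAMPLE_LOCK_V3 = {
  name: 'demo-app',
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', dependencies: { chalk: '^4.0.0', 'color-name': '^2.0.0' } },
    'node_modules/color-name': { version: '2.0.1' },
    'node_modules/chalk': { version: '4.1.2' },
    'node_modules/chalk/node_modules/color-name': { version: '1.1.4' },
  },
};

// Constructed sample: lockfileVersion 1 where 2.0.1 only appears transitively.
const SAMPLE_LOCK_V1 = {
  lockfileVersion: 1,
  dependencies: {
    chalk: { version: '4.1.2', dependencies: { 'color-name': { version: '2.0.1' } } },
  },
};

// Command-line use: node scan-color-name.js package-lock.json
// Exits non-zero when the compromised release is present so CI can block.
if (typeof require !== 'undefined' && require.main === module) {
  const file = process.argv[2] || 'package-lock.json';
  const hits = scanLockfile(file);
  for (const h of hits) {
    console.log(`${h.compromised ? 'COMPROMISED' : 'ok         '} ${h.path} ${h.version}`);
  }
  process.exit(hits.some(h => h.compromised) ? 1 : 0);
}
```

A compromised hit means the package manager cache and any bundle built from that tree must be treated as tainted: remove 'node_modules', run `npm cache clean --force`, pin 'color-name' to 2.0.2, reinstall, and rebuild every browser bundle. Because the scan only covers what the lockfile recorded, projects that install without a lockfile should instead inspect the installed tree directly (for example with `npm ls color-name`).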

Added: Sep 15, 2025, 10:14 PM
Updated: Sep 15, 2025, 10:14 PM

Vulnerability Rating (Custom Algorithm)

  spread           7.8
  impact           6.7
  exploitability   5.8
  remediation      7.7
  relevance        0.5
  threat           6.4
  urgency         10.0
  incentive        0.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.