Qix-/debug
cpe:2.3:a:debug_project:debug:*:*:*:*:node.js:*:*
- >= 4.4.0, <= 4.4.2
A vulnerability has been identified in the 'color-convert' npm package, specifically in version 3.1.1, following a takeover of the package author's account via a phishing attack. The compromised version was published on September 8, 2025, and includes a malware payload that redirects cryptocurrency transactions to the attacker's wallets. This malicious code operates in browser environments, intercepting and altering transaction data before it is signed, effectively hijacking the funds. The attack targets wallets and transactions on various blockchains, including Ethereum, Bitcoin, Solana, Tron, Litecoin, and Bitcoin Cash.
The vulnerability allows for unauthorized interception and manipulation of cryptocurrency transactions, redirecting funds from the victim's wallet to the attacker's wallet. This is achieved by hijacking standard web APIs and wallet provider interfaces, such as MetaMask and Phantom.
The vulnerability can be reproduced by including the 'color-convert' package version 3.1.1 in a project that is then bundled and run in a browser environment. The malware will activate by hooking into the Ethereum wallet provider, intercepting transaction requests, and replacing recipient addresses with those controlled by the attacker.
Users should update to 'color-convert' version 3.1.2, remove the 'node_modules' directory, clean the package manager's global cache, and rebuild any browser bundles from scratch. Those using private registries should purge the compromised version from their cache.
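To confirm whether a project still resolves the compromised release before cleaning and rebuilding, the lockfile can be scanned directly. The following is an added example, not code from the advisory or the package maintainers; `findCompromised`, `COMPROMISED` and both sample lockfiles are hypothetical names and constructed data, and only the package name and version come from the text above.

```javascript
// Added example: flagged versions taken from the advisory text above.
const COMPROMISED = new Map([["color-convert", new Set(["3.1.1"])]]);

// Return [{name, version, path}] for each flagged package in a parsed
// package-lock.json. Handles lockfileVersion 2/3 ("packages" map keyed by
// install path) and lockfileVersion 1 (nested "dependencies" tree).
function findCompromised(lock, flagged = COMPROMISED) {
  const hits = [];
  const check = (name, version, path) => {
    const bad = flagged.get(name);
    if (bad && bad.has(version)) hits.push({ name, version, path });
  };

  if (lock.packages) {
    for (const [path, meta] of Object.entries(lock.packages)) {
      if (!path) continue; // "" is the root project itself
      // "node_modules/a/node_modules/@scope/b" -> "@scope/b";
      // meta.name is set when the entry is installed under an alias.
      const idx = path.lastIndexOf("node_modules/");
      const name = meta.name || (idx >= 0 ? path.slice(idx + 13) : path);
      check(name, meta.version, path);
    }
    return hits;
  }

  // lockfileVersion 1: transitive copies are nested under their parent.
  const walk = (deps, trail) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const path = trail + "node_modules/" + name;
      check(name, meta.version, path);
      walk(meta.dependencies, path + "/");
    }
  };
  walk(lock.dependencies, "");
  return hits;
}

// Constructed sample lockfiles (not taken from any real project).
const SAMPLE_V3 = { lockfileVersion: 3, packages: {
  "": { name: "demo-app", version: "1.0.0" },
  "node_modules/color-convert": { version: "3.1.2" },
  "node_modules/ansi-styles/node_modules/color-convert": { version: "3.1.1" },
} };
const SAMPLE_V1 = { lockfileVersion: 1, dependencies: {
  "ansi-styles": { version: "6.2.1",
    dependencies: { "color-convert": { version: "3.1.1" } } },
} };

console.log(findCompromised(SAMPLE_V3), findCompromised(SAMPLE_V1));
```

In a real project, pass the result of `JSON.parse` on the contents of `package-lock.json`; a non-empty result means a nested or top-level copy of the flagged version is still pinned and a fresh install would fetch it again.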