[email protected] contains malware after npm account takeover

Impact On 8 September 2025, the npm publishing account for color-string was taken over after a phishing attack. Version 2.1.1 was published, functionally identical to the previous patch version, but with a malware payload added attempting to redirect cryptocurrency transactions to the attacker's...

PT-2025-37742

Name of the Vulnerable Software and Affected Versions: backslash versions prior to 0.2.2 Description: The backslash npm package was compromised through a phishing attack on the publishing account. Version 0.2.1 was published with a malicious payload designed to redirect cryptocurrency transaction...