CVE-2025-59038
Description
Prebid.js is a free and open source library for publishers to quickly implement header bidding. NPM users of prebid 10.9.2 may have been briefly compromised by a malware campaign. The malicious code attempts to redirect crypto transactions on the site to the attackers' wallet. Version 10.10.0 fixes the issue. As a workaround, it is also possible to downgrade to 10.9.1.
Related Vulnerabilities
DuckDB is an analytical in-process SQL database management system. On 08 September 2025, the DuckDB distribution for Node.js on npm …
Prebid Universal Creative (PUC) is a JavaScript API to render multiple formats. Npm users of PUC 1.17.3 or PUC latest …
backslash parses collected strings with escapes. On 8 September 2025, the npm publishing account for backslash was taken over after …
simple-swizzle swizzles function arguments. On 8 September 2025, the npm publishing account for simple-swizzle was taken over after a phishing …
color-string is a parser and generator for CSS color strings. On 8 September 2025, the npm publishing account for color-string …
color is a JavaScript color conversion and manipulation library. On 8 September 2025, the npm publishing account for color was …