GHSA-M662-56RJ-8FMM

Vulnerability from github – Published: 2025-09-11 14:24 – Updated: 2025-09-11 14:24
VLAI?
Summary
Prebid-universal-creative latest on npm briefly compromised
Details

Impact

Npm users of PUC 1.17.3 or PUC latest were briefly affected by crypto-related malware detailed in the blog post below. This includes the extremely popular jsdelivr hosting of this file.

Patches

We unpublished the version on npm.

Workarounds

This has already been unpublished. See Prebid.js 9 release notes for suggestions on moving off the deprecated workflow of using the PUC or pointing to a dynamic version of it. PUC users pointing to latest should transition to 1.17.2 ASAP to avoid similar attacks in the future.

References

https://www.sonatype.com/blog/npm-chalk-and-debug-packages-hit-in-software-supply-chain-attack

Severity ?
9.3 (Critical)
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Show details on source website
To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "prebid-universal-creative"
      },
      "versions": [
        "1.17.3"
      ]
    }
  ],
  "aliases": [
    "CVE-2025-59039"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-506"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-09-11T14:24:37Z",
    "nvd_published_at": "2025-09-09T23:15:37Z",
    "severity": "CRITICAL"
  },
  "details": "### Impact\nNpm users of PUC 1.17.3 or PUC latest were briefly affected by crypto-related malware detailed in the blog post below. This includes the extremely popular jsdelivr hosting of this file. \n\n### Patches\nWe unpublished the version on npm.\n\n### Workarounds\nThis has already been unpublished. See Prebid.js 9 release notes for suggestions on moving off the deprecated workflow of using the PUC or pointing to a dynamic version of it. PUC users pointing to latest should transition to 1.17.2 ASAP to avoid similar attacks in the future.\n\n### References\nhttps://www.sonatype.com/blog/npm-chalk-and-debug-packages-hit-in-software-supply-chain-attack",
  "id": "GHSA-m662-56rj-8fmm",
  "modified": "2025-09-11T14:24:37Z",
  "published": "2025-09-11T14:24:37Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/prebid/prebid-universal-creative/security/advisories/GHSA-m662-56rj-8fmm"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-59039"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/prebid/prebid-universal-creative"
    },
    {
      "type": "WEB",
      "url": "https://www.sonatype.com/blog/npm-chalk-and-debug-packages-hit-in-software-supply-chain-attack"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Prebid-universal-creative latest on npm briefly compromised"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.