High severity · NVD Advisory · Published Sep 9, 2025 · Updated Apr 15, 2026
CVE-2025-59038
This CVE describes malicious code, not an ordinary vulnerability.
- npm / prebid.js: Prebid.js NPM package briefly compromised
- npm / prebid.js: Malicious code in prebid.js (npm)
If you have any of these packages installed, remove the affected version and rotate any credentials the environment that installed it could have accessed. Because the payload runs in the browsers of visitors to the site that bundles prebid.js, also rebuild and redeploy any site bundles that were produced from the affected version. See the malware feed for full details.
Description
Prebid.js is a free and open source library for publishers to quickly implement header bidding. NPM users of prebid 10.9.2 may have been briefly compromised by a malware campaign. The malicious code attempts to redirect crypto transactions on the site to the attackers' wallet. Version 10.10.0 fixes the issue. As a workaround, it is also possible to downgrade to 10.9.1.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| prebid.js | npm | >= 10.9.2, < 10.10.0 | 10.10.0 |
References (6)
- GitHub Advisory Database entry GHSA-jwq7-6j4r-2f92: https://github.com/advisories/GHSA-jwq7-6j4r-2f92
- NVD entry: https://nvd.nist.gov/vuln/detail/CVE-2025-59038
- Fix commit in prebid/Prebid.js: https://github.com/prebid/Prebid.js/commit/72c7f184028f51ba15cdac744d56590b0f2b1f1e
- Prebid.js 10.10.0 release: https://github.com/prebid/Prebid.js/releases/tag/10.10.0
- Repository security advisory: https://github.com/prebid/Prebid.js/security/advisories/GHSA-jwq7-6j4r-2f92
- Sonatype blog on the wider npm supply-chain attack that hit chalk and debug: https://www.sonatype.com/blog/npm-chalk-and-debug-packages-hit-in-software-supply-chain-attack