npm package
color
pkg:npm/color
Malware
3 malicious versions on record
One or more versions of this package have been flagged as containing malicious code. Audit any system that installed an affected version.
- GHSA-qrmh-qg46-72pp: color@5.0.1 contains malware after npm account takeover (Sep 15, 2025)
- MAL-2025-46985: Malicious code in color (npm) (Sep 8, 2025)
- GHSA-j8fv-6x8p-p766: Duplicate Advisory: Malware in color (Sep 8, 2025)
Vulnerabilities (1)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2025-59143 | High | — | | >= 5.0.1, < 5.0.2 | 5.0.2 | Sep 15, 2025 | color is a JavaScript color conversion and manipulation library. On 8 September 2025, the npm publishing account for color was taken over after a phishing attack. Version 5.0.1 was published, functionally identical to the previous patch version, but with a malware payload added a |