npm package
color-convert
pkg:npm/color-convert
Malware
3 malicious versions on record
One or more versions of this package have been flagged as containing malicious code. Audit any system that installed an affected version.
- GHSA-pxx3-g568-hxr4: color-convert@3.1.1 contains malware after npm account takeover (Sep 15, 2025)
- MAL-2025-46971: Malicious code in color-convert (npm) (Sep 8, 2025)
- GHSA-ch7m-m9rf-8gvv: Duplicate Advisory: Malware in color-convert (Sep 8, 2025)
Vulnerabilities (1)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2025-59162 | High | — | | >= 3.1.1, < 3.1.2 | 3.1.2 | Sep 15, 2025 | color-convert provides plain color conversion functions in JavaScript. On 8 September 2025, the npm publishing account for color-convert was taken over after a phishing attack. Version 3.1.1 was published, functionally identical to the previous patch version, but with a malware p |