npm package
color-string
pkg:npm/color-string
Malware
3 malicious versions on record
One or more versions of this package have been flagged as containing malicious code. Audit any system that installed an affected version.
- GHSA-286p-vc9p-p5qv: color-string@2.1.1 contains malware after npm account takeover (Sep 15, 2025)
- MAL-2025-46973: Malicious code in color-string (npm) (Sep 8, 2025)
- GHSA-3q87-f72r-3gm6: Duplicate Advisory: Malware in color-string (Sep 8, 2025)
Vulnerabilities (2)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2025-59142 | High | — | — | >= 2.1.1, < 2.1.2 | 2.1.2 | Sep 15, 2025 | color-string is a parser and generator for CSS color strings. On 8 September 2025, the npm publishing account for color-string was taken over after a phishing attack. Version 2.1.1 was published, functionally identical to the previous patch version, but with a malware payload add |
| CVE-2021-29060 | — | — | — | < 1.5.5 | 1.5.5 | Jun 21, 2021 | A Regular Expression Denial of Service (ReDOS) vulnerability was discovered in Color-String version 1.5.5 and below which occurs when the application is provided and checks a crafted invalid HWB string. |