VYPR

npm package

color-string

pkg:npm/color-string

Malware

3 malicious versions on record

One or more versions of this package have been flagged as containing malicious code. Audit any system that installed an affected version.

Vulnerabilities (2)

  • CVE-2025-59142 (High), Sep 15, 2025
    affected >= 2.1.1, < 2.1.2; fixed 2.1.2

    color-string is a parser and generator for CSS color strings. On 8 September 2025, the npm publishing account for color-string was taken over after a phishing attack. Version 2.1.1 was published, functionally identical to the previous patch version, but with a malware payload add

  • CVE-2021-29060, Jun 21, 2021
    affected < 1.5.5; fixed 1.5.5

    A Regular Expression Denial of Service (ReDoS) vulnerability was discovered in Color-String version 1.5.5 and below. It occurs when the application is given a crafted invalid HWB string and checks it.