Description
Prebid.js NPM package briefly compromised
Impact
NPM users of prebid.js 10.9.2. The malicious code attempts to redirect cryptocurrency transactions on the site to the attackers' wallet.
Patches
Fixed in 10.10.0.
References
https://www.sonatype.com/blog/npm-chalk-and-debug-packages-hit-in-software-supply-chain-attack
Links
- https://github.com/prebid/Prebid.js/security/advisories/GHSA-jwq7-6j4r-2f92
- https://nvd.nist.gov/vuln/detail/CVE-2025-59038
- https://github.com/prebid/Prebid.js/commit/72c7f184028f51ba15cdac744d56590b0f2b1f1e
- https://github.com/prebid/Prebid.js/releases/tag/10.10.0
- https://www.sonatype.com/blog/npm-chalk-and-debug-packages-hit-in-software-supply-chain-attack
Packages
Name: prebid.js (npm)
Affected versions: = 10.9.2
Fix version: 10.10.0
Related vulnerabilities
nvd
5 months ago
Prebid.js is a free and open source library for publishers to quickly implement header bidding. NPM users of prebid 10.9.2 may have been briefly compromised by a malware campaign. The malicious code attempts to redirect crypto transactions on the site to the attackers' wallet. Version 10.10.0 fixes the issue. As a workaround, it is also possible to downgrade to 10.9.1.