CVE-2025-59038: Prebid.js NPM package briefly compromised
NPM users of prebid 10.9.2. The malicious code attempts to redirect crypto transactions on the site to the attackers’ wallet.
References
- github.com/advisories/GHSA-jwq7-6j4r-2f92
- github.com/prebid/Prebid.js
- github.com/prebid/Prebid.js/commit/72c7f184028f51ba15cdac744d56590b0f2b1f1e
- github.com/prebid/Prebid.js/releases/tag/10.10.0
- github.com/prebid/Prebid.js/security/advisories/GHSA-jwq7-6j4r-2f92
- nvd.nist.gov/vuln/detail/CVE-2025-59038
- www.sonatype.com/blog/npm-chalk-and-debug-packages-hit-in-software-supply-chain-attack
Code Behaviors & Features
Detect and mitigate CVE-2025-59038 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →