npm debug, color-convert, backslash, error-ex, simple-swizzle, is-arrayish, color-name, color-string have incorrect wildcard version in their malware advisory (2025-09-08)

[marcalexiei]

Package	Version affected	Issue / reference	Advisory
debug	4.4.2	debug-js/debug#1005	GHSA-8mgj-vmr8-frr6
color-convert	3.1.1	https://github.com/Qix-/color-convert/issues/121	GHSA-ch7m-m9rf-8gvv
backslash	0.2.1	https://github.com/Qix-/node-backslash/issues/5	GHSA-m2xf-jp99-f298
error-ex	1.3.3	https://github.com/Qix-/node-error-ex/issues/17	GHSA-5g7q-qh7p-jjvm
simple-swizzle	0.2.3	https://www.npmjs.com/package/simple-swizzle/v/0.2.3?activeTab=code index.js#6 (not present in 0.2.2) (I already reported the malicious code to NPM)	GHSA-wwpx-h6g5-c7x6
is-arrayish	0.3.3 (?)	https://www.npmjs.com/package/is-arrayish?activeTab=code no malicious code in index.js, probably already unpublished	GHSA-hfm8-9jrf-7g9w
color-name	2.0.1 (?)	https://www.npmjs.com/package/color-name?activeTab=code no malicious code in index.js, probably already unpublished	GHSA-m99c-cfww-cxqx
color-string	2.1.1 (?)	https://www.npmjs.com/package/color-string?activeTab=code no malicious code in index.js, probably already unpublished	GHSA-3q87-f72r-3gm6

[jmsaucier]

Since this is such a wide-spread issue, what is the normal escalation process for this?

Like us, I'm sure many people have CI/CD with npm audit failing now because the versions are wrong in the advisory.

[jmsaucier]

@marcalexiei here's a list published here, I'm wondering how it compares to the list you're compiling.

https://www.aikido.dev/blog/npm-debug-and-chalk-packages-compromised

Here's the list from junon:

https://news.ycombinator.com/item?id=45169794

[WxTaco]

This version has been taken down, it's no longer in the NPM registry from what I can see.

[WxTaco]

The compromised version of debug, that is.

[mainfraame]

what's up with the incorrect versions being marked in here for >=0. it's not correct

[marcalexiei]

@jmsaucier I used https://github.com/advisories?query=type%3Amalware and reviewed all the dependencies opened today.
1 hour ago they were 8 advisories (the one you can see in the issue description).

Now there are 10 more:

1. chalk-template
2. supports-hyperlinks
3. has-ansi
4. slice-ansi
5. wrap-ansi
6. ansi-regex
7. supports-color
8. strip-ansi
9. chalk
10. ansi-styles

The list you are referring is probably coming from the comment on debug package issue:

• (RESOLVED) Version 4.4.2 published to npm is compromised debug-js/debug#1005 (comment)

[Kathalysth]

I have just spent the past 1 hour wondering why i have over 200 critical vulnerabilities.
wheew, is there any way to de-escalate the issue?

[M4XX1ME]

Hi guys. Thanks for your efforts. I am new with this. What should be done if we are using these packages ? Make sure to have the latest versions of each or go back to an older safe version ?

[marcalexiei]

debug, color-convert, error-ex, backslash advisories now have the correct version set.
I guess they are updating them right now.