GHSA-m662-56rj-8fmm

Suggest an improvement
Source
https://github.com/advisories/GHSA-m662-56rj-8fmm
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/09/GHSA-m662-56rj-8fmm/GHSA-m662-56rj-8fmm.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-m662-56rj-8fmm
Aliases
  • CVE-2025-59039
Published
2025-09-11T14:24:37Z
Modified
2025-09-11T14:44:50.514697Z
Severity
  • 9.3 (Critical) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N CVSS Calculator
Summary
Prebid-universal-creative latest on npm briefly compromised
Details

Impact

Npm users of PUC 1.17.3 or PUC latest were briefly affected by crypto-related malware detailed in the blog post below. This includes the extremely popular jsdelivr hosting of this file.

Patches

We unpublished the version on npm.

Workarounds

This has already been unpublished. See Prebid.js 9 release notes for suggestions on moving off the deprecated workflow of using the PUC or pointing to a dynamic version of it. PUC users pointing to latest should transition to 1.17.2 ASAP to avoid similar attacks in the future.

References

https://www.sonatype.com/blog/npm-chalk-and-debug-packages-hit-in-software-supply-chain-attack

Database specific 
{
    "github_reviewed_at": "2025-09-11T14:24:37Z",
    "github_reviewed": true,
    "severity": "CRITICAL",
    "nvd_published_at": "2025-09-09T23:15:37Z",
    "cwe_ids": [
        "CWE-506"
    ]
}
References

Affected packages

npm / prebid-universal-creative

Package

Name
prebid-universal-creative
View open source insights on deps.dev
Purl
pkg:npm/prebid-universal-creative

Affected ranges

Affected versions

1.*
1.17.3

Database specific

source 
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/09/GHSA-m662-56rj-8fmm/GHSA-m662-56rj-8fmm.json"