CVE-2025-59039

Description

### Impact Npm users of PUC 1.17.3 or PUC latest were briefly affected by crypto-related malware detailed in the blog post below. This includes the extremely popular jsdelivr hosting of this file. ### Patches We unpublished the version on npm. ### Workarounds This has already been unpublished. See Prebid.js 9 release notes for suggestions on moving off the deprecated workflow of using the PUC or pointing to a dynamic version of it. PUC users pointing to latest should transition to 1.17.2 ASAP to avoid similar attacks in the future. ### References https://www.sonatype.com/blog/npm-chalk-and-debug-packages-hit-in-software-supply-chain-attack

How to fix CVE-2025-59039

No fixed version has been published yet. Mitigate by removing the affected package or applying upstream guidance from the references below.

• —no fix listed

Is CVE-2025-59039 being exploited?

Low — EPSS is 0.1%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

CVSS scores

References (4)

• ADVISORYnvd.nist.gov/vuln/detail/CVE-2025-59039
• PATCHgithub.com/prebid/prebid-universal-creative
• WEBgithub.com/prebid/prebid-universal-creative/security/advisories/GHSA-m662-56rj-8fmm
• WEBwww.sonatype.com/blog/npm-chalk-and-debug-packages-hit-in-software-supply-chain-attack