MetaMask SDK indirectly exposed via malicious debug@4.4.2 dependency

Who is affected?

This advisory only applies to developers who use MetaMask SDK in the browser and who, on Sept 8th 2025 between 13:00–15:30 UTC, performed one of the following actions and then deployed their application:

  • Installed MetaMask SDK into a project with a lockfile for the first time
  • Installed MetaMask SDK in a project without a lockfile
  • Updated a lockfile to pull in debug@4.4.2 (e.g., via npm update or yarn upgrade)

What happened?

On Sept 8th, 2025 (13:00–15:30 UTC), a malicious version of the debug package (v4.4.2) was published to npm. The injected code attempts to interfere with dApp-to-wallet communication when executed in a browser context.

While MetaMask SDK itself was not directly impacted, projects installing the SDK during this window may have inadvertently pulled in the malicious version of debug.

Mitigation

  • If your application was rebuilt and redeployed after Sept 8th, 2025, 15:30 UTC, the malicious version of debug should no longer be present. Please also verify that your package manager (npm, yarn, pnpm, etc.) is not caching debug@4.4.2.
  • If you have not yet deployed since performing one of the actions above, delete your node_modules and reinstall dependencies before deploying.
  • If your application was deployed during the attack window and has not been rebuilt since, perform a clean install of dependencies and redeploy to ensure the malicious package is removed.
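The checks behind the mitigation steps above, as an added example rather than anything from the advisory or from MetaMask SDK: a POSIX shell script that looks for an installed debug@4.4.2 under node_modules and for lockfile entries that would reinstall it on the next build. It assumes the standard node_modules layout and the package-lock, yarn.lock and pnpm-lock.yaml formats; the tree it builds for the demo is constructed.

```shell
# Added example (not part of the advisory or of MetaMask SDK): look for an
# installed debug@4.4.2 and for lockfile entries that would reinstall it.
# Assumes the standard node_modules layout and lockfile formats.

# Print each node_modules/**/debug/package.json at exactly 4.4.2.
# Exit status 0 = at least one hit, 1 = clean.
find_bad_debug() {
  hits=$(find "$1" -path '*/node_modules/debug/package.json' -exec \
    grep -lE '"version"[[:space:]]*:[[:space:]]*"4\.4\.2"' {} + 2>/dev/null)
  [ -n "$hits" ] && printf '%s\n' "$hits"
}

# Report lockfiles (package-lock v1/v2/v3, yarn.lock, pnpm-lock.yaml) that
# pin debug to 4.4.2; a reinstall from such a lockfile would bring it back.
lockfile_pins_bad_debug() {
  dir=$1; rc=1
  if [ -f "$dir/package-lock.json" ] &&
     grep -A3 -E '"(node_modules/([^"]+/)?)?debug"[[:space:]]*:[[:space:]]*[{]' \
       "$dir/package-lock.json" |
     grep -Eq '"version"[[:space:]]*:[[:space:]]*"4\.4\.2"'; then
    echo "package-lock.json pins debug@4.4.2"; rc=0
  fi
  if [ -f "$dir/yarn.lock" ] &&
     grep -A2 -E '^"?debug@' "$dir/yarn.lock" | grep -Eq 'version "4\.4\.2"'; then
    echo "yarn.lock pins debug@4.4.2"; rc=0
  fi
  if [ -f "$dir/pnpm-lock.yaml" ] &&
     grep -Eq '^[[:space:]]*/?debug[@/]4\.4\.2[:(_]' "$dir/pnpm-lock.yaml"; then
    echo "pnpm-lock.yaml pins debug@4.4.2"; rc=0
  fi
  return $rc
}

# Constructed fixture: top-level debug@4.4.2, a nested debug@4.3.4, and a
# package-lock.json (v3 layout) pinning 4.4.2.
build_sample_tree() {
  mkdir -p "$1/node_modules/debug" "$1/node_modules/foo/node_modules/debug"
  printf '{"name":"debug","version":"4.4.2"}\n' > "$1/node_modules/debug/package.json"
  printf '{"name":"debug","version":"4.3.4"}\n' \
    > "$1/node_modules/foo/node_modules/debug/package.json"
  printf '{\n  "packages": {\n    "node_modules/debug": {\n      "version": "4.4.2"\n    }\n  }\n}\n' \
    > "$1/package-lock.json"
}
# Demo on the constructed tree; on a real project run both checks on "."
demo=$(mktemp -d)
build_sample_tree "$demo"
find_bad_debug "$demo"
lockfile_pins_bad_debug "$demo"
rm -rf "$demo"
```

A clean result from both checks still leaves the package manager cache to clear, as the advisory notes; the script only inspects the project tree and its lockfiles.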

Resources

GitHub Advisory for debug