MetaMask SDK indirectly exposed via malicious [email protected] dependency
- Severity: Medium
Description
This advisory only applies to developers who use MetaMask SDK in the browser and who, on Sept 8th 2025 between 13:00–15:30 UTC, performed one of the following actions and then deployed their application:
- Installed MetaMask SDK into a project with a lockfile for the first time
- Installed MetaMask SDK in a project without a lockfile
- Updated a lo
Recommendation
Update the @metamask/sdk-communication-layer package to the latest compatible version. Version details:
- Affected version(s): >= 0.16.0, <= 0.33.0
- Patched version(s): 0.33.1
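To turn the version range above into a concrete check, the following is an added example (not code from MetaMask or from this advisory) that scans an npm `package-lock.json` for `@metamask/sdk-communication-layer` entries whose version falls inside the affected range `>= 0.16.0, <= 0.33.0`. It understands both the flat `packages` map of lockfileVersion 2/3 and the nested `dependencies` tree of lockfileVersion 1, including copies nested under other packages. The sample lockfile embedded at the bottom is constructed for illustration; the package name and version bounds come from the advisory.

```python
"""Scan an npm package-lock.json for affected @metamask/sdk-communication-layer versions.

Added example; the affected range and patched version are taken from the advisory,
the sample lockfile below is constructed.
"""
import json
import sys
from typing import Iterator, List, Tuple

PACKAGE = "@metamask/sdk-communication-layer"
AFFECTED_MIN = (0, 16, 0)   # >= 0.16.0 (advisory)
AFFECTED_MAX = (0, 33, 0)   # <= 0.33.0 (advisory)
PATCHED = (0, 33, 1)        # 0.33.1   (advisory)


def parse_version(ver: str) -> Tuple[int, int, int]:
    """Reduce 'v1.2.3-beta.1+build' to (1, 2, 3).

    Prerelease/build suffixes are dropped so a prerelease of an affected
    version is treated conservatively as affected."""
    core = ver.lstrip("v").split("-", 1)[0].split("+", 1)[0]
    parts = core.split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unexpected version string: {ver!r}")
    return (int(parts[0]), int(parts[1]), int(parts[2]))


def is_affected(ver: str) -> bool:
    """True when ver lies inside the advisory's affected range."""
    return AFFECTED_MIN <= parse_version(ver) <= AFFECTED_MAX


def iter_lock_entries(lock: dict) -> Iterator[Tuple[str, str, str]]:
    """Yield (package name, version, location) for every installed package.

    lockfileVersion 2/3 store a flat 'packages' map keyed by install path;
    lockfileVersion 1 (and, for compatibility, v2) store a nested
    'dependencies' tree. Both are walked; callers de-duplicate."""
    for path, meta in lock.get("packages", {}).items():
        if not path or "version" not in meta:
            continue  # "" is the root project itself
        name = path.rsplit("node_modules/", 1)[-1]
        yield name, meta["version"], path

    def walk(deps: dict, prefix: str) -> Iterator[Tuple[str, str, str]]:
        for name, meta in deps.items():
            loc = f"{prefix}node_modules/{name}"
            if "version" in meta:
                yield name, meta["version"], loc
            yield from walk(meta.get("dependencies", {}), loc + "/")

    yield from walk(lock.get("dependencies", {}), "")


def find_affected(lock: dict) -> List[Tuple[str, str]]:
    """Return sorted, de-duplicated (location, version) pairs that need updating."""
    hits = set()
    for name, ver, loc in iter_lock_entries(lock):
        if name == PACKAGE and is_affected(ver):
            hits.add((loc, ver))
    return sorted(hits)


# Constructed sample: one patched top-level copy and one affected copy
# nested under a hypothetical dependent package named "example-dapp-sdk".
SAMPLE_LOCK = {
    "name": "example-dapp",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "example-dapp", "version": "1.0.0"},
        "node_modules/example-dapp-sdk": {"version": "2.1.0"},
        "node_modules/example-dapp-sdk/node_modules/@metamask/sdk-communication-layer": {
            "version": "0.33.0"
        },
        "node_modules/@metamask/sdk-communication-layer": {"version": "0.33.1"},
    },
}


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            lock = json.load(fh)
    else:
        lock = SAMPLE_LOCK
    for loc, ver in find_affected(lock):
        print(f"AFFECTED {ver:>8}  {loc}")
```

Run it with the path to a project's `package-lock.json` (no argument scans the constructed sample). A hit only means the lockfile pins a version inside the affected range; per the advisory, actual exposure also depends on whether the install or update happened in the Sept 8th 2025 window, so treat hits as "update to 0.33.1 and review the install history" rather than as proof of compromise.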
References
Related Issues
- a12nserver vulnerable to potential SQL Injections via Knex dependency - Vulnerability
- Redwood is vulnerable to account takeover via dbAuth "forgot-password" - Vulnerability
- Malicious Package in coffee-project - Vulnerability
- Malicious Package in angular-location-update - Vulnerability
Tags: npm, @metamask/sdk-communication-layer
Last updated on September 15, 2025