MetaMask SDK indirectly exposed via malicious debug@4.4.2 dependency
Who is affected? This advisory only applies to developers who use MetaMask SDK in the browser and who, on Sept 8th 2025 between 13:00–15:30 UTC, performed one of the following actions and then deployed their application: Installed MetaMask SDK into a project with a lockfile for the first time Installed MetaMask SDK in a project without a lockfile Updated a lockfile to pull in debug@4.4.2 (e.g., via npm update or …