(RESOLVED) Version 4.4.2 published to npm is compromised

debug-js / debug Public

Notifications You must be signed in to change notification settings
Fork 961
Star 11.4k

Code
Issues 63
Pull requests 21
Actions
Security
Insights

New issue

Open

MetaMask/metamask-sdk

#1342

Description

Informatic

opened

on Sep 8, 2025

MESSAGE FROM @Qix- : PLEASE SEE #1005 (comment) FOR LATEST UPDATES.

Version not present in this repo has been pushed out to npm.
https://www.npmjs.com/package/debug/v/4.4.2?activeTab=code
src/index.js seems to contain ~~a cryptominer installer~~ something like a cryptostealer?
My brain is too foggy to figure out, but seems as if most of the payload doesn't actually run if typeof window == undefined as is the case in NodeJS runtime?

Metadata

Assignees

No one assigned

Labels

No labels

Type

No type

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

(RESOLVED) Version 4.4.2 published to npm is compromised

Navigation Menu

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Description

MESSAGE FROM @Qix- : PLEASE SEE #1005 (comment) FOR LATEST UPDATES.

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions