77 matches found
MAL-2025-1902 Malicious code in metamask-sdk-e2e (npm)
MAL-2025-1533 Malicious code in metamask-design-tokens-tailwind (npm)
This package runs commands in a pre-install script that exfiltrates sensitive data to an attacker-controlled domain. Source: ghsa-malware 4376a3d800319e2df7e817984307b066ba79cc3b9f0785a2899c7c6deaf11083 Any computer that has this package install...
MAL-2025-1525 Malicious code in metamask-sdk-create-react-app (npm)
This package runs commands in a pre-install script that exfiltrates sensitive data to an attacker-controlled domain. Source: ghsa-malware ed98a81fafea025740493667412dfaf8dd28cd12988fabdf1118a1765a12733d Any computer that has this package install...
MAL-2025-1148 Malicious code in metamask-sdk-monorepo (npm)
Source: ghsa-malware 563827ad840866efcd9358d913c0a4e28044e336ac6d4ebc9a33c631afd70ed4 Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
MAL-2024-11385 Malicious code in metamask-extension-generate-attributions (npm)
MetaMask: Missing ^ Line Beginner Leads to Origin Spoofing
The vulnerability was identified in MetaMask's regex-based origin validation for endowments. Due to a missing caret ^ anchor at the beginning of the regex pattern, origin spoofing was possible. This oversight allowed malicious domains to be treated as trusted, bypassing intended security...
New macOS Malware "Cthulhu Stealer" Targets Apple Users' Data
Cybersecurity researchers have uncovered a new information stealer that's designed to target Apple macOS hosts and harvest a wide range of information, underscoring how threat actors are increasingly setting their sights on the operating system. Dubbed Cthulhu Stealer, the malware has been...
MetaMask: Missing Line Terminator on allowedOrigins enables origin spoofing
The vulnerability identified by @pkkr was related to the Snaps allowedOrigins functionality, which allows Snap developers to control which origins can interact with certain Snap APIs. Due to a missing regex terminator, the origin control could be bypassed, enabling a malicious domain to access...
MAL-2024-4544 Malicious code in MetаMаsk.Blazor (NuGet)
Fake Lawsuit Threat Exposes Privnote Phishing Sites
A cybercrook who has been setting up websites that mimic the self-destructing message service privnote.com accidentally exposed the breadth of their operations recently when they threatened to sue a software company. The disclosure revealed a profitable network of phishing sites that behave and...
MetaMask: total Failure of password protection while extracting seed phrase! increases attack surface area for scammers
The MetaMask browser extension UI was able to access a user's seed phrase without requiring password confirmation, which violated expected security boundaries between the UI and background process. The issue was resolved in MetaMask Extension version 11.7.1, which now enforces password confirmati...
Steer clear of cryptocurrency recovery phrase scams
The dangers of cryptocurrency phishing are back in the news, after tech investor Mark Cuban was reported to have lost around $870k via a phishing link. Cuban lost a combination of coin types as asset movement flagged up after months of inactivity from his wallet. Cuban discovered some of the...
Experts Fear Crooks are Cracking Keys Stolen in LastPass Breach
In November 2022, the password manager service LastPass disclosed a breach in which hackers stole password vaults containing both encrypted and plaintext data for more than 25 million users. Since then, a steady trickle of six-figure cryptocurrency heists targeting security-conscious people...
@aprilsacil/wallet (>=0.1.36 <=0.1.51), @bosonprotocol/react-kit (>=0.1.0-alpha.0 <=0.1.0-alpha.2) +43 more potentially affected by CVE-2023-30543 via @web3-react/metamask (>=8.0.14-beta.0 <=8.0.28-beta.0)
@web3-react/metamask NPM version =8.0.14-beta.0, =0.1.36, =0.1.0-alpha.0, =0.0.46, =0.0.70, =1.0.0, =1.0.0, =0.0.1, =1.1.0, =0.0.3, =1.0.0, =1.0.0, =0.0.6-alpha.0, =0.0.12 - @huma-finance/widgets =0.0.6-alpha.0 and more Source cves: CVE-2023-30543 Source advisory: OSV:GHSA-8PF3-6FGR-3G3G...
MetaMask: MetaMask Browser (on Android) does not enforce Content-Security-Policy header
The MetaMask Mobile browser was discovered to ignore Content-Security-Policy headers set by websites, allowing potential execution of scripts that should have been blocked. The issue was caused by an error in how the application handled web requests while trying to ensure the MetaMask JavaScript...
MetaMask: Arbitrary file write triggered by deeplink abuse - MetaMask Android
A vulnerability was discovered in the MetaMask Android app that allowed for arbitrary files to be written to disk. Attackers were able to exploit this vulnerability by deeplinking into MetaMask's in-app browser and triggering the immediate download of an attacker-supplied file. Users were not...