4 matches found
Embedded Malicious Code
Overview: @duckdb/node-api is an API for using DuckDB in Node. Affected versions of this package are vulnerable to Embedded Malicious Code. This package version contains malicious code that monitors network traffic when run in a browser and targets crypto transactions. The injected malicious code...
@argilzar/cli-plugin-export-parquet (>=1.0.4 <=1.3.4), @chainbound/payflow-mcp (>=0.0.1 <=0.0.2) +37 more potentially affected by unknown CVE via @duckdb/node-api (>=1.1.3-alpha.12 <=1.3.2-alpha.26)
@duckdb/node-api NPM version: =1.1.3-alpha.12, =1.0.4, =0.0.1, =1.0.2, =1.0.1, =1.6.0, =1.0.2, =0.0.1, =0.1.0, =1.2.1, =1.0.0, =0.2.0, =1.0.0, =1.0.7 and more. Source CVEs: unknown CVE. Source advisory: OSV:MAL-2025-46992...
MAL-2025-46992 Malicious code in @duckdb/node-api (npm)
The DuckDB Node.js package @duckdb/node-api version 1.3.3 was compromised with malware through a sophisticated phishing attack targeting the DuckDB maintainers. An attacker created a pixel-perfect copy of the npmjs.com website at the npmjs.help domain and tricked a maintainer into logging in and...
Embedded Malicious Code
Overview: @duckdb/node-api is an API for using DuckDB in Node. Affected versions of this package are vulnerable to Embedded Malicious Code. This package version contains malicious code that monitors network traffic when run in a browser and targets crypto transactions. The injected malicious code...