Lucene search

5 matches found

Github Security Blog
added 2025/09/09 2:39 p.m., 14 views

DuckDB NPM packages 1.3.3 and 1.29.2 briefly compromised with malware

The DuckDB distribution for Node.js on npm was compromised with malware along with several other packages. An attacker published new versions of four of duckdb’s packages that included malicious code to interfere with cryptocoin transactions. The following packages and versions are affected: -...

CVSS 8.6, AI score 7.3, EPSS 0.00349
Exploits: 0, References: 5, Affected Software: 4
OSV
added 2025/09/09 10:30 a.m., 3 views

MAL-2025-46991 Malicious code in @duckdb/duckdb-wasm (npm)

The DuckDB Node.js package @duckdb/duckdb-wasm version 1.29.2 was compromised with malware through a sophisticated phishing attack targeting the DuckDB maintainers. An attacker created a pixel-perfect copy of the npmjs.com website at npmjs.help domain and tricked a maintainer into logging in and...

AI score 7.2
Exploits: 0, References: 1
OSSF Malicious Packages
added 2025/09/09 10:30 a.m., 2 views

Malicious code in @duckdb/duckdb-wasm (npm)

The DuckDB Node.js package @duckdb/duckdb-wasm version 1.29.2 was compromised with malware through a sophisticated phishing attack targeting the DuckDB maintainers. An attacker created a pixel-perfect copy of the npmjs.com website at npmjs.help domain and tricked a maintainer into logging in and...

AI score 7.2
Exploits: 0, References: 1
CNNVD
added 2025/09/09 12:0 a.m., 3 views

DuckDB Security Vulnerability

DuckDB is an in-process SQL OLAP database management system from DuckDB open source. A security vulnerability exists in DuckDB that stems from malicious code being planted in npm packages that could interfere with cryptocurrency transactions. The following products and versions are affected: duck...

CVSS 8.6, AI score 7.2, EPSS 0.00349
Exploits: 0, References: 4
Snyk
added 2025/09/08 2:26 p.m., 3 views

Embedded Malicious Code

Overview @duckdb/duckdb-wasm is an in-process analytical SQL database for the browser. It is powered by WebAssembly, speaks Arrow fluently, reads Parquet, CSV and JSON files backed by Filesystem APIs or HTTP requests and has been tested with Chrome, Firefox, Safari and Node.js. Affected versions ...

CVSS 9.8, AI score 7.6
Exploits: 0, References: 2