DuckDB NPM packages 1.3.3 and 1.29.2 compromised with malware
a day ago
- #phishing
- #npm
- #security
- DuckDB's Node.js and WASM packages on npm were published with malware that hijacks cryptocurrency transactions.
- Affected packages: @duckdb/node-api@1.3.3, @duckdb/node-bindings@1.3.3, duckdb@1.3.3, and @duckdb/duckdb-wasm@1.29.2.
- No downloads of the malicious versions were recorded before deprecation.
- DuckDB maintainers deprecated the affected versions and released clean replacements (1.3.4 and 1.30.0, superseding 1.3.3 and 1.29.2 respectively).
- The compromise began with a phishing attack: a fake npm site at npmjs.help captured a maintainer's login credentials.
- The attackers used the stolen credentials to publish the malicious versions, which were detected within hours.
- DuckDB team rotated passwords, tokens, and API keys to secure their npm account.
- Internal processes are being reviewed to prevent future security breaches.