DuckDB npm Packages Compromised with Malware
2025-09-09
DuckDB's Node.js npm packages were compromised in a sophisticated phishing attack. Malicious versions of four packages were published, containing code designed to interfere with cryptocurrency transactions. Fortunately, these malicious versions appear not to have been downloaded before the DuckDB team identified them. The team responded swiftly, deprecating the malicious versions and releasing updated, safe versions. The attack used a convincing fake npm website that tricked a maintainer into resetting their 2FA, which gave the attackers the ability to publish the malicious packages. This incident underscores the importance of robust security practices, even for experienced developers.