Description
The DuckDB distribution for Node.js on npm was compromised with malware (along with several other packages). An attacker published new versions of four of duckdb’s packages that included malicious code to interfere with cryptocoin transactions. The following packages and versions are affected:
@duckdb/[email protected]@duckdb/[email protected][email protected]@duckdb/[email protected]
Note: The current release version of DuckDB is 1.3.
Recommendation
Update the @duckdb/duckdb-wasm package to the latest compatible version. Followings are version details:
- Affected version(s): = 1.29.2
- Patched version(s): 1.30.0
References
Related Issues
- Strapi Password Hashing is Missing Maximum Password Length Validation - CVE-2025-25298
- Payload does not invalidate JWTs after log out (GHSA-5v66-m237-hwf7) 2 - CVE-2025-4643
- The AuthKit React Router Library rendered sensitive auth data in HTML - CVE-2025-55008
- Vite allows server.fs.deny to be bypassed with .svg or relative paths - CVE-2025-31486
- Tags:
- npm
- @duckdb/duckdb-wasm
Anything's wrong? Let us know Last updated on September 10, 2025