Description
The DuckDB distribution for Node.js on npm was compromised with malware (along with several other packages). An attacker published new versions of four of duckdb’s packages that included malicious code to interfere with cryptocoin transactions. The following packages and versions are affected:
@duckdb/[email protected]@duckdb/[email protected][email protected]@duckdb/[email protected]
Note: The current release version of DuckDB is 1.3.
Recommendation
Update the @duckdb/duckdb-wasm package to the latest compatible version. Followings are version details:
- Affected version(s): = 1.29.2
- Patched version(s): 1.30.0
References
Related Issues
- CodeceptJS's incomprehensive sanitation can lead to Command Injection - CVE-2025-57285
- The AuthKit React Router Library rendered sensitive auth data in HTML - CVE-2025-55008
- Vite allows server.fs.deny to be bypassed with .svg or relative paths - CVE-2025-31486
- tarteaucitron.js allows prototype pollution via custom text injection - CVE-2025-31475
- Tags:
- npm
- @duckdb/duckdb-wasm
Anything's wrong? Let us know Last updated on September 10, 2025