Description
The DuckDB distribution for Node.js on npm was compromised with malware (along with several other packages). An attacker published new versions of four of duckdb’s packages that included malicious code to interfere with cryptocoin transactions. The following packages and versions are affected:
@duckdb/[email protected]@duckdb/[email protected][email protected]@duckdb/[email protected]
Note: The current release version of DuckDB is 1.3.
Recommendation
Update the @duckdb/duckdb-wasm package to the latest compatible version. Followings are version details:
- Affected version(s): = 1.29.2
- Patched version(s): 1.30.0
References
Related Issues
- Prebid.js NPM package briefly compromised - CVE-2025-59038
- Prebid-universal-creative latest on npm briefly compromised - CVE-2025-59039
- Webrecorder packages are vulnerable to XSS through 404 error handling logic - CVE-2025-58765
- Compromised xrpl.js versions 4.2.1, 4.2.2, 4.2.3, 4.2.4, and 2.14.2 - CVE-2025-32965
- Tags:
- npm
- @duckdb/duckdb-wasm
Anything's wrong? Let us know Last updated on September 10, 2025