DuckDB npm packages 1.3.3 and 1.29.2 compromised with cryptocurrency-targeting malware
By tosh
Summary
The DuckDB npm packages (duckdb, @duckdb/node-api, @duckdb/node-bindings, and duckdb-async) were compromised with malware in versions 1.3.3 and 1.29.2. An attacker published malicious code designed to interfere with cryptocurrency transactions. The latest legitimate release is 1.3.2, and users are warned not to update to the affected versions. DuckDB has no plans to release a legitimate 1.3.3 version.
Key quotes
The DuckDB distribution for Node.js on npm was compromised with malware (along with several other packages).
An attacker published new versions of four of duckdb's packages that included malicious code to interfere with cryptocoin transactions.
We do not plan to ever release a 'legit' DuckDB 1.3.3. Users should double-check that they are not accidentally updating to those affected versions.
