
The NPM supply chain attack targeting major JavaScript packages has claimed another victim, with popular database library DuckDB confirming that four of its Node.js packages were compromised with cryptocurrency-stealing malware just hours after the initial wave of compromises.
Security researchers discovered malicious versions of four DuckDB packages on npm (the affected releases are versions 1.3.3 and 1.29.2) containing code designed to "interfere with cryptocoin transactions," according to a GitHub security advisory published by DuckDB maintainers.
The attack follows the same sophisticated phishing pattern that compromised packages with over 2 billion combined weekly downloads, including chalk, debug, and ansi-styles.
[Image: Phishing email received by DuckDB maintainers]
A DuckDB maintainer fell victim to a fake email from "npmjs.help" that led to a pixel-perfect replica of the official NPM website.
"In hindsight, the fact that his browser did not auto-complete the login should have been a red flag," DuckDB maintainers admitted in their postmortem. "It's painful to spell out, but we fell for a classic phishing attack."
The copycat website forwarded all authentication actions to the real NPM site while secretly harvesting credentials and adding malicious API tokens. Attackers then used these tokens to publish the compromised package versions containing crypto-clipper malware that hijacks wallet transactions.
DuckDB's swift response prevented widespread damage. The team detected the compromise within four hours, immediately deprecated the malicious versions, and worked with NPM support to remove them entirely. They also released patched versions (1.3.4 and 1.30.0) to ensure users pull clean packages.
This incident expands the scope of what security experts are calling the largest NPM supply chain attack in JavaScript ecosystem history. The cryptocurrency-targeting malware operates by monkey-patching browser functions to intercept network traffic and replace crypto addresses with attacker-controlled wallets.
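A defender-side check for the hooking technique described above, added here as an example (not code from the article or from DuckDB): it flags browser network APIs whose implementation is no longer engine-native, which is what a JavaScript wrapper installed by a clipper looks like. The list of watched API paths is an assumption.

```javascript
// Added example: runtime integrity check for monkey-patched network APIs.
// A clipper that replaces fetch or XMLHttpRequest.prototype.open with a
// wrapper leaves ordinary JavaScript in its place, so the engine's
// Function.prototype.toString no longer reports "[native code]" for it.

// Capture the engine's toString once, before any page script could replace it.
const nativeToString = Function.prototype.toString;

// True when fn is a built-in function. We call the captured toString rather
// than fn.toString(), because a wrapper can shadow its own toString to lie.
// Caveat: bound functions (fn.bind) also print as "[native code]", so this
// catches plain wrappers only, and is meant for browser runtimes (Node's own
// fetch is written in JavaScript and would be reported as non-native).
function isNativeFunction(fn) {
  if (typeof fn !== "function") return false;
  return /\{\s*\[native code\]\s*\}/.test(nativeToString.call(fn));
}

// Assumed list of APIs a clipper is most likely to hook, relative to the global.
const WATCHED_PATHS = [
  "fetch",
  "XMLHttpRequest.prototype.open",
  "XMLHttpRequest.prototype.send",
  "WebSocket.prototype.send",
];

function resolvePath(root, path) {
  return path.split(".").reduce((obj, key) => (obj == null ? undefined : obj[key]), root);
}

// Returns the watched paths that exist on `root` but are not native code.
function findPatchedApis(root) {
  const patched = [];
  for (const path of WATCHED_PATHS) {
    const fn = resolvePath(root, path);
    if (fn === undefined) continue; // API absent in this environment
    if (!isNativeFunction(fn)) patched.push(path);
  }
  return patched;
}

// Constructed demonstration: a fake global object whose fetch has been wrapped
// the way a clipper would wrap it. Math.max stands in for a native fetch so the
// demo runs outside a browser.
function demoPatchedGlobal() {
  const fake = { fetch: Math.max };
  const original = fake.fetch;
  fake.fetch = function (...args) { return original.apply(this, args); };
  return fake;
}
```

In a browser, call findPatchedApis(globalThis) early in page load; a non-empty result is a signal to investigate, not proof of compromise, since legitimate instrumentation also wraps these functions.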
"We apologise for this issue. We are reviewing our internal processes to ensure the safety of future releases," DuckDB maintainers stated.
Immediate Actions for Developers:
- Avoid DuckDB versions 1.3.3 and 1.29.2
- Update to patched versions (1.3.4+ or 1.30.0+)
- Use npm ci (which installs exactly what package-lock.json records) in production deployments
- Enable package audit alerts in CI/CD pipelines
The attack highlights the critical vulnerability of open-source supply chains, where a single compromised maintainer account can potentially expose millions of applications to financial theft.