MAL-2025-46992
See a problem?- Import Source
- https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@duckdb/node-api/MAL-2025-46992.json
- JSON Data
- https://api.osv.dev/v1/vulns/MAL-2025-46992
- Published
- 2025-09-09T10:30:00Z
- Modified
- 2025-09-09T10:30:00Z
- Summary
- Malicious code in @duckdb/node-api (npm)
- Details
-
The DuckDB Node.js package @duckdb/node-api version 1.3.3 was compromised with malware through a sophisticated phishing attack targeting the DuckDB maintainers. An attacker created a pixel-perfect copy of the npmjs.com website at npmjs.help domain and tricked a maintainer into logging in and resetting 2FA. The attacker then used stolen credentials to publish malicious versions of DuckDB packages.
The malicious code was designed to interfere with cryptocurrency transactions, potentially allowing the attacker to steal or manipulate crypto wallet addresses and transactions. This represents a supply chain attack where legitimate packages were compromised to distribute malware.
The attack was discovered within 4 hours and the affected versions were immediately deprecated and deleted from npm. The maintainers re-released safe versions (1.3.4) to ensure users get clean packages.
- Database specific
{ "malicious-packages-origins": [ { "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0" } ] } ], "modified_time": "2025-09-09T14:39:40Z", "id": "GHSA-6rwc-3xrf-pxv6", "sha256": "8c08893eedd4d1f8634ce92015d874258e9b537f29f734056f26cd8777be66c1", "import_time": "2025-09-11T00:34:35.459245214Z", "source": "ghsa-malware" } ], "iocs": { "domains": [ "npmjs.help" ], "urls": [ "https://npmjs.help" ] } }- References
- Credits
-
-
- DuckDB Team - REPORTER
-
Affected packages
npm / @duckdb/node-api
Package
- Name
- @duckdb/node-api
- View open source insights on deps.dev
- Purl
- pkg:npm/%40duckdb/node-api