duckdb - isotope¹³

Incident Summary

DuckDB npm Account Compromise

The duckdb_admin npm account was compromised via a phishing email linking to a cloned npmjs site (npmjs.help), allowing attackers to bypass 2FA and inject a new API token. The attackers published malicious versions of DuckDB packages containing a wallet-drainer payload, attributed to the same threat actor behind the Qix compromise.

Date: 2025-09-09
Category: Open Source
Target Surface: Package registry
Insertion Phase: distribution
Impact: Financial Exploitation
Cause: Social Engineering

What Was Affected

Package duckdb

LanguageJavaScript

ComponentLibrary

Artifact typesource archive

Domain typepackage host

Domain npmjs.com

Repository github.com/duckdb/duckdb-node

Compromised Versions

1.3.3
1.29.2

Incident Context

Motive: Financial gain
Attribution: Third Party
Transitive: No
User Impact: 369000
Observed Duration: 0 days

External References

socket.dev/blog/duckdb-npm-account-compromised-in-continuing-supply-chain-attack

Source Data

Source record: oss/duckdb/meta.yaml