DuckDB Node.js Distribution Compromised with Malware Interfering in Cryptocoin Transactions

Vulnerability

A malware injection has been identified in the DuckDB distribution for Node.js, specifically in version 1.3.3 of the packages '@duckdb/node-api', '@duckdb/node-bindings', and 'duckdb', and in version 1.29.2 of '@duckdb/duckdb-wasm'. The malicious code, introduced through a phishing attack that compromised the maintainer's npm account, was designed to disrupt cryptocoin transactions by hijacking wallet interactions and redirecting funds to attacker-controlled accounts. This incident occurred on September 8, 2025, and was part of a broader compromise affecting several popular npm packages.

Impact

The injected malware operates as a browser-based interceptor, manipulating network traffic and application APIs. It hijacks wallet interactions by altering transaction details, such as payment destinations, before they are signed by the user, effectively redirecting funds to accounts controlled by the attacker. This manipulation occurs without any visible signs, making it difficult for users to detect the fraud.

Reproduction

The vulnerability can be reproduced by installing the affected DuckDB Node.js packages from npm. Once the compromised versions are installed, the malware activates by intercepting wallet-related transactions and redirecting funds to attacker-controlled addresses. This behavior can be observed by monitoring transaction payloads for signs of manipulation, such as altered payment destinations.

Remediation

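Users can upgrade the DuckDB Node.js packages to version 1.3.4 (for '@duckdb/node-api', '@duckdb/node-bindings', and 'duckdb') or 1.30.0 (for '@duckdb/duckdb-wasm'), or to a higher version. If they need to revert to a previous version, they can downgrade to 1.3.2 or 1.29.1, respectively.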
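
Added example (not part of the original advisory and not DuckDB's own tooling): a lockfile audit that flags the affected versions listed above, including copies pulled in as nested dependencies. The function names and the sample lockfile are constructed for illustration; the package names and versions are the ones given in this advisory.

```javascript
// Added example: audit a parsed package-lock.json for the versions named in this advisory.
const AFFECTED = {
  '@duckdb/node-api': ['1.3.3'],
  '@duckdb/node-bindings': ['1.3.3'],
  'duckdb': ['1.3.3'],
  '@duckdb/duckdb-wasm': ['1.29.2'],
};

function isAffected(name, version) {
  const bad = Object.prototype.hasOwnProperty.call(AFFECTED, name) ? AFFECTED[name] : [];
  return bad.includes(version);
}

// Returns [{ name, version, path }] for each affected entry, including nested (transitive) installs.
function findAffected(lock) {
  const hits = [];
  const marker = 'node_modules/';
  // lockfileVersion 2/3: flat "packages" map keyed by install path.
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    const idx = path.lastIndexOf(marker);
    if (idx === -1) continue; // "" is the root project itself
    const name = meta.name || path.slice(idx + marker.length); // "name" is set for aliased installs
    if (isAffected(name, meta.version)) hits.push({ name, version: meta.version, path });
  }
  // lockfileVersion 1: nested "dependencies" tree (v2 carries both, so only walk it as a fallback).
  const walk = (deps, trail) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const path = trail + name;
      if (isAffected(name, meta.version)) hits.push({ name, version: meta.version, path });
      walk(meta.dependencies, path + ' > ');
    }
  };
  if (!lock.packages) walk(lock.dependencies, '');
  return hits;
}

// Constructed sample lockfile (not from a real project).
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', version: '0.0.1' },
    'node_modules/@duckdb/node-api': { version: '1.3.3' },
    'node_modules/duckdb': { version: '1.3.2' },
    'node_modules/some-lib/node_modules/@duckdb/duckdb-wasm': { version: '1.29.2' },
  },
};

findAffected(SAMPLE_LOCK).forEach((h) => console.log(`AFFECTED ${h.name}@${h.version} at ${h.path}`));
```

To audit a real project, pass the parsed contents of its package-lock.json to findAffected in place of the sample object.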

Added: Sep 9, 2025, 9:20 PM
Updated: Sep 9, 2025, 9:20 PM

Vulnerability Rating

Custom Algorithm

spread: 5.4
impact: 5.0
exploitability: 5.0
remediation: 7.7
relevance: 0.5
threat: 1.6
urgency: 2.9
incentive: 0.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.