The compromise of 18 npm packages, which together receive more than 2 billion downloads per week, has taken a new turn. A recent report has revealed a similar attack, this time targeting the DuckDB project. Some versions of the DuckDB packages were found to contain malicious code that tampered with cryptocurrency payments. This attack, however, was identified swiftly, and only one instance of the malicious packages being loaded was recorded. By contrast, the packages carrying malicious inserts from the earlier attack on the 18 npm packages were downloaded more than 2.5 million times.
The packages compromised in the second phishing attack are listed below:
Package | Peak downloads per week | Number of dependencies | Version with harmful code
---|---|---|---
duckdb | 242,000 | | 1.3.3
@duckdb/duckdb-wasm | 170,000 | 43 | 1.3.3
@duckdb/node-api | 81,000 | 33 | 6.2.2
@duckdb/node-bindings | 82,000 | 1 | 1.29.2
@coveops/abi | 551 | 0 | 2.0.1
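The practical question for anyone running Node projects is whether one of the versions in the table above ended up in a lockfile. The following script is an added example, not code from the article or from the DuckDB project: it walks an npm `package-lock.json` (the `packages` map of lockfile v2/v3, with a fallback to the nested `dependencies` tree of v1) and reports every installed package whose name and version match the table. The compromised-version list is transcribed from the table; the sample lockfile embedded at the bottom is constructed for the demonstration and does not describe any real project.

```javascript
// Added example: scan an npm package-lock.json for the compromised
// package/version pairs listed in the table above. Not code from the
// original article or from the DuckDB project.

// Affected versions, transcribed from the article's table.
const COMPROMISED = {
  "duckdb": ["1.3.3"],
  "@duckdb/duckdb-wasm": ["1.3.3"],
  "@duckdb/node-api": ["6.2.2"],
  "@duckdb/node-bindings": ["1.29.2"],
  "@coveops/abi": ["2.0.1"],
};

// Derive the package name from a lockfile v2/v3 "packages" key such as
// "node_modules/@duckdb/node-api" or "node_modules/a/node_modules/duckdb".
function nameFromPath(pkgPath) {
  const marker = "node_modules/";
  const idx = pkgPath.lastIndexOf(marker);
  return idx === -1 ? pkgPath : pkgPath.slice(idx + marker.length);
}

// Walk a lockfile v1 "dependencies" tree (name -> { version, dependencies }).
function* walkV1(deps, parent) {
  for (const [name, entry] of Object.entries(deps || {})) {
    const where = parent ? `${parent} > ${name}` : name;
    yield { name, version: entry.version, where };
    yield* walkV1(entry.dependencies, where);
  }
}

// Return every installed (name, version) that matches the compromised list,
// with the lockfile location so nested copies can be traced to their parent.
function findCompromised(lock) {
  const hits = [];
  const check = (name, version, where) => {
    if ((COMPROMISED[name] || []).includes(version)) {
      hits.push({ name, version, where });
    }
  };
  if (lock.packages) {
    for (const [pkgPath, entry] of Object.entries(lock.packages)) {
      if (pkgPath === "") continue; // the root project's own entry
      check(nameFromPath(pkgPath), entry.version, pkgPath);
    }
  } else {
    for (const { name, version, where } of walkV1(lock.dependencies)) {
      check(name, version, where);
    }
  }
  return hits;
}

// Constructed sample lockfile (not from any real project): one direct hit,
// one hit nested under another dependency, and one safe version of a
// listed package that must not be flagged.
const SAMPLE_LOCK = {
  name: "example-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "example-app", version: "1.0.0" },
    "node_modules/duckdb": { version: "1.3.3" },
    "node_modules/@duckdb/node-api": { version: "1.3.1" },
    "node_modules/some-lib/node_modules/@coveops/abi": { version: "2.0.1" },
  },
};

// Stand-alone use: `node scan-lock.js [path/to/package-lock.json]`.
// Without an argument the constructed sample lockfile is scanned.
if (typeof require !== "undefined" && require.main === module) {
  const fs = require("node:fs");
  const lockPath = process.argv[2];
  const lock = lockPath
    ? JSON.parse(fs.readFileSync(lockPath, "utf8"))
    : SAMPLE_LOCK;
  const hits = findCompromised(lock);
  for (const h of hits) {
    console.log(`COMPROMISED ${h.name}@${h.version} at ${h.where}`);
  }
  if (hits.length === 0) console.log("no listed versions found");
  // Fail the process only when a real lockfile was scanned, so the script
  // can gate a CI step.
  if (lockPath && hits.length > 0) process.exitCode = 1;
}
```

Matching on the lockfile rather than on `package.json` matters here: a semver range in `package.json` says nothing about which version was actually resolved, and a compromised version can arrive as a transitive dependency several levels deep, which is why the script reports the full `node_modules` path of each hit.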