
Cloud Vulnerability DB
A community-led vulnerabilities database
On September 8th, 2025, the DuckDB distribution for Node.js on npm was compromised with malware. An attacker published malicious versions of four DuckDB packages (@duckdb/node-api@1.3.3, @duckdb/node-bindings@1.3.3, duckdb@1.3.3, and @duckdb/duckdb-wasm@1.29.2) that contained code designed to interfere with cryptocurrency transactions (GitHub Advisory).
The compromise began with a phishing email: a DuckDB maintainer received a message from a spoofed npmjs.help domain. The attacker had built a pixel-perfect copy of the npm website, which tricked the maintainer into logging in and resetting 2FA, giving the attacker publish access. The malicious code was designed to silently intercept crypto and web3 activity in the browser, manipulate wallet interactions, and redirect cryptocurrency payments to attacker-controlled accounts without any visible sign to users (Aikido Blog).
According to npm statistics, no users had downloaded the compromised packages before they were deprecated. The potential impact would have been significant as the code was designed to interfere with cryptocurrency transactions and could have led to financial losses for affected users (GitHub Advisory).
DuckDB immediately deprecated the compromised versions and engaged npm support to delete the affected versions. The project re-released the node packages with higher version numbers (1.3.4/1.30.0). Users should upgrade to versions 1.3.4, 1.30.0, or higher to protect themselves. As a workaround, users can also downgrade to versions 1.3.2 or 1.29.1 (GitHub Advisory).
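To act on the remediation above, a practitioner first needs to know whether any of the four compromised package versions are pinned in a project. The following lockfile scanner is an added example (not code from the DuckDB project or from this advisory); it assumes an npm `package-lock.json` in either the v1 shape (top-level `dependencies`, possibly nested) or the v2/v3 shape (top-level `packages` keyed by `node_modules/<name>`), and handles both. The embedded sample lockfile is constructed for a stand-alone run.

```javascript
// Added example: report any installed DuckDB npm package whose version matches
// one of the compromised releases named in the advisory. Not DuckDB project code.

// The four compromised package@version pairs from the advisory.
const COMPROMISED = {
  '@duckdb/node-api': ['1.3.3'],
  '@duckdb/node-bindings': ['1.3.3'],
  'duckdb': ['1.3.3'],
  '@duckdb/duckdb-wasm': ['1.29.2'],
};

// Walk a lockfile v1 "dependencies" tree (which may nest) and yield each
// name/version pair with the dependency path it was found under.
function* walkV1(deps, path = []) {
  for (const [name, entry] of Object.entries(deps || {})) {
    const here = [...path, name];
    yield { name, version: entry.version, where: here.join(' > ') };
    if (entry.dependencies) yield* walkV1(entry.dependencies, here);
  }
}

// Walk a lockfile v2/v3 "packages" map. Keys look like "node_modules/@scope/name"
// or "node_modules/a/node_modules/b"; the package name is everything after the
// last "node_modules/" segment. The empty key is the root project itself.
function* walkV2(packages) {
  const marker = 'node_modules/';
  for (const [key, entry] of Object.entries(packages || {})) {
    if (key === '') continue;
    const idx = key.lastIndexOf(marker);
    const name = idx === -1 ? key : key.slice(idx + marker.length);
    yield { name, version: entry.version, where: key };
  }
}

// Return every installed (name, version) pair that appears in COMPROMISED.
function findCompromised(lock) {
  const entries = lock.packages
    ? [...walkV2(lock.packages)]
    : [...walkV1(lock.dependencies)];
  return entries.filter((e) => (COMPROMISED[e.name] || []).includes(e.version));
}

// Read a lockfile from disk and scan it (assumes a Node.js CommonJS runtime).
function scanLockfile(lockfilePath) {
  const fs = require('fs');
  return findCompromised(JSON.parse(fs.readFileSync(lockfilePath, 'utf8')));
}

// Constructed sample lockfile (v3 shape): one compromised duckdb entry beside
// two packages already on the fixed 1.3.4 release.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'sample-app', version: '0.0.1' },
    'node_modules/duckdb': { version: '1.3.3' },
    'node_modules/@duckdb/node-api': { version: '1.3.4' },
    'node_modules/@duckdb/node-bindings': { version: '1.3.4' },
  },
};

// Usage: node scan.js [path/to/package-lock.json]; without a path the sample runs.
if (typeof require !== 'undefined' && require.main === module) {
  const hits = process.argv[2] ? scanLockfile(process.argv[2]) : findCompromised(SAMPLE_LOCK);
  if (hits.length === 0) {
    console.log('No compromised DuckDB versions found.');
  } else {
    for (const h of hits) console.log(`COMPROMISED: ${h.name}@${h.version} at ${h.where}`);
    process.exitCode = 1;
  }
}
```

A non-zero exit code makes the check usable as a CI gate; once a hit is reported, follow the advisory and move the affected package to 1.3.4 / 1.30.0 or higher (or back to 1.3.2 / 1.29.1).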
The DuckDB team acknowledged falling for a classic phishing attack and apologized for the mishap. They noted that they were fortunate to notice the compromise within four hours and were able to respond quickly. The DuckDB Labs team held an immediate response meeting at 7 AM to address the situation and rotate passwords, tokens, and API keys (GitHub Advisory).
Source: This report was generated using AI