Posted by tosh 9/9/2025

DuckDB NPM packages 1.3.3 and 1.29.2 compromised with malware (github.com)
395 points | 283 comments | page 3
lima 9/10/2025|
Using Security Keys/FIDO2 instead of TOTP codes completely solves trivial phishing attacks like this one.
karel-3d 9/10/2025||
npm actually does send these emails. They are about setting up 2FA though. And never have this sense of urgency.

"Hi, XXXX! It looks like you still do not have two-factor authentication (2FA) enabled on your npm account.

To enable 2FA, please follow the instructions found here."

ebfe1 9/9/2025||
Is it just me who thinks this could have been prevented if npm admins put in some sort of cool off period to only allow new versions or packages to be downloaded after being published by "x" amount of hours? This way the npm maintainer would get notifications on their email and react immediately? And if it is an urgent fix, perhaps there can be a process to allow npm admin to approve and bypass publication cool off period.

Disclaimer: I don't know enough of npm/nodejs community so I might be completely off the mark here

herpdyderp 9/9/2025||
If I was forced to wait to download my own package updates I would simply stop using npm altogether and use something else.
kaelwd 9/9/2025|||
It would be fine if you could still manually specify those versions eg. npm i duckdb@1.3.3 installs 1.3.3 but duckdb@latest or duckdb@^1.3 stays on 1.3.2 until 1.3.3 is ~a week old.

https://github.com/pnpm/pnpm/issues/9921
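
The resolution rule described in the comment above, as an added example (not part of the thread and not npm's or pnpm's code): exact pins install immediately, while ranges and `latest` only see versions older than a cool-off window. The publish times are constructed, the `resolve` function and its parameters are hypothetical, and `latest` is modelled as the highest version.

```javascript
const DAY_MS = 24 * 60 * 60 * 1000;

// Constructed registry metadata: version -> publish time (ISO 8601).
const publishTimes = {
  "1.3.1": "2025-06-01T00:00:00Z",
  "1.3.2": "2025-07-15T00:00:00Z",
  "1.3.3": "2025-09-09T01:00:00Z", // published hours before "now"
};

const parse = (v) => v.split(".").map(Number);
const compare = (a, b) => {
  const [x, y] = [parse(a), parse(b)];
  for (let i = 0; i < 3; i++) if (x[i] !== y[i]) return x[i] - y[i];
  return 0;
};

// Simplified caret match: same major and >= the base version. Short bases
// such as "1.3" are padded to "1.3.0"; real semver treats 0.x specially.
function satisfiesCaret(version, base) {
  const padded = [...parse(base), 0, 0].slice(0, 3).join(".");
  return parse(version)[0] === parse(padded)[0] && compare(version, padded) >= 0;
}

// Hypothetical resolver supporting exact versions, "^" ranges and "latest".
function resolve(spec, times, now, minAgeDays = 7) {
  const all = Object.keys(times).sort(compare);
  // Exact version: the user asked for it by name, so no cool-off applies.
  if (/^\d+\.\d+\.\d+$/.test(spec)) {
    if (!(spec in times)) throw new Error(`no such version: ${spec}`);
    return { version: spec, held: [] };
  }
  const wanted = spec === "latest"
    ? all
    : all.filter((v) => satisfiesCaret(v, spec.replace(/^\^/, "")));
  const oldEnough = (v) => now - Date.parse(times[v]) >= minAgeDays * DAY_MS;
  const eligible = wanted.filter(oldEnough);
  if (eligible.length === 0) throw new Error(`nothing old enough for ${spec}`);
  const version = eligible[eligible.length - 1];
  // Report newer matches that were skipped, so the hold is visible.
  return { version, held: wanted.filter((v) => compare(v, version) > 0) };
}

const now = Date.parse("2025-09-09T12:00:00Z");
console.log(resolve("1.3.3", publishTimes, now));  // exact pin: 1.3.3
console.log(resolve("^1.3", publishTimes, now));   // range: 1.3.2, 1.3.3 held
console.log(resolve("latest", publishTimes, now)); // tag: 1.3.2, 1.3.3 held
```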

ApolloFortyNine 9/9/2025|||
Except they'd have to have an override for when there's a zero day, at which point we're back where we started.
kaelwd 9/9/2025||
Versions with a serious vulnerability should be deprecated by the maintainer which then warns you to use a newer version when installing. Yes, if an npm account is compromised the attacker could deprecate everything except their malicious version but it would still significantly reduce the attack surface by requiring manual intervention vs the current npm install foo@latest -> you're fucked.
herpdyderp 9/9/2025|||
Brilliantly simple, that would work for me!
balder1991 9/9/2025|||
It could be done like a rollout in % over time like app stores do.
kaelwd 9/9/2025|||
NPM could also flag releases that don't have a corresponding github tag (for packages that are hosted on github), most of these attacks are publishing directly to NPM without any git changes.
mdaniel 9/10/2025||
I would love this for every dependency manager, and double extra bonus for "the tag NOW isn't the tag from when the dep was published"

But, this coming from GitHub, who believe that sliding "v1" tags on random action repos is how one ends up with https://news.ycombinator.com/item?id=43367987

robjan 9/9/2025|||
They could definitely add a maker-checker process (similar to code review) for new versions and make it a requirement for public projects with x number of downloads per week.
hiccuphippo 9/9/2025||
They could force release candidates that the package managers don't automatically update to, but let researchers analyse the packages before the real release.
skylurk 9/9/2025||
I hate the janky password manager browser extensions but at least they make it hard to make this mistake.
smw 9/9/2025|
And passkeys or hardware tokens (FIDO/yubikeys) make it impossible
hoppp 9/9/2025||
Why the hell do we use npm?

Every dependency is a backdoor. To make them malicious it only takes a small slip up

cefboud 9/9/2025||
> malicious code to interfere with cryptocoin transactions

Any idea what the interference was?

jeswin 9/9/2025||
Publishing could require clicking an email confirmation link, sent by npm.
petcat 9/9/2025|
It's all pointless theater because people want less friction to do what they want, not more. They'll just automate away the friction points like clicking an email confirmation link.
jeswin 9/9/2025||
If you're the author of ducklib, and you get an email asking "Did you just publish ducklib 2.4.1?" with a fair number of warnings in the mail text, will you click on the publish link?

I certainly wouldn't. And I don't see it as pointless theater. It requires deliberate action, and that's what's missing here.

polynomial 9/9/2025||
Serious question, how did the attacking site (npmjs.help) know the victim's 2fa? ie. How did they know what phone number to send the 2fa request to?
feross 9/9/2025||
It was a relay. The fake site forwarded actions to the real npm, so the legit 2FA challenge was triggered by npm and the victim entered the code into the phishing page. The attacker captured it and completed the session, then added an API token and pushed malware. Passkeys or FIDO2 would have failed here because the credential is bound to the real domain and will not sign for npmjs.help.
yawaramin 9/10/2025||
And by 'fail' we mean that passkeys would have successfully prevented the attack.
feross 9/10/2025||
Correct!
xx_ns 9/9/2025|||
It acted as a proxy for the real npm site, which was the one to send the request, intercepting the code when the user inserted it.
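
The origin binding discussed in the replies above, as an added example that is not part of the thread: a small model of the checks a relaying page cannot satisfy with WebAuthn, next to a TOTP check that carries no origin. Signature verification is left out of the model; the credential id, challenge and code are constructed, and the real site's origin and rpId (`https://www.npmjs.com`, `npmjs.com`) are assumptions.

```javascript
// Model of the origin checks in WebAuthn (added example, constructed values).
// Assumed: the real site is https://www.npmjs.com with rpId "npmjs.com".

// Simplified rpId rule: rpId must equal the page's host or be a parent domain
// of it (browsers additionally consult the Public Suffix List).
const rpIdAllowedFor = (rpId, host) => host === rpId || host.endsWith("." + rpId);

// What the browser enforces on navigator.credentials.get(): the page chooses
// rpId and challenge, but never the origin written into the client data.
function browserGetAssertion(pageOrigin, rpId, challenge, credentials) {
  const host = new URL(pageOrigin).hostname;
  if (!rpIdAllowedFor(rpId, host)) return { error: "SecurityError" };
  const cred = credentials.find((c) => c.rpId === rpId);
  if (!cred) return { error: "NotAllowedError" }; // nothing registered for rpId
  return { credentialId: cred.id, clientData: { type: "webauthn.get", challenge, origin: pageOrigin } };
}

// Relying-party side. In real WebAuthn the hash of clientData is covered by
// the authenticator's signature, so a relay cannot rewrite the origin field.
function serverVerifyAssertion(assertion, expected) {
  if (assertion.error) return false;
  const cd = assertion.clientData;
  return cd.type === "webauthn.get" && cd.challenge === expected.challenge &&
    cd.origin === expected.origin;
}

// A TOTP code is a bare string: nothing ties it to the page it was typed into.
const serverVerifyTotp = (submitted, current) => submitted === current;

function runScenarios() {
  const credentials = [{ id: "cred-1", rpId: "npmjs.com" }];
  const expected = { challenge: "c-123", origin: "https://www.npmjs.com" };
  const real = browserGetAssertion("https://www.npmjs.com", "npmjs.com", "c-123", credentials);
  const relayRealRp = browserGetAssertion("https://npmjs.help", "npmjs.com", "c-123", credentials);
  const relayOwnRp = browserGetAssertion("https://npmjs.help", "npmjs.help", "c-123", credentials);
  return {
    realSiteLogin: serverVerifyAssertion(real, expected),     // true
    relayAskingRealRpId: relayRealRp.error,                   // "SecurityError"
    relayAskingOwnRpId: relayOwnRp.error,                     // "NotAllowedError"
    totpTypedIntoRelay: serverVerifyTotp("492817", "492817"), // true: relay works
  };
}

console.log(runScenarios());
```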
mediumsmart 9/9/2025|
Comes with the territory considering that npm is de facto the number one enshittification dependency by now. But no worries - this will scale beautifully.

downvotes appreciated but also happy to see one or two urls that would prove me wrong

eviks 9/9/2025||
In the spirit of a substantive discussion could you likewise share a couple that would prove you right?
mediumsmart 9/9/2025||
First of all I have a theory that nothing can be proven but I can't prove it.

Second - an example for a javascript heavy npm utilizing tracking heavy / low content site has not much weight in proving me right - my view is an assumption - 2 examples of shitty tracking SEO AI garbage content blubber sites not using npm would substantially question my assumption... I am genuinely interested in the tech those sites would use instead.

eviks 9/9/2025||
If you have such a theory, how does it make sense to ask others to do the impossible and prove anything???
mediumsmart 9/9/2025||
that's a fortune cookie - please stay on topic :)
hiccuphippo 9/9/2025||
I think the downvotes are because enshittification is a different thing, intentionally done by the developers themselves.
mediumsmart 9/9/2025||
granted but the motivation is payment I think and that originates elsewhere.