DuckDB npm Account Compromised in Continuing Supply Chain Attack

The ongoing npm supply chain attack that compromised prolific author Qix has now spread to another high-profile maintainer. The npm account duckdb_admin, responsible for DuckDB-related packages, was breached and multiple malicious versions were published. The injected code is the same wallet-drainer malware used in the Qix compromise, strongly indicating this is part of the same campaign.

Affected Packages#

The following packages were published with malware early on September 9, 2025 (UTC):

• duckdb@1.3.3 – ~149k weekly downloads. (published at 2025-09-09 01:13:07am UTC)
• @duckdb/duckdb-wasm@1.29.2 – ~65k weekly downloads. (published at 2025-09-09 01:11:47am UTC)
• @duckdb/node-api@1.3.3 – ~83k weekly downloads. (published at 2025-09-09 01:12:15am UTC)
• @duckdb/node-bindings@1.3.3 – ~72k weekly downloads. (published at 2025-09-09 01:11:13am UTC)

Additional packages were also published with the same payload but have negligible downloads:

• prebid@10.9.1 – published at 04:07:49 UTC
• prebid@10.9.2 – published at 04:11:03 UTC, contained malware in two files instead of one
• @coveops/abi@2.0.1 – published 01:26:04am UTC

These appear to have had very low download counts, but they follow the same attack pattern.

Malicious releases have since been deprecated on npm, though some remained live for hours before removal.

The Malware#

Analysis shows the exact same obfuscated wallet-drainer payload used in the Qix compromise. Once executed in a browser, the code detects connected crypto wallets and installs hooks into fetch, XMLHttpRequest, and wallet provider APIs. It then rewrites transaction data on the fly, replacing legitimate addresses with attacker-controlled ones across multiple chains (Ethereum, Bitcoin, Solana, Tron, Litecoin, Bitcoin Cash).

The obfuscated code shows the exact same pattern as before. In particular, easily recognizable pattern is:

const _0x3ec3bb = {
      'ethereum': /\b0x[a-fA-F0-9]{40}\b/g,
      'bitcoinLegacy': /\b1[a-km-zA-HJ-NP-Z1-9]{25,34}\b/g,
      'bitcoinSegwit': /\b(3[a-km-zA-HJ-NP-Z1-9]{25,34}|bc1[qpzry9x8gf2tvdw0s3jn54khce6mua7l]{11,71})\b/g,
      'tron': /((?<!\w)[T][1-9A-HJ-NP-Za-km-z]{33})/g,
      'bch': /bitcoincash:[qp][a-zA-Z0-9]{41}/g,
      'ltc': /(?<!\w)ltc1[qpzry9x8gf2tvdw0s3jn54khce6mua7l]{11,71}\b/g,
      'ltc2': /(?<!\w)[mlML][a-km-zA-HJ-NP-Z1-9]{25,34}/g,
      'solana': /((?<!\w)[4-9A-HJ-NP-Za-km-z][1-9A-HJ-NP-Za-km-z]{32,44})/g,
      'solana2': /((?<!\w)[3][1-9A-HJ-NP-Za-km-z]{35,44})/g,
      'solana3': /((?<!\w)[1][1-9A-HJ-NP-Za-km-z]{35,44})/g,
    };

This unmistakable pattern makes it easy to recognize across different compromised packages.

Attacker Payout (So Far)#

Despite the wide reach of the packages targeted, on-chain evidence suggests the attackers have not profited significantly. At the time of writing, the wallets tied to this campaign show only around $600 USD in total:

• Ethereum: ~$429 (one address is flagged in a blockchain explorer with the note “There are reports that this address was involved in an NPM exploit”).
• Solana: $44.48 + $2.15.
• Other wallets: Small amounts across Bitcoin, Tron, Bitcoin Cash, and Litecoin.

These low totals suggest that while the campaign was highly disruptive, its financial impact has been limited so far.

Maintainer Compromised via Phishing Email#

The attacker gained access to the duckdb_admin account, which maintains 12 packages. Only the DuckDB-related packages published in the early morning window appear affected.

DuckDB maintainers confirmed they were compromised via the same phishing email that was used for yesterday's supply chain attack.

The DuckDB team shared more detail on how the compromise unfolded, highlighting just how convincing the phishing email and fake npm site appeared:

One of the maintainers read through this text and found it somewhat reasonable. He followed the link (now defunct) to a website hosted under the domain npmjs.help. This website contained a pixel-perfect copy of the npmjs.com website. He logged in using the duckdb_admin user and password, followed by 2FA. Again, the user profile, settings etc. were a perfect copy of the npmjs.com website including all user data. As requested by the email, he then re-set the 2FA setup.

In the background, the copycat website forwarded all actions to the actual npm website, so the 2FA was actually updated there, too. But they also added a new API token, which they then used to publish the malicious package versions. In hindsight, the fact that his browser did not auto-complete the login should have been a red flag. It's painful to spell out, but we fell for a classic phishing attack.

What Developers Should Do#

• Do not install the compromised versions listed above.
• Stick to known safe releases (e.g. duckdb@1.3.4 appears clean, but review before upgrading).
• Audit recent installs for signs of compromise.
• Stay vigilant: this campaign is ongoing and targeting high-profile maintainers.

This is not an isolated copycat incident but a continuation of the same campaign that targeted Qix. The identical malware, timing, and choice of widely used dependencies point to a coordinated effort to maximize reach across the npm ecosystem.

Socket is continuing to monitor and report on this developing situation.

IOCs#

The following npm package versions have been identified as compromised in the latest wave of the Qix phishing campaign:

• @coveops/abi@2.0.1
• @duckdb/duckdb-wasm@1.29.2
• @duckdb/node-api@1.3.3
• @duckdb/node-bindings@1.3.3
• duckdb@1.3.3
• prebid@10.9.1
• prebid@10.9.2