npm package
duckdb
pkg:npm/duckdb
Malware
2 malicious versions on record
One or more versions of this package have been flagged as containing malicious code. Audit any system that installed an affected version.
- GHSA-m63q-rrxf-h93g: Duplicate Advisory: Malware in duckdb (Sep 9, 2025)
- MAL-2025-46994: Malicious code in duckdb (npm) (Sep 9, 2025)
Vulnerabilities (1)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2025-59037 | High | — | | >= 1.3.3, < 1.3.4 | 1.3.4 | Sep 9, 2025 | DuckDB is an analytical in-process SQL database management system. On 08 September 2025, the DuckDB distribution for Node.js on npm was compromised with malware (along with several other packages). An attacker published new versions of four of DuckDB's packages that included mali |