PT-2025-36966 · DuckDB

Charlie Eriksen · Published 2025-09-08 · Updated 2025-09-09 · CVE-2025-59037

CVSS v2.0: 10.0 (High)
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions:
duckdb (npm) version 1.3.3
@duckdb/node-api version 1.3.3
@duckdb/node-bindings version 1.3.3
@duckdb/duckdb-wasm version 1.29.2
Description: The DuckDB packages distributed for Node.js on npm were compromised with malware intended to interfere with cryptocurrency transactions. The attacker published malicious versions of several DuckDB packages (the versions listed above) after obtaining the npm credentials of a DuckDB maintainer through a phishing campaign: the attacker set up a convincing replica of the npm website and used it to harvest the login credentials, then used the stolen account to publish the malicious releases. Only the listed versions carry the malicious code; earlier and later releases are unaffected.
Recommendations:
Upgrade @duckdb/node-api to version 1.3.4 or higher.
Upgrade @duckdb/node-bindings to version 1.3.4 or higher.
Upgrade duckdb to version 1.3.4 or higher.
Upgrade @duckdb/duckdb-wasm to version 1.30.0 or higher.
As a workaround, downgrade @duckdb/node-api to version 1.3.2, @duckdb/node-bindings to version 1.3.2, duckdb to version 1.3.2, or @duckdb/duckdb-wasm to version 1.29.1 respectively.
Check the resolved versions in lockfiles (package-lock.json, yarn.lock, pnpm-lock.yaml) and in CI or build caches rather than only the ranges in package.json: a caret range such as ^1.3.2 resolves to 1.3.3 and will install the compromised release until the lockfile is regenerated against a fixed version.
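The following is an added example and not code from the advisory or from the DuckDB project. It scans the contents of an npm package-lock.json (both the lockfileVersion 2/3 "packages" map and the older lockfileVersion 1 nested "dependencies" tree) for the four compromised releases named above and reports the fixed version to move to. The lockfile embedded below is constructed for illustration; the function names and the AFFECTED table are this example's own.

```javascript
// Added example: find compromised DuckDB releases in an npm lockfile.
// Package names and versions are the ones listed in the advisory; the
// fixed versions are the ones given in its recommendations.
const AFFECTED = {
  "duckdb": { bad: ["1.3.3"], fixed: "1.3.4" },
  "@duckdb/node-api": { bad: ["1.3.3"], fixed: "1.3.4" },
  "@duckdb/node-bindings": { bad: ["1.3.3"], fixed: "1.3.4" },
  "@duckdb/duckdb-wasm": { bad: ["1.29.2"], fixed: "1.30.0" },
};

// A lockfileVersion 2/3 "packages" key looks like "node_modules/duckdb" or,
// for a nested install, "node_modules/a/node_modules/@duckdb/node-api".
// The package name is everything after the last "node_modules/".
function packageNameFromPath(path) {
  const marker = "node_modules/";
  const idx = path.lastIndexOf(marker);
  return idx === -1 ? null : path.slice(idx + marker.length);
}

function recordIfAffected(name, version, path, hits) {
  const rule = AFFECTED[name];
  if (rule && rule.bad.includes(version)) {
    hits.push({ name, version, path, fixed: rule.fixed });
  }
}

// lockfileVersion 1 stores a nested tree under "dependencies"; walk it.
function walkV1(deps, parentPath, hits) {
  for (const [name, meta] of Object.entries(deps || {})) {
    const path = `${parentPath}node_modules/${name}`;
    recordIfAffected(name, meta.version, path, hits);
    if (meta.dependencies) walkV1(meta.dependencies, `${path}/`, hits);
  }
}

// Returns one entry per compromised package found, in lockfile order.
function findCompromised(lock) {
  const hits = [];
  if (lock.packages) {
    for (const [path, meta] of Object.entries(lock.packages)) {
      if (path === "") continue; // the root project entry
      const name = packageNameFromPath(path);
      if (name && meta) recordIfAffected(name, meta.version, path, hits);
    }
  } else {
    walkV1(lock.dependencies, "", hits);
  }
  return hits;
}

// Constructed sample lockfiles (not from any real project). The first has a
// direct compromised dependency, a clean one and a nested compromised one.
const SAMPLE_LOCK_V3 = {
  name: "example-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "example-app", version: "1.0.0" },
    "node_modules/duckdb": { version: "1.3.3" },
    "node_modules/@duckdb/node-api": { version: "1.3.2" },
    "node_modules/some-lib": { version: "2.0.0" },
    "node_modules/some-lib/node_modules/@duckdb/duckdb-wasm": { version: "1.29.2" },
    "node_modules/lodash": { version: "4.17.21" },
  },
};

const SAMPLE_LOCK_V1 = {
  name: "legacy-app",
  lockfileVersion: 1,
  dependencies: {
    "@duckdb/node-bindings": { version: "1.3.3" },
    "some-lib": {
      version: "2.0.0",
      dependencies: { "duckdb": { version: "1.3.4" } },
    },
  },
};

// Usage: node scan-lock.js path/to/package-lock.json
if (typeof require !== "undefined" && require.main === module) {
  const fs = require("node:fs");
  const lock = process.argv[2]
    ? JSON.parse(fs.readFileSync(process.argv[2], "utf8"))
    : SAMPLE_LOCK_V3;
  for (const h of findCompromised(lock)) {
    console.log(`${h.path}: ${h.name}@${h.version} is compromised, upgrade to ${h.fixed}`);
  }
}
```

Running it against a real lockfile lists every install path of a compromised release, including copies nested under other dependencies that `npm ls` output can make easy to overlook. Because the scan keys on the lockfile's resolved versions, it catches the case where package.json only declares a range that happens to resolve to the bad release.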

Exploit · Fix · RCE

Weakness Enumeration

Related Identifiers

BDU:2025-12664
CVE-2025-59037
GHSA-w62p-hx95-gf2c

Affected Products

@duckdb/duckdb-wasm
@duckdb/node-api
@duckdb/node-bindings
duckdb