Two high-profile npm maintainers — prolific author Qix and duckdb_admin (DuckDB-related packages) — were compromised in a coordinated supply-chain campaign that published malicious package versions containing the same obfuscated wallet-drainer payload. The malicious code hooks browser wallet APIs and network calls to rewrite transaction addresses across multiple chains, while on-chain analysis shows only minor attacker payouts so far. #Qix #duckdb_admin
Keypoints
- The npm account duckdb_admin was breached and multiple DuckDB-related package versions published with wallet-drainer malware on September 9, 2025 (UTC).
- Analysis reveals the exact same obfuscated wallet-drainer payload used in the earlier Qix compromise, indicating the same campaign is responsible.
- The injected script detects connected crypto wallets and hooks fetch, XMLHttpRequest, and wallet provider APIs to rewrite transaction addresses for Ethereum, Bitcoin, Solana, Tron, Litecoin, and Bitcoin Cash.
- Malicious releases were available on npm for hours before being deprecated and removed; some packages had high downloads while others had negligible counts.
- On-chain tracking shows limited attacker profit to date (~$600 total across several chains), suggesting minimal financial success so far.
- The duckdb_admin compromise was achieved via a convincing phishing email directing a maintainer to a pixel-perfect fake site (npmjs.help) that forwarded actions to the real site while capturing tokens and adding an API token.
- Developers are advised not to install the compromised versions, to stick to reviewed safe releases (e.g., [email protected] appears clean), audit recent installs, and remain vigilant as the campaign continues.
MITRE Techniques
- [T1566] Phishing – Attacker sent a convincing phishing email linking to a fake npm site that captured credentials and 2FA, described as: “he followed the link (now defunct) to a website hosted under the domain npmjs.help. This website contained a pixel-perfect copy of the npmjs.com website… He logged in using the duckdb_admin user and password, followed by 2FA.”
- [T1583] Acquire Infrastructure – Attacker used the domain npmjs.help as fake infrastructure to host a copycat npm site that proxied actions to the real site and captured token information. Quoted: “This website contained a pixel-perfect copy of the npmjs.com website… the copycat website forwarded all actions to the actual npm website.”
- [T1078] Valid Accounts – Attacker used the compromised duckdb_admin npm account and added a new API token to publish malicious package versions. Quoted: “They also added a new API token, which they then used to publish the malicious package versions.”
- [T1598] Phishing for Information – The fake site tricked the maintainer into resetting 2FA and performing actions that disclosed authentication artifacts. Quoted: “As requested by the email, he then re-set the 2FA setup… the copycat website forwarded all actions… they also added a new API token.”
- [T1553] Subvert Trust Controls – Attacker published malicious versions of trusted npm packages to subvert software supply chain trust and distribute wallet-draining payloads. Quoted: “Malicious releases have since been deprecated on npm, though some remained live for hours before removal.”
- [T1204] User Execution – The malicious payload required execution in a browser environment when developers or users installed and ran affected packages, enabling the wallet-drainer to operate. Quoted: “Once executed in a browser, the code detects connected crypto wallets and installs hooks into fetch, XMLHttpRequest, and wallet provider APIs.”
- [T1059] Command and Scripting Interpreter – Obfuscated JavaScript payload executed in-browser to modify network calls and transaction data; recognizable pattern shown in code snippet. Quoted: “The obfuscated code shows the exact same pattern as before… const _0x3ec3bb = { 'ethereum': /\b0x[a-fA-F0-9]{40}\b/g, … }”
Indicators of Compromise
- [npm package versions] Compromised DuckDB-related package releases published by duckdb_admin on September 9, 2025 (UTC); the exact list of malicious versions is omitted in this summary, so consult the linked article before auditing installs.
- [Domain] Phishing infrastructure – npmjs.help (fake npm site used to capture credentials and 2FA and to add API token).
- [JavaScript code pattern] Obfuscated wallet-drainer payload – recognizable regex patterns matching crypto addresses (e.g., Ethereum: \b0x[a-fA-F0-9]{40}\b, Solana patterns), indicating the same payload as the Qix compromise.
- [Blockchain addresses] Attacker wallet addresses (on-chain receipts) – examples: Ethereum address flagged in explorer (~$429), Solana wallets (~$44.48 + $2.15), and small amounts across Bitcoin, Tron, Bitcoin Cash, and Litecoin.
Read more: https://socket.dev/blog/duckdb-npm-account-compromised-in-continuing-supply-chain-attack