npm stats lag. We observed installs while the malicious versions were live for hours before removal. Affected releases we saw: [email protected], @duckdb/[email protected], @duckdb/[email protected], @duckdb/[email protected]. Same payload as yesterday’s Qix compromise. Recommend pinning and avoiding those versions, reviewing diffs, and considering a temporary policy not to auto-adopt fresh patch releases on critical packages until they age.