DuckDB npm Account Compromised in Continuing Supply Chain At...
The ongoing npm supply chain attack that compromised prolific author Qix has now spread to another high-profile maintainer. The npm account duckdb_admin, responsible for DuckDB-related packages, was breached and multiple malicious versions were published. The injected code is the same wallet-drainer malware used in the Qix compromise, strongly indicating this is part of the same campaign.

Affected Packages

The following packages were published with malware early on September 9, 2025 (UTC):

duckdb@...
Read more at socket.dev