
Breached npm Admin Credentials Cascade Across DuckDB Ecosystem
On September 8-9, 2025, Vercel documented a critical npm supply chain attack targeting the duckdb_admin account, compromising DuckDB-related packages. The incident showed how a single breached administrative credential can propagate across an entire dependency network. DuckDB, widely adopted in data engineering workflows, serves as critical infrastructure for analytical processing. The attack pattern demonstrates how exposed package management systems are to high-privilege account compromise: downstream applications are affected not only when they depend on a compromised package directly, but also when it arrives through transitive dependencies. The near-real-time disclosure illustrated both the cascading risk model and the value of transparent incident response.
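The transitive exposure described above is easiest to see by walking a lockfile. The following Node.js script is an added example, not code from the original post, from Vercel, or from the DuckDB project: it reads a `package-lock.json` (lockfile v3 layout), resolves each dependency the way npm does (nearest `node_modules` walking upward), and reports every dependency chain that ends in a package version flagged as published from a compromised account. The package names, versions and the embedded lockfile are constructed placeholders for illustration, not the real affected DuckDB packages.

```javascript
// Added example: audit an npm lockfile for package versions flagged after a
// maintainer-account compromise and print the chain that pulls each one in.
// All names, versions and the lockfile below are CONSTRUCTED for illustration.

const FLAGGED = {
  // package name -> versions flagged as published from the compromised account (constructed)
  "analytics-core": new Set(["1.3.3"]),
  "analytics-core-bindings": new Set(["1.3.3"]),
};

// Constructed package-lock.json v3 content. Note the nested copy of
// analytics-core under left-utils: it is a different (unflagged) version.
const SAMPLE_LOCKFILE = {
  name: "my-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "my-app", dependencies: { "report-builder": "^2.0.0", "left-utils": "^1.0.0" } },
    "node_modules/report-builder": { version: "2.1.0", dependencies: { "analytics-core": "^1.3.0" } },
    "node_modules/analytics-core": { version: "1.3.3", dependencies: { "analytics-core-bindings": "1.3.3" } },
    "node_modules/analytics-core-bindings": { version: "1.3.3" },
    "node_modules/left-utils": { version: "1.0.2", dependencies: { "analytics-core": "^1.2.0" } },
    "node_modules/left-utils/node_modules/analytics-core": { version: "1.2.0" },
  },
};

// npm's lookup rule: from the requiring package's path, look for
// <path>/node_modules/<dep>, then walk up to the parent node_modules, up to the root.
function resolve(packages, fromPath, dep) {
  let base = fromPath;
  for (;;) {
    const candidate = base === "" ? `node_modules/${dep}` : `${base}/node_modules/${dep}`;
    if (packages[candidate]) return candidate;
    if (base === "") return null;
    const idx = base.lastIndexOf("/node_modules/");
    base = idx === -1 ? "" : base.slice(0, idx);
  }
}

// Depth-first walk from the root package; every edge into a flagged
// name@version is reported with the full chain that led to it.
function findFlaggedChains(lockfile, flagged) {
  const packages = lockfile.packages || {};
  const hits = [];
  const visited = new Set();

  function walk(path, chain) {
    const entry = packages[path];
    if (!entry) return;
    const deps = Object.keys({ ...(entry.dependencies || {}), ...(entry.optionalDependencies || {}) });
    for (const dep of deps) {
      const target = resolve(packages, path, dep);
      if (!target) continue; // missing entry (e.g. unmet optional dependency)
      const version = packages[target].version;
      const nextChain = [...chain, `${dep}@${version}`];
      if (flagged[dep] && flagged[dep].has(version)) hits.push(nextChain.join(" > "));
      if (!visited.has(target)) {
        visited.add(target);
        walk(target, nextChain);
      }
    }
  }

  walk("", []);
  return hits;
}

// Stand-alone run: print the findings for the constructed lockfile.
if (typeof require !== "undefined" && require.main === module) {
  const chains = findFlaggedChains(SAMPLE_LOCKFILE, FLAGGED);
  console.log(chains.length ? chains.join("\n") : "no flagged versions found");
}
```

In a real response you would load `package-lock.json` with `JSON.parse(fs.readFileSync(...))`, populate `FLAGGED` from the advisory, and run this in CI for every repository that consumes the ecosystem, since the chain output tells you which direct dependency to pin or upgrade rather than just that something is wrong somewhere.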