
One Hacked Account, Thousands of Projects at Risk: The npm Supply Chain Vulnerability
On September 8-9, 2025, Vercel disclosed a supply chain attack that compromised the duckdb_admin account on npm, the central repository for JavaScript packages. The breach exposed packages used across the DuckDB ecosystem — a tool widely relied on for data analysis and processing tasks.
The incident illustrates a critical weakness in how software dependencies work. When an attacker gains control of a high-privilege account such as a package administrator's, they can inject malicious code into packages that thousands of downstream projects pull in without realizing it. Those downstream applications then inherit the compromise automatically through their dependency tree, a pattern called transitive dependency risk.
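As an added illustration of the transitive dependency point above (not code from the original post, nor from Vercel or DuckDB), the following Python script walks an npm `package-lock.json` (lockfileVersion 3 layout) and reports every dependency chain that leads from an application's direct dependencies to a flagged package, optionally limited to known-bad versions. The lockfile content, package names and version numbers are constructed placeholders, not the real DuckDB packages.

```python
import json

# Constructed sample lockfile in npm lockfileVersion 3 form: "packages" is keyed by
# the node_modules path, with "" standing for the application itself. Names and
# versions are placeholders for illustration only.
SAMPLE_LOCK = json.dumps({
    "lockfileVersion": 3,
    "packages": {
        "": {"dependencies": {"my-app-db": "^1.0.0", "left-util": "^2.0.0"}},
        "node_modules/my-app-db": {"version": "1.0.0",
                                   "dependencies": {"flagged-pkg": "^1.3.0"}},
        "node_modules/flagged-pkg": {"version": "1.3.1"},
        "node_modules/left-util": {"version": "2.0.0",
                                   "dependencies": {"flagged-pkg": "^0.9.0"}},
        # Nested copy: left-util pins an older flagged-pkg of its own.
        "node_modules/left-util/node_modules/flagged-pkg": {"version": "0.9.2"},
    },
})


def resolve(packages, from_path, dep_name):
    """Mimic Node's lookup: nearest node_modules/<dep_name> at or above from_path."""
    base = from_path
    while True:
        candidate = f"{base}/node_modules/{dep_name}" if base else f"node_modules/{dep_name}"
        if candidate in packages:
            return candidate
        if not base:
            return None  # not installed anywhere above this package
        idx = base.rfind("/node_modules/")
        base = base[:idx] if idx != -1 else ""  # step up one nesting level


def dependency_chains(lock_json, flagged, bad_versions=None):
    """Return every chain root -> ... -> flagged (as name@version), optionally
    keeping only chains whose flagged version is in bad_versions."""
    packages = json.loads(lock_json)["packages"]
    chains = []

    def walk(path, chain, seen):
        for dep in packages.get(path, {}).get("dependencies", {}):
            target = resolve(packages, path, dep)
            if target is None or target in seen:
                continue
            version = packages[target].get("version", "?")
            new_chain = chain + [f"{dep}@{version}"]
            if dep == flagged and (bad_versions is None or version in bad_versions):
                chains.append(new_chain)
            walk(target, new_chain, seen | {target})

    walk("", [], set())
    return chains


if __name__ == "__main__":
    for chain in dependency_chains(SAMPLE_LOCK, "flagged-pkg", {"0.9.2"}):
        print(" -> ".join(chain))
```

Run it against a real lockfile by reading the file instead of `SAMPLE_LOCK` and passing the package name and affected versions from the vendor advisory.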
DuckDB's prominence in data engineering made this attack particularly consequential. A single breached credential cascaded across an entire network of dependent software.
What stands out: Vercel's rapid, transparent disclosure of both the breach and its scope. That kind of real-time accountability is increasingly the standard in modern incident response, though it also serves as a stark reminder of how thin the security perimeter around foundational software tools can be.
The broader lesson is familiar to anyone who has tracked software supply chains: centralized package repositories are critical infrastructure, and their security posture directly shapes risk for millions of downstream users.