<div dir="ltr">I've identified several of the affected npm modules in my pythonSAI/node_modules folder:<div><br></div><div>ansi-regex/ ansi-styles/ color-convert/ color-name/ debug/ error-ex/ is-arrayish/ strip-ansi/ wrap-ansi/</div><div><br></div><div>Similarly X3DJSONLD/node_modules:</div><div><br></div><div>ansi-regex/ ansi-styles/ color-convert/ color-name/ debug/ error-ex/ is-arrayish/ strip-ansi/ wrap-ansi/</div><div><br></div><div>Please be patient, as I will be checking for updates to these modules (I checked debug, and no one had downloaded the new release!</div><div><br></div><div>What I will be trying to do is remove dependencies that rely on these modules, as I don't think I rely on them directly.</div><div><br></div><div>John</div></div><br><div class="gmail_quote gmail_quote_container"><div dir="ltr" class="gmail_attr">On Mon, Sep 8, 2025 at 8:00 PM John Carlson <<a href="mailto:yottzumm@gmail.com">yottzumm@gmail.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="auto"><a href="https://youtu.be/taEIb3xXzjk?si=L6RsGCfQ53J4FE2a" target="_blank">https://youtu.be/taEIb3xXzjk</a></div><div dir="auto"><br></div><div dir="auto">I have not yet determined whether my packages are affected. I have one published npm (node package manager) module published, “x3dvalidate.”</div><div dir="auto"><br></div><div dir="auto">Here are my x3dvalidate dependencies, which you can certainly check to see if they are affected:</div><div dir="auto"><br></div><div dir="auto"><div> "dependencies": {<br> "ajv": "*",<br> "ajv-formats": "*",<br> "ajv-formats-draft2019": "*",<br> "ajv-i18n": "*"<br> },</div><div dir="auto"><br></div><div dir="auto">I’m guessing there will be many possible versions of packages being withdrawn.</div><div dir="auto"><br></div><div dir="auto">Apparently some npm module maintainer fell for some clever phishing email that used a icon similar to the npm icon, claiming that 2FA needed to be updated.</div><div dir="auto"><br></div><div dir="auto">AFAIK, this is legit, but it’s just some guy, “Matt Johansen” reporting on YouTube.</div><div dir="auto"><br></div><div dir="auto">There’s also reports on Reddit, which say only one user is affected, but if any of your dependencies depend on his/her dependencies, you might be affected:</div><div dir="auto"><br></div><div dir="auto"><div><a href="https://www.reddit.com/r/programming/comments/1nbqt4d/largest_npm_compromise_in_history_supply_chain/" target="_blank">https://www.reddit.com/r/programming/comments/1nbqt4d/largest_npm_compromise_in_history_supply_chain/</a></div><br></div><div dir="auto">The directly affected packages are listed there.</div><div dir="auto"><br></div><div dir="auto">It mostly appears like this is an attack on cryptocurrency, primarily. I don’t invest in cryptocurrencies.</div><div dir="auto"><br></div><div dir="auto">I will be reviewing emails, and potentially changing dependencies on my various node packages, which I’ve been meaning to do for a while, while these are on GitHub, I’ve only published the one module to npm.</div><div dir="auto"><br></div><div dir="auto">I don’t know if anyone else in X3D is affected, just be aware of package dependencies for any npx programs you execute. This includes stuff like React, Vite, and anyone else using npm and npx.</div><div dir="auto"><br></div><div dir="auto">Primarily, I will be investigating my X3DJSONLD dependencies as found in my package-lock.json, listed here:</div><div dir="auto"><br></div><div dir="auto"><div><a href="https://github.com/coderextreme/X3DJSONLD/blob/master/package-lock.json" target="_blank">https://github.com/coderextreme/X3DJSONLD/blob/master/package-lock.json</a></div><br></div><div dir="auto"><br></div><div dir="auto">This didn’t really hit the most popular tech news sites, but reporting has been done in the Cryptocurrency sites (which I’m just seeing headlines in google).</div><div dir="auto"><br></div><div dir="auto">John</div><div dir="auto"><br></div><br></div>
</blockquote></div>