[X3D-Ecosystem] Important, most serious npm/npx supply chain attack.

John Carlson yottzumm at gmail.com
Mon Sep 8 18:00:49 PDT 2025


https://youtu.be/taEIb3xXzjk

I have not yet determined whether my packages are affected. I have one npm
(node package manager) module published, “x3dvalidate.”

Here are my x3dvalidate dependencies, which you can certainly check to see
if they are affected:

"dependencies": {
"ajv": "*",
"ajv-formats": "*",
"ajv-formats-draft2019": "*",
"ajv-i18n": "*"
},

I’m guessing there will be many possible versions of packages being
withdrawn.

Apparently some npm module maintainer fell for some clever phishing email
that used an icon similar to the npm icon, claiming that 2FA needed to be
updated.

AFAIK, this is legit, but it’s just some guy, “Matt Johansen,” reporting on
YouTube.

There are also reports on Reddit which say only one user is affected, but if
any of your dependencies depend on his/her dependencies, you might be
affected:

https://www.reddit.com/r/programming/comments/1nbqt4d/largest_npm_compromise_in_history_supply_chain/

The directly affected packages are listed there.

It mostly appears like this is an attack on cryptocurrency, primarily.  I
don’t invest in cryptocurrencies.

I will be reviewing emails, and potentially changing dependencies on my
various node packages, which I’ve been meaning to do for a while. While
these are on GitHub, I’ve only published the one module to npm.

I don’t know if anyone else in X3D is affected; just be aware of package
dependencies for any npx programs you execute. This includes stuff like
React, Vite, and anyone else using npm and npx.

Primarily, I will be investigating my X3DJSONLD dependencies as found in my
package-lock.json, listed here:

https://github.com/coderextreme/X3DJSONLD/blob/master/package-lock.json


This didn’t really hit the most popular tech news sites, but reporting has
been done on the cryptocurrency sites (which I’m just seeing as headlines in
Google).

John