[X3D-Ecosystem] Important, most serious npm/npx supply chain attack.
John Carlson
yottzumm at gmail.com
Mon Sep 8 18:34:57 PDT 2025
https://www.securityalliance.org/news/2025-09-npm-supply-chain
This provides what appears to be useful information to check on your
machine. I’m personally going to check with
$ grep -R checkethereumw in my home folder.
One needs to check any node_modules folders and npm cache.
The attack is a JavaScript attack that allows mutable variables to be
replaced, particularly in the window scope. I encourage myself and others
to make variables “const” to avoid such replacement in the browser.
For example, one might replace fetch(), a popular way to download JSON,
etc. from websites, such that all fetches from that page are scanned for
cryptocurrency sites.
John
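As an added example (not code from the original message or from any of the packages named), this shows the defensive side of the point above: locking a global such as window.fetch so that later-loaded code cannot silently swap it out, and checking whether the original survived an overwrite attempt. It uses a constructed stand-in for `window` so it runs outside a browser.

```javascript
"use strict";

// Make a global property read-only and non-deletable. A later
// `win.fetch = ...` assignment then throws (strict mode) or is ignored
// (sloppy mode) instead of replacing the function.
function lockGlobal(win, name) {
  const original = win[name];
  Object.defineProperty(win, name, {
    value: original,
    writable: false,
    configurable: false,
    enumerable: true,
  });
  return original;
}

// Attempt to overwrite the property and report whether the original is
// still in place afterwards. This is the check a page can run against a
// reference it captured at load time.
function survivesOverwrite(win, name, replacement) {
  const original = win[name];
  try {
    win[name] = replacement;
  } catch (e) {
    // Strict-mode assignment to a read-only property throws a TypeError;
    // that is the intended outcome of lockGlobal.
  }
  return win[name] === original;
}

// Constructed stand-in for `window` with a placeholder fetch.
function makeWindow() {
  return { fetch: async (url) => ({ url, ok: true }) };
}

// Compare an unlocked and a locked window under the same overwrite attempt.
function demo() {
  const unlocked = makeWindow();
  const locked = makeWindow();
  lockGlobal(locked, "fetch");
  const substitute = async () => ({ ok: false });
  return {
    unlocked: survivesOverwrite(unlocked, "fetch", substitute), // false
    locked: survivesOverwrite(locked, "fetch", substitute),     // true
  };
}
```

Note that locking must run before any third-party script, and the captured reference must be taken from a page that has not already been tampered with.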
On Mon, Sep 8, 2025 at 8:00 PM John Carlson <yottzumm at gmail.com> wrote:
> https://youtu.be/taEIb3xXzjk
>
> I have not yet determined whether my packages are affected. I have one
> published npm (node package manager) module published, “x3dvalidate.”
>
> Here are my x3dvalidate dependencies, which you can certainly check to see
> if they are affected:
>
> "dependencies": {
> "ajv": "*",
> "ajv-formats": "*",
> "ajv-formats-draft2019": "*",
> "ajv-i18n": "*"
> },
>
> I’m guessing there will be many possible versions of packages being
> withdrawn.
>
> Apparently some npm module maintainer fell for some clever phishing email
> that used an icon similar to the npm icon, claiming that 2FA needed to be
> updated.
>
> AFAIK, this is legit, but it’s just some guy, “Matt Johansen” reporting
> on YouTube.
>
> There are also reports on Reddit, which say only one user is affected, but
> if any of your dependencies depend on his/her dependencies, you might be
> affected:
>
>
> https://www.reddit.com/r/programming/comments/1nbqt4d/largest_npm_compromise_in_history_supply_chain/
>
> The directly affected packages are listed there.
>
> It mostly appears like this is an attack on cryptocurrency, primarily. I
> don’t invest in cryptocurrencies.
>
> I will be reviewing emails, and potentially changing dependencies on my
> various node packages, which I’ve been meaning to do for a while. While
> these are on GitHub, I’ve only published the one module to npm.
>
> I don’t know if anyone else in X3D is affected, just be aware of package
> dependencies for any npx programs you execute. This includes stuff like
> React, Vite, and anyone else using npm and npx.
>
> Primarily, I will be investigating my X3DJSONLD dependencies as found in
> my package-lock.json, listed here:
>
> https://github.com/coderextreme/X3DJSONLD/blob/master/package-lock.json
>
>
> This didn’t really hit the most popular tech news sites, but reporting has
> been done in the Cryptocurrency sites (which I’m just seeing headlines in
> google).
>
> John
>
>
>