[X3D-Ecosystem] Important, most serious npm/npx supply chain attack.
John Carlson
yottzumm at gmail.com
Mon Sep 8 20:12:32 PDT 2025
I’m not seeing that x3dvalidate got new versions recently, so likely
there’s no issue with it. To be on the safe side, go with version
9.0.1 perhaps:
https://www.npmjs.com/package/x3dvalidate
$ npx x3dvalidate@9.0.1 file1.x3dj file2.x3dj …
Unless you need the latest features!
Probably there will be an alternative way to check X3D JSON when the
standard gets released, depending on whether a JSON schema standard is
released (in other words, never). For those requiring alternative schema
validation now, I suggest looking into X3DJSONLD.* and validating the
result DOM against the XML schema. Various X3DJSONLD JSON to DOM
Converters exist for JavaScript, Java, C, and Pascal. If sufficient
pressure is placed on me, I will create a schema validator in python which
doesn’t use x3d.py/X3DPSAIL, yet validates JSON against XML Schema. Please
indicate your interest. I’m guessing XML schema validation will outperform
JSON schema validation in Python. Python validation against JSON schema
has been done, but it’s not as performant as JavaScript, so I typically test
with the latter. Since JSON schema has been deprecated until further
notice, it might be wise to use X3DJSONLD to convert to XML or DOM for
validation.
Java already has something to validate X3D JSON against XML schema, that’s
where I would look first, if not X3DJSAIL’s DOM Loader being used with
X3DJSONLD.java. I haven’t built something to validate JavaScript DOM
against XML schema yet, but I can serialize to XML, and validate against
XML schema, most likely. Mostly, I use DOM to XML serialization to
compare roundtrip conversions from XML to JSON to DOM.
Note that there are missing features in X3dToJson.xslt which might be
addressed later this year, I am going with Holger’s x3d-tidy in the short
term as I am exercising Material nodes which aren’t mapped well yet in
X3dToJson.xslt. For those on the leading edge, see how the SFNodes in
https://www.web3d.org/specifications/X3Dv4/ISO-IEC19775-1v4-IS/Part01/components/shape.html#Material
are mapped to JSON with X3dToJson.xslt. AFAIK, the SFNodes should be
mapped to JSON objects, not JSON arrays, those are for MFNodes. Obviously,
if validation of the DOM against the XML schema is done, perhaps important
stuff like array versus object is swept under the covers? IDK.
Note that X3DJSONLD is not affiliated with JSON-LD. The former is a JSON
loader (hence the LD) and has nothing to do with linked data.
John
On Mon, Sep 8, 2025 at 8:00 PM John Carlson <yottzumm at gmail.com> wrote:
> https://youtu.be/taEIb3xXzjk
>
> I have not yet determined whether my packages are affected. I have one
> npm (node package manager) module published, “x3dvalidate.”
>
> Here are my x3dvalidate dependencies, which you can certainly check to see
> if they are affected:
>
> "dependencies": {
> "ajv": "*",
> "ajv-formats": "*",
> "ajv-formats-draft2019": "*",
> "ajv-i18n": "*"
> },
>
> I’m guessing there will be many possible versions of packages being
> withdrawn.
>
> Apparently some npm module maintainer fell for some clever phishing email
> that used an icon similar to the npm icon, claiming that 2FA needed to be
> updated.
>
> AFAIK, this is legit, but it’s just some guy, “Matt Johansen” reporting
> on YouTube.
>
> There are also reports on Reddit, which say only one user is affected, but
> if any of your dependencies depend on his/her dependencies, you might be
> affected:
>
>
> https://www.reddit.com/r/programming/comments/1nbqt4d/largest_npm_compromise_in_history_supply_chain/
>
> The directly affected packages are listed there.
>
> It mostly appears like this is an attack on cryptocurrency, primarily. I
> don’t invest in cryptocurrencies.
>
> I will be reviewing emails, and potentially changing dependencies on my
> various node packages, which I’ve been meaning to do for a while. While
> these are on GitHub, I’ve only published the one module to npm.
>
> I don’t know if anyone else in X3D is affected, just be aware of package
> dependencies for any npx programs you execute. This includes stuff like
> React, Vite, and anyone else using npm and npx.
>
> Primarily, I will be investigating my X3DJSONLD dependencies as found in
> my package-lock.json, listed here:
>
> https://github.com/coderextreme/X3DJSONLD/blob/master/package-lock.json
>
>
> This didn’t really hit the most popular tech news sites, but reporting has
> been done on the cryptocurrency sites (for which I’m just seeing headlines in
> Google).
>
> John