[X3D-Ecosystem] Important, most serious npm/npx supply chain attack.

John Carlson yottzumm at gmail.com
Sat Sep 13 16:17:14 PDT 2025


I've identified several of the affected npm modules in my
pythonSAI/node_modules folder:

ansi-regex/  ansi-styles/  color-convert/  color-name/  debug/  error-ex/
 is-arrayish/  strip-ansi/  wrap-ansi/

Similarly X3DJSONLD/node_modules:

ansi-regex/  ansi-styles/  color-convert/  color-name/  debug/  error-ex/
 is-arrayish/  strip-ansi/  wrap-ansi/

Please be patient, as I will be checking for updates to these modules (I
checked debug, and no one had downloaded the new release!).

What I will be trying to do is remove dependencies that rely on these
modules, as I don't think I rely on them directly.

John

On Mon, Sep 8, 2025 at 8:00 PM John Carlson <yottzumm at gmail.com> wrote:

> https://youtu.be/taEIb3xXzjk
> <https://youtu.be/taEIb3xXzjk?si=L6RsGCfQ53J4FE2a>
>
> I have not yet determined whether my packages are affected.  I have one
> npm (node package manager) module published, “x3dvalidate.”
>
> Here are my x3dvalidate dependencies, which you can certainly check to see
> if they are affected:
>
> "dependencies": {
> "ajv": "*",
> "ajv-formats": "*",
> "ajv-formats-draft2019": "*",
> "ajv-i18n": "*"
> },
>
> I’m guessing there will be many possible versions of packages being
> withdrawn.
>
> Apparently some npm module maintainer fell for some clever phishing email
> that used an icon similar to the npm icon, claiming that 2FA needed to be
> updated.
>
> AFAIK, this is legit, but it’s just some guy, “Matt Johansen,” reporting
> on YouTube.
>
> There’s also reports on Reddit, which say only one user is affected, but
> if any of your dependencies depend on his/her dependencies, you might be
> affected:
>
>
> https://www.reddit.com/r/programming/comments/1nbqt4d/largest_npm_compromise_in_history_supply_chain/
>
> The directly affected packages are listed there.
>
> It mostly appears like this is an attack on cryptocurrency, primarily.  I
> don’t invest in cryptocurrencies.
>
> I will be reviewing emails, and potentially changing dependencies on my
> various node packages, which I’ve been meaning to do for a while. While
> these are on GitHub, I’ve only published the one module to npm.
>
> I don’t know if anyone else in X3D is affected, just be aware of package
> dependencies for any npx programs you execute.  This includes stuff like
> React, Vite, and anyone else using npm and npx.
>
> Primarily, I will be investigating my X3DJSONLD dependencies as found in
> my package-lock.json, listed here:
>
> https://github.com/coderextreme/X3DJSONLD/blob/master/package-lock.json
>
>
> This didn’t really hit the most popular tech news sites, but reporting has
> been done on the cryptocurrency sites (for which I’m just seeing headlines in
> Google).
>
> John
>
>
>