[X3D-Ecosystem] Important, most serious npm/npx supply chain attack.
John Carlson
yottzumm at gmail.com
Sat Sep 13 17:18:55 PDT 2025
I've done an analysis of packages that use debug in my
X3DJSONLD/node_modules folder:
./body-parser/node_modules/debug
./debug
./engine.io/node_modules/debug
./engine.io-client/node_modules/debug
./express/node_modules/debug
./finalhandler/node_modules/debug
./node-rest-client/node_modules/debug
./send/node_modules/debug
./socket.io/node_modules/debug
./socket.io-adapter/node_modules/debug
./socket.io-client/node_modules/debug
./socket.io-parser/node_modules/debug
I didn't see vulnerable versions, but some were quite old.
Which reminds me, I need to update JSONverse as well.
John
On Sat, Sep 13, 2025 at 7:09 PM John Carlson <yottzumm at gmail.com> wrote:
> Part of the issue was the node-mkdirp module, which included several
> possibly formerly vulnerable modules.
>
> A replacement is
>
> fs.mkdirSync() with: { recursive: true }
>
> Probably fs.mkdir() would work as well asynchronously.
>
> I've also removed "@prantlf/jsonlint": "*", and "node-gyp": "*",
>
> That pretty much cleaned up pythonSAI.
>
> I do think many people rely on jsonlint to identify where in JSON an issue
> lies. I will try to make further efforts to identify a safe version of
> jsonlint.
>
> For X3DJSONLD/package.json, I removed these:
>
> $ git diff package.json|grep ^-
> --- a/package.json
> - "@prantlf/jsonlint": "*",
> - "glob": "*",
> - "node-mkdirp": "*",
> - "x_ite-node": "*",
>
>
> Holger, note that I include x_ite-node...please clean up!
>
> I will try to find a replacement for glob. Sigh.
>
> I did go back a few versions of debug, namely:
>
> "debug": "4.4.1"
>
> which seems sufficiently safe.
>
>
> John
>
>
> On Sat, Sep 13, 2025 at 6:17 PM John Carlson <yottzumm at gmail.com> wrote:
>
>> I've identified several of the affected npm modules in my
>> pythonSAI/node_modules folder:
>>
>> ansi-regex/ ansi-styles/ color-convert/ color-name/ debug/ error-ex/
>> is-arrayish/ strip-ansi/ wrap-ansi/
>>
>> Similarly X3DJSONLD/node_modules:
>>
>> ansi-regex/ ansi-styles/ color-convert/ color-name/ debug/ error-ex/
>> is-arrayish/ strip-ansi/ wrap-ansi/
>>
>> Please be patient, as I will be checking for updates to these modules (I
>> checked debug, and no one had downloaded the new release!)
>>
>> What I will be trying to do is remove dependencies that rely on these
>> modules, as I don't think I rely on them directly.
>>
>> John
>>
>> On Mon, Sep 8, 2025 at 8:00 PM John Carlson <yottzumm at gmail.com> wrote:
>>
>>> https://youtu.be/taEIb3xXzjk
>>>
>>> I have not yet determined whether my packages are affected. I have one
>>> published npm (node package manager) module published, “x3dvalidate.”
>>>
>>> Here are my x3dvalidate dependencies, which you can certainly check to
>>> see if they are affected:
>>>
>>> "dependencies": {
>>> "ajv": "*",
>>> "ajv-formats": "*",
>>> "ajv-formats-draft2019": "*",
>>> "ajv-i18n": "*"
>>> },
>>>
>>> I’m guessing there will be many possible versions of packages being
>>> withdrawn.
>>>
>>> Apparently some npm module maintainer fell for some clever phishing
>>> email that used an icon similar to the npm icon, claiming that 2FA needed to
>>> be updated.
>>>
>>> AFAIK, this is legit, but it’s just some guy, “Matt Johansen” reporting
>>> on YouTube.
>>>
>>> There are also reports on Reddit, which say only one user is affected, but
>>> if any of your dependencies depend on his/her dependencies, you might be
>>> affected:
>>>
>>>
>>> https://www.reddit.com/r/programming/comments/1nbqt4d/largest_npm_compromise_in_history_supply_chain/
>>>
>>> The directly affected packages are listed there.
>>>
>>> It mostly appears like this is an attack on cryptocurrency, primarily.
>>> I don’t invest in cryptocurrencies.
>>>
>>> I will be reviewing emails, and potentially changing dependencies on my
>>> various node packages, which I’ve been meaning to do for a while. While
>>> these are on GitHub, I’ve only published the one module to npm.
>>>
>>> I don’t know if anyone else in X3D is affected, just be aware of package
>>> dependencies for any npx programs you execute. This includes stuff like
>>> React, Vite, and anyone else using npm and npx.
>>>
>>> Primarily, I will be investigating my X3DJSONLD dependencies as found in
>>> my package-lock.json, listed here:
>>>
>>> https://github.com/coderextreme/X3DJSONLD/blob/master/package-lock.json
>>>
>>>
>>> This didn’t really hit the most popular tech news sites, but reporting
>>> has been done in the Cryptocurrency sites (which I’m just seeing headlines
>>> in google).
>>>
>>> John
>>>
>>>
>>>