[x3d-public] NPM has malware?

John Carlson yottzumm at gmail.com
Thu Jul 22 03:19:54 PDT 2021

Found more info here:


Appears to be a Windows-only issue.

I would remove "bin" configuration options from your package.json if you 


On 7/22/21 5:08 AM, John Carlson wrote:
> Apparently, there's some kind of malware in the NPM (node.js package 
> manager) repository?  Some AI reported a lot of malware. I don't see 
> much in-depth analysis.  Some of the malware appears to steal your 
> browser passwords? I see "HackTool:Win32/ChromePass"
> If you want more "detail," I'll send what I have.  My info comes from 
> subscribing to a website. Please let me know what you hear from other 
> sources, since I want to confirm this before I move away from npm 
> packages.
> I would, at a minimum, run your antivirus against your node_modules 
> folders.
> I feel that it's important for people to know who have downloaded my 
> software.
> My guess is they'll mark the packages as having malware, and people 
> who ran the malware will need to update their passwords.
> John
