

The maintainers of the nx build system have alerted users to a supply chain attack that allowed attackers to publish malicious versions of the popular npm package and other auxiliary plugins with data-gathering capabilities.

“Malicious versions of the nx package, as well as some supporting plugin packages, were published to npm, containing code that scans the file system, collects credentials, and posts them to GitHub as a repo under the user’s accounts,” the maintainers said in an advisory published Wednesday.

Nx is an open-source, technology-agnostic build platform that is designed to manage codebases. It is marketed as an “AI-first build platform that connects everything from your editor to CI [continuous integration].” The npm package has over 3.5 million weekly downloads.

The list of affected packages and versions is below. These versions have since been removed from the npm registry. The compromise of the nx package took place on August 26, 2025.

  • nx 21.5.0, 20.9.0, 20.10.0, 21.6.0, 20.11.0, 21.7.0, 21.8.0, 20.12.0
  • @nx/devkit 21.5.0, 20.9.0
  • @nx/enterprise-cloud 3.2.0
  • @nx/eslint 21.5.0
  • @nx/js 21.5.0, 20.9.0
  • @nx/key 3.2.0
  • @nx/node 21.5.0, 20.9.0
  • @nx/workspace 21.5.0, 20.9.0
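To check a project against the list above, the following added example (not code from the nx advisory) scans a parsed `package-lock.json` for the affected versions, including copies nested under other dependencies. It assumes the npm lockfile v2/v3 layout with a top-level `packages` map; the function names and the sample lockfile are constructed for illustration.

```javascript
// Affected versions exactly as listed in the article above.
const AFFECTED = {
  "nx": ["21.5.0", "20.9.0", "20.10.0", "21.6.0", "20.11.0", "21.7.0", "21.8.0", "20.12.0"],
  "@nx/devkit": ["21.5.0", "20.9.0"],
  "@nx/enterprise-cloud": ["3.2.0"],
  "@nx/eslint": ["21.5.0"],
  "@nx/js": ["21.5.0", "20.9.0"],
  "@nx/key": ["3.2.0"],
  "@nx/node": ["21.5.0", "20.9.0"],
  "@nx/workspace": ["21.5.0", "20.9.0"],
};

// Lockfile v2/v3 keys look like "node_modules/a/node_modules/@nx/js";
// the package name is whatever follows the last "node_modules/".
function nameFromLockPath(path) {
  const marker = "node_modules/";
  const i = path.lastIndexOf(marker);
  return i === -1 ? null : path.slice(i + marker.length);
}

// Returns [{ name, version, path }] for every affected install, including
// transitive copies nested under other packages.
function findAffected(lock) {
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    const name = meta.name || nameFromLockPath(path);
    if (!name || !meta.version) continue; // workspace links carry no version
    if (Object.hasOwn(AFFECTED, name) && AFFECTED[name].includes(meta.version)) {
      hits.push({ name, version: meta.version, path });
    }
  }
  return hits;
}

// Constructed sample lockfile (not taken from a real project).
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/nx": { version: "21.4.1" },
    "node_modules/@nx/js": { version: "21.5.0" },
    "node_modules/some-tool/node_modules/nx": { version: "20.11.0" },
    "node_modules/@nx/eslint": { version: "21.4.1" },
  },
};

for (const h of findAffected(sampleLock)) {
  console.log(`AFFECTED ${h.name}@${h.version} at ${h.path}`);
}
```

For a real project, pass `JSON.parse` of the lockfile contents to `findAffected`. A clean result only covers what the lockfile currently pins, so it does not rule out an earlier install of an affected version.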

The project maintainers said the root cause of the issue stemmed from a vulnerable workflow added on August 21, 2025, that introduced the ability to inject executable code using a specially crafted title in a pull request (PR). While the workflow was reverted in the “master” branch “almost immediately” after it was found to be exploitable in a malicious context, the threat actor is assessed to have made a PR targeting an outdated branch that still contained the workflow to launch the attack.


“The pull_request_target trigger was used as a way to trigger the action to run whenever a PR was created or modified,” the nx team said. “However, what was missed is the warning that this trigger, unlike the standard pull_request trigger, runs workflows with elevated permissions, including a GITHUB_TOKEN which has read/write repository permission.”

It is believed the GITHUB_TOKEN was used to trigger the “publish.yml” workflow, which is responsible for publishing the nx packages to the registry using an npm token.

But with the PR validation workflow running with elevated privileges, the “publish.yml workflow” is triggered to run on the “nrwl/nx” repository while also introducing malicious changes that made it possible to exfiltrate the npm token to an attacker-controlled webhook[.]site endpoint.

“As part of the bash injection, the PR validation workflows triggered a run of the publish.yml with this malicious commit and sent our npm token to an unfamiliar webhook,” the nx team explained. “We believe this is how the user got a hold of the npm token used to publish the malicious versions of nx.”

In other words, the injection flaw enabled arbitrary command execution if a malicious PR title was submitted, while the pull_request_target trigger granted elevated permissions by providing a GITHUB_TOKEN with read/write access to the repository.
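The two conditions described above can be audited for in a repository's own workflows. This added example (not the nx project's code or its actual workflow files) is a line-based check that reports a workflow only when it both runs on pull_request_target and expands a PR-controlled expression inside a `run:` script. The sample workflows, the `auditWorkflow` name and the short list of untrusted expressions are assumptions made for illustration.

```javascript
// Expressions a PR author controls (illustrative subset, not a full list).
const UNTRUSTED =
  /\$\{\{\s*github\.(event\.pull_request\.(title|body|head\.ref)|head_ref)\s*\}\}/;
// Line-based heuristic, not a YAML parser: report the privileged trigger and
// any run: script that expands an untrusted expression (the value is pasted
// into the script as shell source before bash starts).
function auditWorkflow(yamlText) {
  const lines = yamlText.split("\n");
  const privileged = lines.some(
    (l) => !/^\s*#/.test(l) && /\bpull_request_target\b/.test(l));
  const findings = [];
  let runCol = -1; // column of the active "run:" key; -1 outside a script
  lines.forEach((line, idx) => {
    const m = /^(\s*(?:-\s+)?)run:/.exec(line);
    if (m) runCol = m[1].length;
    else if (runCol >= 0 && line.trim() && line.search(/\S/) <= runCol) runCol = -1;
    if (runCol >= 0 && UNTRUSTED.test(line)) {
      findings.push({ line: idx + 1, text: line.trim() });
    }
  });
  return { privileged, findings, vulnerable: privileged && findings.length > 0 };
}

// Constructed workflows for illustration; not the nx project's actual files.
const weak = [
  "on:",
  "  pull_request_target:",
  "jobs:",
  "  validate:",
  "    runs-on: ubuntu-latest",
  "    steps:",
  "      - run: |",
  '          echo "PR title: ${{ github.event.pull_request.title }}"',
].join("\n");

// Hardened: unprivileged trigger, title passed as data through env.
const hardened = [
  "on:",
  "  pull_request:",
  "jobs:",
  "  validate:",
  "    runs-on: ubuntu-latest",
  "    steps:",
  "      - env:",
  "          PR_TITLE: ${{ github.event.pull_request.title }}",
  "        run: |",
  '          echo "PR title: $PR_TITLE"',
].join("\n");
console.log(auditWorkflow(weak), auditWorkflow(hardened));
```

Because the attack described here targeted an outdated branch that still contained the workflow, a check like this is only meaningful when run against every branch, not just the default one.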

The rogue versions of the packages have been found to contain a postinstall script that is activated after package installation to scan a system for text files, collect credentials, and send the details as a Base64-encoded string to a publicly accessible GitHub repository containing the name “s1ngularity-repository” (or “s1ngularity-repository-0” and “s1ngularity-repository-1”) under the user’s account.

“The malicious postinstall script also modified the .zshrc and .bashrc files which are run whenever a terminal is launched to include sudo shutdown -h 0 which prompt users for their system password and if provided, would shut down the machine immediately,” the maintainers added.

While GitHub has since started to archive these repositories, users who encounter the repositories are advised to assume compromise and rotate GitHub and npm credentials and tokens. Users are also recommended to stop using the malicious packages and check .zshrc and .bashrc files for any unfamiliar instructions and remove them.


The nx team said they have also undertaken remedial actions by rotating their npm and GitHub tokens, auditing GitHub and npm activities across the organization for suspicious activities, and updating Publish access for nx to require two-factor authentication (2FA) or automation.

Wiz researchers Merav Bar and Rami McCarthy said 90% of over 1,000 leaked GitHub tokens are still valid, and that there also exist dozens of valid cloud credentials and npm tokens. It is said the malware was run on developer machines, often via the nx Visual Studio Code extension. As many as 1,346 repositories with the string “s1ngularity-repository” have been detected by GitGuardian.

Among the 2,349 distinct secrets leaked, the vast majority of them account for GitHub OAuth keys and personal access tokens (PATs), followed by API keys and credentials for Google AI, OpenAI, Amazon Web Services, OpenRouter, Anthropic Claude, PostgreSQL, and Datadog.


The cloud security firm found that the payload is capable of running only on Linux and macOS systems, systematically searching for sensitive files and extracting credentials, SSH keys, and .gitconfig files.

“Notably, the campaign weaponized installed AI CLI tools by prompting them with dangerous flags (--dangerously-skip-permissions, --yolo, --trust-all-tools) to steal file system contents, exploiting trusted tools for malicious reconnaissance,” the company said.

StepSecurity said the incident marks the first known case where attackers have turned developer AI assistants like Claude Code, Google Gemini CLI, and Amazon Q CLI into tools for supply chain exploitation and bypass traditional security boundaries.

“There are a few differences between the malware in the scoped nx packages (i.e. @nx/devkit, @nx/eslint) versus the malware in the nx package,” Socket said. “First, the AI prompt is different. In these packages, the AI prompt is a bit more basic. This LLM prompt is also much less broad in scope, targeting crypto-wallet keys and secret patterns as well as specific directories, whereas the ones in @nx grabs any interesting text file.”

Charlie Eriksen of Aikido said the use of LLM clients as a vector for enumerating secrets on the victim machine is a novel approach, and gives defenders insight into the direction the attackers may be heading in the future.

“Given the popularity of the nx ecosystem, and the novelty of AI tool abuse, this incident highlights the evolving sophistication of supply chain attacks,” StepSecurity’s Ashish Kurmi said. “Immediate remediation is critical for anyone who installed the compromised versions.”

Update

Wiz, in a follow-up update on August 28, 2025, said it identified a second attack wave, and that it “observed over 190 users/organisations that were impacted, and over 3000 repositories.”

“An attacker appears to be using compromised GitHub tokens to turn private repositories public and rename them to the pattern s1ngularity-repository-#5letters#,” the company said.

Wiz told The Hacker News that it cannot confirm if the new wave is the work of the same attacker, and it is possible for another threat actor to piggyback on the earlier campaign to conduct malicious actions of their choosing.

“Given the first attack leaked tokens publicly, another actor may have accessed them during the exposure window and be leveraging them for this second wave. We’ll note that only a small subset of the (still valid!) leaked Github Tokens have been abused for this second wave,” the company said.

StepSecurity, which also flagged the second wave, said the attackers, besides exploiting compromised credentials to make previously private organization repositories public, are also creating forks of those repositories to ensure that the data is preserved even after the original repositories are secured.

GitGuardian’s analysis has also revealed that 33% of the compromised systems had at least one LLM client installed, underscoring the threat actor’s focus on AI development tools. About 85% of infected systems were found to run Apple macOS.

“Treat local AI coding agents like any other privileged automation: restrict file and network access, review often, and don’t blindly run AI coding agents’ CLIs in YOLO modes,” Snyk said. “This incident shows how easy it is to flip AI coding assistants’ CLIs into malicious autonomous agents when guardrails are disabled.”

(The story was updated after publication to reflect the latest developments.)
