The maintainers of the Nx build system have recently disclosed a significant supply chain attack that compromised several versions of the popular npm package and its auxiliary plugins. This breach enabled attackers to publish malicious versions of these packages, embedding code designed to scan file systems, collect sensitive credentials, and upload them to GitHub repositories under the affected users’ accounts.
Nx is an open-source, technology-agnostic build platform tailored for managing codebases. It is promoted as "an AI-first build platform that connects everything from your editor to CI [continuous integration]." The npm package boasts over 3.5 million weekly downloads, underscoring its widespread adoption and the potential impact of this attack.
Affected Packages and Versions:
The following packages and their respective versions were identified as compromised. These versions have since been removed from the npm registry:
– nx: 21.5.0, 20.9.0, 20.10.0, 21.6.0, 20.11.0, 21.7.0, 21.8.0, 20.12.0
– @nx/devkit: 21.5.0, 20.9.0
– @nx/enterprise-cloud: 3.2.0
– @nx/eslint: 21.5.0
– @nx/js: 21.5.0, 20.9.0
– @nx/key: 3.2.0
– @nx/node: 21.5.0, 20.9.0
– @nx/workspace: 21.5.0, 20.9.0
The compromise of the Nx package was identified on August 26, 2025.
Root Cause Analysis:
The breach originated from a vulnerable workflow introduced on August 21, 2025. This workflow inadvertently allowed the execution of arbitrary code through specially crafted pull request (PR) titles. Although the workflow was promptly reverted in the master branch upon recognizing its exploitability, the attacker exploited an outdated branch that still contained the vulnerable workflow to initiate the attack.
The Nx team explained that the `pull_request_target` trigger was employed to activate actions whenever a PR was created or modified. However, this trigger, unlike the standard `pull_request` trigger, operates with elevated permissions, including a `GITHUB_TOKEN` with read/write repository access.
It is believed that the attacker utilized this `GITHUB_TOKEN` to activate the publish.yml workflow, responsible for publishing Nx packages to the npm registry using an npm token. By exploiting the elevated privileges of the PR validation workflow, the attacker was able to run the publish.yml workflow on the nrwl/nx repository, introducing malicious changes that facilitated the exfiltration of the npm token to an attacker-controlled endpoint.
In essence, the injection flaw permitted arbitrary command execution when a malicious PR title was submitted, while the `pull_request_target` trigger provided elevated permissions by supplying a `GITHUB_TOKEN` with read/write access to the repository.
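The two conditions described above (a PR title expanded inside a script, under the `pull_request_target` trigger) can be checked for mechanically. The following is an added example, not the Nx project's workflow or code: a small Node.js lint run over two constructed workflow samples, one with the weak pattern and one that passes the title through an environment variable under the unprivileged `pull_request` trigger. The function name, the expression list and both samples are assumptions made for illustration.

```javascript
// Expressions whose value the PR author chooses (a subset, extend as needed).
const UNTRUSTED =
  /\$\{\{\s*(github\.head_ref|github\.event\.pull_request\.(?:title|body|head\.ref))\s*\}\}/g;

// Line-based lint (no YAML parser): report untrusted expressions expanded
// inside `run:` scripts, and whether the workflow trigger is privileged.
function lintWorkflow(text) {
  const lines = text.split("\n");
  const privileged = lines.some(
    (l) => !/^\s*#/.test(l) && /\bpull_request_target\b/.test(l));
  const findings = [];
  let runCol = -1; // column of the open multi-line `run:` key, -1 when none
  lines.forEach((line, i) => {
    const indent = line.search(/\S/);
    if (runCol >= 0 && indent >= 0 && indent <= runCol) runCol = -1; // block ended
    const m = /^(\s*(?:-\s+)?)run:\s*(.*)$/.exec(line);
    let script = runCol >= 0 ? line : "";
    if (m && /^[|>][+-]?$/.test(m[2].trim())) { runCol = m[1].length; script = ""; }
    else if (m) script = m[2]; // single-line `run: command`
    for (const hit of script.matchAll(UNTRUSTED))
      findings.push({ line: i + 1, expr: hit[1], privileged });
  });
  return findings;
}

// Constructed samples (not the Nx workflow): the same title check written two ways.
const HEAD = ["name: pr-title-check", "on:"];
const JOB = ["jobs:", "  validate:", "    runs-on: ubuntu-latest", "    steps:",
  "      - name: Validate title"];
const WEAK = [...HEAD, "  pull_request_target:", "    types: [opened, edited]", ...JOB,
  "        run: |",
  '          echo "Checking: ${{ github.event.pull_request.title }}"'].join("\n");
const HARDENED = [...HEAD, "  pull_request:", "    types: [opened, edited]",
  "permissions:", "  contents: read", ...JOB,
  "        env:",
  "          PR_TITLE: ${{ github.event.pull_request.title }}",
  "        run: |",
  '          echo "Checking: $PR_TITLE"'].join("\n");

console.log(lintWorkflow(WEAK));     // one finding, with privileged: true
console.log(lintWorkflow(HARDENED)); // no findings
```

In the hardened sample the title reaches the shell as the value of `$PR_TITLE`, so it is treated as data rather than being pasted into the script text before the shell parses it.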
Malicious Payload and Impact:
The compromised package versions contained a `postinstall` script that activated upon package installation. This script scanned the system for text files, collected credentials, and transmitted the data as a Base64-encoded string to publicly accessible GitHub repositories named s1ngularity-repository, s1ngularity-repository-0, or s1ngularity-repository-1 under the affected user’s account.
Additionally, the malicious `postinstall` script modified the `.zshrc` and `.bashrc` files, which are executed whenever a terminal is launched. The modifications included the command `sudo shutdown -h 0`, prompting users for their system password and, if provided, immediately shutting down the machine.
Security researchers from Wiz, Merav Bar and Rami McCarthy, reported that 90% of over 1,000 leaked GitHub tokens remain valid, along with numerous valid cloud credentials and npm tokens. The malware was often executed on developer machines via the Nx Visual Studio Code extension. GitGuardian detected approximately 1,346 repositories containing the string s1ngularity-repository.
Among the 2,349 distinct secrets leaked, the majority were GitHub OAuth keys and personal access tokens (PATs), followed by API keys and credentials for Google AI, OpenAI, Amazon Web Services, OpenRouter, Anthropic Claude, PostgreSQL, and Datadog.
The payload was capable of operating on Linux and macOS systems, systematically searching for sensitive files and extracting credentials, SSH keys, and `.gitconfig` files.
Notably, the campaign exploited installed AI command-line interface (CLI) tools by prompting them with dangerous flags (`--dangerously-skip-permissions`, `--yolo`, `--trust-all-tools`) to steal file system contents, leveraging trusted tools for malicious reconnaissance.
StepSecurity highlighted that this incident marks the first known case where attackers have transformed developer AI assistants like Claude, Google Gemini, and Amazon Q into tools for supply chain exploitation, effectively bypassing traditional security boundaries.
Socket noted differences between the malware in the scoped Nx packages (e.g., `@nx/devkit`, `@nx/eslint`) and the malware in the `nx` package. The AI prompt in the scoped packages was more basic and targeted specific directories, whereas the prompt in `nx` was broader, capturing any interesting text file.
Charlie Eriksen of Aikido observed that using large language model (LLM) clients as a vector for enumerating secrets on victim machines is a novel approach, providing defenders insight into potential future attack directions.
Given the popularity of the Nx ecosystem and the novelty of AI tool abuse, this incident underscores the evolving sophistication of supply chain attacks. Immediate remediation is critical for anyone who installed the compromised versions.
Remediation and Recommendations:
Users who have installed the affected packages are advised to:
1. Cease Usage: Immediately stop using the compromised package versions.
2. Credential Rotation: Assume compromise and rotate GitHub and npm credentials and tokens.
3. File Inspection: Examine `.zshrc` and `.bashrc` files for any unfamiliar instructions and remove them.
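The first and third steps can be scripted. The following is an added example, not tooling from the Nx team: a Node.js check that matches a `package-lock.json` against the versions listed in this article and finds the shutdown line in a shell rc file. It assumes an npm lockfile with a `packages` map (lockfileVersion 2 or 3); the function names and the sample inputs are constructed for illustration.

```javascript
// Compromised releases exactly as listed in this article.
const AFFECTED = {
  "nx": ["21.5.0", "20.9.0", "20.10.0", "21.6.0", "20.11.0", "21.7.0", "21.8.0", "20.12.0"],
  "@nx/devkit": ["21.5.0", "20.9.0"],
  "@nx/enterprise-cloud": ["3.2.0"],
  "@nx/eslint": ["21.5.0"],
  "@nx/js": ["21.5.0", "20.9.0"],
  "@nx/key": ["3.2.0"],
  "@nx/node": ["21.5.0", "20.9.0"],
  "@nx/workspace": ["21.5.0", "20.9.0"],
};

// Walk the `packages` map of a parsed package-lock.json. Keys are install
// paths, so nested (transitive) copies of a package are covered as well.
function findCompromised(lock) {
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    const at = path.lastIndexOf("node_modules/");
    if (at < 0) continue; // root project or workspace entry
    const name = meta.name || path.slice(at + "node_modules/".length);
    if (Object.hasOwn(AFFECTED, name) && AFFECTED[name].includes(meta.version))
      hits.push({ name, version: meta.version, path });
  }
  return hits;
}

// 1-based line numbers of a shell rc file that carry the shutdown command.
function shutdownLines(rcText) {
  return rcText.split("\n")
    .map((line, i) => (/\bsudo\s+shutdown\s+-h\s+0\b/.test(line) ? i + 1 : 0))
    .filter(Boolean);
}

// Constructed inputs for illustration.
const sampleLock = { lockfileVersion: 3, packages: {
  "": { name: "demo-app", version: "1.0.0" },
  "node_modules/nx": { version: "21.4.1" },
  "node_modules/@nx/devkit": { version: "20.9.0" },
  "node_modules/some-plugin/node_modules/nx": { version: "20.11.0" },
  "node_modules/@nx/eslint": { version: "20.9.0" },
} };
const sampleRc = ["export PATH=$HOME/bin:$PATH", "alias ll='ls -l'",
  "sudo shutdown -h 0"].join("\n");

console.log(findCompromised(sampleLock)); // @nx/devkit 20.9.0 and the nested nx 20.11.0
console.log(shutdownLines(sampleRc));     // line 3
```

On a real project, pass `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))` to `findCompromised` and the contents of `~/.zshrc` and `~/.bashrc` to `shutdownLines`. Because the affected versions have been removed from the registry, a clean lockfile today does not rule out an earlier install, so credential rotation still applies.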
The Nx team has undertaken several remedial actions, including:
– Rotating their npm and GitHub tokens.
– Auditing GitHub and npm activities across the organization for suspicious activities.
– Updating publish access for Nx to require two-factor authentication (2FA) or automation.
This incident serves as a stark reminder of the vulnerabilities inherent in software supply chains and the importance of vigilant security practices.