
The maintainers of the NX build system are warning users of a supply chain attack that allowed attackers to publish malicious versions of the popular NPM package and other auxiliary plugins with data-gathering capabilities.
“Malicious versions of the NX packages, along with some supporting plugin packages, will be published to NPM, scan the file system, collect credentials, and post them on GitHub as a repository under the user’s account,” the maintainer said in an advisory published Wednesday.
NX is an open-source, technology-agnostic build platform designed to manage codebases. It is promoted as an AI-first build platform that connects everything from editors to CI [continuous integration]. The NPM package has over 3.5 million downloads per week.
The list of affected packages and versions is below. These versions have since been removed from the NPM registry. The compromise of the NX package took place on August 26, 2025.
NX 21.5.0, 20.9.0, 20.10.0, 21.6.0, 20.11.0, 21.7.0, 21.8.0, 20.12.0
@nx/devkit 21.5.0, 20.9.0
@nx/enterprise-cloud 3.2.0
@nx/eslint 21.5.0
@nx/js 21.5.0, 20.9.2.0
@nx/nx/ 21.5.0, 20.9.0
@nx/workspace 21.5.0, 20.9.0
The project's maintainers said the root cause of the issue was a vulnerable workflow that introduced the ability to inject executable code using a specially crafted title in a pull request (PR).

“The pull_request_target trigger was used as a way to trigger an action to take whenever a PR was created or modified,” the NX team said. “However, what was missed is the warning that this trigger runs a more authoritative workflow, unlike the standard pull_request trigger, which includes GITHUB_TOKEN that reads/writes repository permissions.”
The GITHUB_TOKEN is believed to have been used to trigger the “publish.yml” workflow, which is responsible for publishing the NX packages to the registry using an NPM token.
But because the PR verification workflow runs with elevated privileges, the publish.yml workflow was triggered to run on the nrwl/nx repository while also introducing malicious changes that made it possible to exfiltrate the NPM token to an attacker-controlled webhook[.]site endpoint.
“As part of the Bash Injection, the PR verification workflow triggered the execution of publish.yml with this malicious commit and sent the NPM token to an unfamiliar webhook,” explained the NX team. “I believe this is how users got the NPM tokens used to expose malicious versions of NX.”

In other words, the injection flaw enabled arbitrary command execution whenever a malicious PR title was submitted, while the pull_request_target trigger granted elevated permissions by providing a GITHUB_TOKEN with read/write access to the repository.
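An added example (not the NX project's workflow or tooling): a heuristic audit for the pattern described above, a pull_request_target workflow that expands PR-controlled values inside a run: script. The two sample workflows and the name audit_workflow are constructed for illustration.

```python
import re
# Values a PR author controls (a subset; GitHub's hardening guide lists more).
UNTRUSTED = re.compile(r"\$\{\{\s*(github\.(?:event\.pull_request\."
                       r"(?:title|body|head\.ref)|head_ref))\s*\}\}")
RUN_KEY = re.compile(r"(\s*(?:-\s+)?)run:")

def audit_workflow(text):
    """Heuristic line scan, not a YAML parser: (privileged trigger?, [(line, expr)])."""
    privileged, findings, run_col = False, [], None
    for no, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip())
        if run_col is not None and indent <= run_col:
            run_col = None                    # the run: script has ended
        if run_col is None:
            m = RUN_KEY.match(line)
            if m:
                run_col = len(m.group(1))     # column where the run: key starts
            elif "pull_request_target" in line and not line.lstrip().startswith("#"):
                privileged = True
        if run_col is not None:
            findings += [(no, expr) for expr in UNTRUSTED.findall(line)]
    return privileged, findings

# Constructed workflow: privileged trigger, PR title pasted into the shell script.
VULNERABLE = """\
on:
  pull_request_target:
jobs:
  check:
    runs-on: ubuntu-latest
    steps:
      - run: |
          echo "Validating: ${{ github.event.pull_request.title }}"
"""
# Constructed fix: unprivileged trigger, read-only token, title passed as data.
HARDENED = """\
on:
  pull_request:
permissions:
  contents: read
jobs:
  check:
    runs-on: ubuntu-latest
    steps:
      - env:
          PR_TITLE: ${{ github.event.pull_request.title }}
        run: echo "Validating: $PR_TITLE"
"""
```

In the hardened form the title reaches the shell as an environment variable, so it is handled as data rather than as script text.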
The rogue versions of the packages were found to contain a postinstall script that is activated after package installation. It scans the system for text files, collects credentials, and sends them as a Base64-encoded string to a publicly accessible GitHub repository whose name contains “s1ngularity-repository” (or “s1ngularity-repository-0”) under the user’s account.
“The malicious postinstall script will also change the .zshrc and .bashrc files that run every time the terminal starts up, and will change -h 0 with sudo shutdown -h 0, prompt a user with the system password, and shut down the machine immediately if provided,” the maintainer added.
GitHub has since started archiving these repositories, but users who find such a repository under their account are advised to assume compromise and rotate their GitHub and NPM credentials and tokens. Users are also recommended to stop using the malicious packages and to check their .zshrc and .bashrc files for unfamiliar instructions and remove them.
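An added example (not from the advisory or the NX project) of the checks recommended above: find affected versions in a package-lock.json and flag shell startup lines that call sudo shutdown. AFFECTED is transcribed from the list on this page, omitting the two entries that are not valid npm names or versions as printed; the function names and sample inputs are constructed, and the maintainers' advisory remains the authoritative list.

```python
import json, re

# Transcribed from the list on this page; "@nx/js 20.9.2.0" and "@nx/nx/" are left
# out because they are not valid npm versions/names as printed there.
AFFECTED = {
    "nx": {"21.5.0", "20.9.0", "20.10.0", "21.6.0", "20.11.0", "21.7.0",
           "21.8.0", "20.12.0"},
    "@nx/devkit": {"21.5.0", "20.9.0"},
    "@nx/enterprise-cloud": {"3.2.0"},
    "@nx/eslint": {"21.5.0"},
    "@nx/js": {"21.5.0"},
    "@nx/workspace": {"21.5.0", "20.9.0"},
}

def affected_in_lockfile(lock_text):
    """Sorted (install path, name, version) for affected entries in the 'packages'
    map of a package-lock.json (lockfileVersion 2 or 3), nested copies included."""
    hits = []
    for path, meta in json.loads(lock_text).get("packages", {}).items():
        name = meta.get("name") or path.rpartition("node_modules/")[2]
        if meta.get("version") in AFFECTED.get(name, ()):
            hits.append((path, name, meta["version"]))
    return sorted(hits)

def suspicious_rc_lines(rc_text):
    """(line_no, line) for uncommented shell startup lines that call sudo shutdown."""
    return [(no, line.strip()) for no, line in enumerate(rc_text.splitlines(), 1)
            if not line.lstrip().startswith("#")
            and re.search(r"\bsudo\s+shutdown\b", line)]

# Constructed inputs: a lockfile with one clean and two affected installs, and an
# rc file whose last line matches what the advisory says the script added.
SAMPLE_LOCK = json.dumps({"lockfileVersion": 3, "packages": {
    "": {"name": "demo-app", "version": "1.0.0"},
    "node_modules/nx": {"version": "21.4.1"},
    "node_modules/@nx/devkit": {"version": "21.5.0"},
    "node_modules/some-plugin/node_modules/nx": {"version": "20.11.0"},
}})
SAMPLE_RC = 'export PATH="$HOME/bin:$PATH"\n# notes: sudo shutdown\nsudo shutdown -h 0\n'

if __name__ == "__main__":
    print(affected_in_lockfile(SAMPLE_LOCK))
    print(suspicious_rc_lines(SAMPLE_RC))
```

A clean lockfile does not rule out exposure through a transient install, so the GitHub account should still be checked for the repositories named above.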

The NX team said it has taken remedial action by rotating its NPM and GitHub tokens, auditing GitHub and NPM activity across the organization for suspicious behavior, and updating publish access for NX to require two-factor authentication (2FA) or automation.
Wiz researchers Merav Bar and Rami McCarthy said 90% of the more than 1,000 leaked GitHub tokens are still valid, as are dozens of cloud credentials and NPM tokens. The malware is said to have run on developer machines in many cases via the NX extension for Visual Studio Code. GitGuardian found as many as 1,346 repositories with the string “s1ngularity-repository”.
Of the 2,349 distinct secrets, the majority are GitHub OAuth keys and personal access tokens (PATs), followed by API keys and credentials for Google AI, OpenAI, Amazon Web Services, OpenRouter, Anthropic Claude, PostgreSQL, and Datadog.

The cloud security company found that the payload can run only on Linux and macOS systems, where it systematically searches for sensitive files and extracts credentials, SSH keys, and .gitconfig files.
“In particular, the campaign has installed AI CLI tools on its weapons by stealing the content of files and urging them with dangerous flags (--dangerously-skip-permissions, --yolo, --trust-all-tools) to exploit trustworthy tools for malicious reconnaissance,” the company says.
StepSecurity said the incident marks the first known case where attackers have turned developer AI assistants such as Claude, Google Gemini, and Amazon Q into tools for supply chain exploitation and for bypassing traditional security boundaries.
“There are some differences between the malware in the scoped NX packages (i.e., @nx/devkit, @nx/eslint) and the malware in the NX package,” Socket said. “First, the AI prompts are different. With these packages, the AI prompts are a little more basic. This LLM prompt is much wider in scope, targeting crypto-wallet keys and secret patterns, specific directories, but @NX’s one grabs interesting text files.”
Charlie Eriksen of Aikido says that using LLM clients as vectors for enumerating secrets on victim machines is a new approach, giving defenders insight into the directions that attackers are heading in the future.
“Given the popularity of the NX ecosystem and the novelty of AI tool abuse, this incident highlights the evolving refinement of supply chain attacks,” said Ashish Kurmi of StepSecurity. “Immediate repair is important for those who have installed a compromised version.”