
The maintainers of the nx build system have alerted users to a supply chain attack that allowed attackers to publish malicious versions of the popular npm package and other auxiliary plugins with data-gathering capabilities.
“Malicious versions of the nx package, as well as some supporting plugin packages, were published to npm, containing code that scans the file system, collects credentials, and posts them to GitHub as a repo under the user’s accounts,” the maintainers said in an advisory published Wednesday.
Nx is an open-source, technology-agnostic build platform that’s designed to manage codebases. It’s advertised as an “AI-first build platform that connects everything from your editor to CI [continuous integration].” The npm package has over 3.5 million weekly downloads.
The list of affected packages and versions is below. These versions have since been removed from the npm registry. The compromise of the nx package took place on August 26, 2025.
- nx 21.5.0, 20.9.0, 20.10.0, 21.6.0, 20.11.0, 21.7.0, 21.8.0, 20.12.0
- @nx/devkit 21.5.0, 20.9.0
- @nx/enterprise-cloud 3.2.0
- @nx/eslint 21.5.0
- @nx/js 21.5.0, 20.9.0
- @nx/key 3.2.0
- @nx/node 21.5.0, 20.9.0
- @nx/workspace 21.5.0, 20.9.0
The project maintainers said the root cause of the issue stemmed from a vulnerable workflow that introduced the ability to inject executable code using a specially crafted title in a pull request (PR).
“The pull_request_target trigger was used as a way to trigger the action to run whenever a PR was created or modified,” the nx team said. “However, what was missed is the warning that this trigger, unlike the standard pull_request trigger, runs workflows with elevated permissions, including a GITHUB_TOKEN which has read/write repository permission.”
It’s believed the GITHUB_TOKEN was utilized to trigger the “publish.yml” workflow, which is responsible for publishing the Nx packages to the registry using an npm token.
But because the PR validation workflow ran with elevated privileges, the “publish.yml” workflow was triggered on the “nrwl/nx” repository with malicious changes that made it possible to exfiltrate the npm token to an attacker-controlled webhook[.]site endpoint.
“As part of the bash injection, the PR validation workflows triggered a run of the publish.yml with this malicious commit and sent our npm token to an unfamiliar webhook,” the nx team explained. “We believe this is how the user got a hold of the npm token used to publish the malicious versions of nx.”
In other words, the injection flaw enabled arbitrary command execution if a malicious PR title was submitted, while the pull_request_target trigger granted elevated permissions by providing a GITHUB_TOKEN with read/write access to the repository.
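
The pattern described above, as an added example rather than the nx project's actual workflow: a line-based check that flags `pull_request_target` workflows expanding PR-controlled text inside a shell `run:` step. Both sample workflows and the `auditWorkflow` name are constructed; beyond the PR title the page describes, the pattern also covers the PR body and head branch name, and the hardened sample passes the title through an environment variable so the shell receives it as data.

```javascript
// Expressions that GitHub Actions substitutes into the script text before the
// shell runs it; their values are controlled by whoever opens the PR.
const UNTRUSTED = /\$\{\{\s*github\.(event\.pull_request\.(title|body|head\.ref)|head_ref)\s*\}\}/;

function auditWorkflow(yamlText) {
  const findings = [];
  let prTarget = false;
  let runIndent = -1; // key column of the open `run:` block scalar, -1 if none
  yamlText.split('\n').forEach((line, i) => {
    if (!/^\s*#/.test(line) && /\bpull_request_target\b/.test(line)) prTarget = true;
    const m = /^(\s*(?:-\s+)?)run:\s*(.*)$/.exec(line);
    const indent = line.search(/\S/);
    const inBlock = !m && runIndent >= 0 && (indent === -1 || indent > runIndent);
    if (m) runIndent = /^[|>]/.test(m[2]) ? m[1].length : -1;
    else if (!inBlock) runIndent = -1;
    const shellText = m ? m[2] : inBlock ? line : '';
    if (UNTRUSTED.test(shellText)) findings.push({ line: i + 1, text: line.trim() });
  });
  return { prTarget, findings, vulnerable: prTarget && findings.length > 0 };
}

// Constructed vulnerable workflow: privileged trigger plus title in the script.
const VULNERABLE = [
  'on:',
  '  pull_request_target:',
  'jobs:',
  '  validate:',
  '    runs-on: ubuntu-latest',
  '    steps:',
  '      - run: |',
  '          echo "Checking: ${{ github.event.pull_request.title }}"',
].join('\n');

// Constructed hardened workflow: unprivileged trigger, title passed via env.
const HARDENED = [
  'on:',
  '  pull_request:',
  'jobs:',
  '  validate:',
  '    runs-on: ubuntu-latest',
  '    steps:',
  '      - env:',
  '          PR_TITLE: ${{ github.event.pull_request.title }}',
  '        run: echo "Checking: $PR_TITLE"',
].join('\n');

console.log(auditWorkflow(VULNERABLE), auditWorkflow(HARDENED));
```

This is a heuristic without a YAML parser, so treat a clean result as a prompt for manual review rather than proof that a workflow is safe.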
The rogue versions of the packages have been found to contain a postinstall script that’s activated after package installation to scan a system for text files, collect credentials, and send the details as a Base64-encoded string to a publicly accessible GitHub repository containing the name “s1ngularity-repository” (or “s1ngularity-repository-0” and “s1ngularity-repository-1”) under the user’s account.
“The malicious postinstall script also modified the .zshrc and .bashrc files which are run whenever a terminal is launched to include sudo shutdown -h 0 which prompts users for their system password and if provided, would shut down the machine immediately,” the maintainers added.
While GitHub has since started to archive these repositories, users who encounter the repositories are advised to assume compromise and rotate GitHub and npm credentials and tokens. Users are also advised to stop using the malicious packages, check their .zshrc and .bashrc files for any unfamiliar instructions, and remove them.
The nx team said they have also undertaken remedial actions by rotating their npm and GitHub tokens, auditing GitHub and npm activities across the organization for suspicious activities, and updating Publish access for nx to require two-factor authentication (2FA) or automation.
Wiz researchers Merav Bar and Rami McCarthy said 90% of over 1,000 leaked GitHub tokens are still valid, as well as dozens of valid cloud credentials and npm tokens. It’s said the malware was run on developer machines, often via the nx Visual Studio Code extension. As many as 1,346 repositories with the string “s1ngularity-repository” have been detected by GitGuardian.
Among the 2,349 distinct secrets leaked, the vast majority are GitHub OAuth keys and personal access tokens (PATs), followed by API keys and credentials for Google AI, OpenAI, Amazon Web Services, OpenRouter, Anthropic Claude, PostgreSQL, and Datadog.
The cloud security firm found that the payload is capable of running only on Linux and macOS systems, systematically searching for sensitive files and extracting credentials, SSH keys, and .gitconfig files.
“Notably, the campaign weaponized installed AI CLI tools by prompting them with dangerous flags (--dangerously-skip-permissions, --yolo, --trust-all-tools) to steal file system contents, exploiting trusted tools for malicious reconnaissance,” the company said.
StepSecurity said the incident marks the first known case where attackers have turned developer AI assistants like Claude, Google Gemini, and Amazon Q into tools for supply chain exploitation and for bypassing traditional security boundaries.
“There are a few differences between the malware in the scoped nx packages (i.e. @nx/devkit, @nx/eslint) versus the malware in the nx package,” Socket said. “First, the AI prompt is different. In these packages, the AI prompt is a bit more basic. This LLM prompt is also much less broad in scope, targeting crypto-wallet keys and secret patterns as well as specific directories, whereas the ones in @nx grabs any interesting text file.”
Charlie Eriksen of Aikido said the use of LLM clients as a vector for enumerating secrets on the victim machine is a novel approach, and gives defenders insight into the direction the attackers may be heading in the future.
“Given the popularity of the Nx ecosystem, and the novelty of AI tool abuse, this incident highlights the evolving sophistication of supply chain attacks,” StepSecurity’s Ashish Kurmi said. “Immediate remediation is critical for anyone who installed the compromised versions.”