NPM Ecosystem Suffers Two AI-Enabled Credential Stealing Supply Chain Attacks

News Room
Last updated: 2025/10/20 at 6:20 PM
News Room Published 20 October 2025

The Node Package Manager (npm) ecosystem has suffered from two major supply chain attacks in recent months, affecting hundreds of packages and exposing developers to credential theft and data exfiltration. The attack vector of these incidents shows an AI-enabled evolution of how open-source software dependencies can be compromised.

On 26 August 2025, multiple malicious versions of the widely used Nx build system package were published to the npm registry, in an attack dubbed “s1ngularity.” In an article by researchers Merav Bar and Rami McCarthy, cybersecurity company Wiz explained how these versions contained a malware script intended to collect sensitive developer assets, including cryptocurrency wallets, GitHub and npm tokens, and SSH keys. The affected packages included @nrwl/nx, @nx/devkit, and several other related packages.

The attackers embedded the malware in a file named telemetry.js, which systematically searched for sensitive files, including wallets, keystores, .env files, and SSH keys, on macOS and Linux systems where those packages had been downloaded. The campaign weaponised installed AI command-line tools by running them with dangerous flags such as --dangerously-skip-permissions, --yolo, and --trust-all-tools to steal filesystem contents. Bar and McCarthy observed that “this AI-powered activity succeeded in hundreds of cases, although AI provider guardrails at times interceded.”

The stolen data was encoded and uploaded to attacker-controlled GitHub repositories. The researchers observed over a thousand valid GitHub tokens, many sets of valid cloud credentials and npm tokens, and about twenty thousand other files. The attack had two phases. The first phase involved the initial credential theft and repository creation. On 27 August 2025 at 9am UTC, GitHub disabled all attacker-created repositories, but the eight-hour exposure window had already allowed the attackers to download the data. The second phase began on 28 August, when attackers used the compromised GitHub tokens they had collected to make private repositories public and rename them to match the pattern s1ngularity-repository-#5letters#. This affected over 400 users and organisations, and over 5,500 repositories.

On LinkedIn, McCarthy offered a further comment:

We saw over 5,500 private repositories flipped to public using leaked credentials… yet many orgs still haven’t revoked their GitHub tokens. Kinda crazy pull_request_target is still being used without proper care.

On Reddit, user cybersec_nerd42 observed:

What freaks me out about s1ngularity isn’t just the credential theft, it’s the use of AI CLI tools like Claude and Gemini to automate recon. That’s a turning point—attackers don’t need real LLM jailbreaking anymore, they just chain APIs.

A separate but related attack targeted npm packages published by CrowdStrike and others. Socket.dev researchers identified this as a continuation of the ongoing ‘Shai-Hulud’ attack, which had previously compromised tinycolor and forty other packages. They explained how this malware includes a script that downloads and runs TruffleHog (a legitimate secret scanner) and looks for tokens and cloud credentials.

Unit 42 from Palo Alto Networks also published a post about the Shai-Hulud attack. They stated that they are moderately confident that the attackers used AI to generate the malicious script, given the use of comments and emojis in it. The ‘s1ngularity’ attack also showed signs of AI generation, suggesting that LLMs are being used more widely to attack the supply chain.

Socket.dev went on to explain that Shai-Hulud represents sophisticated worm behaviour, as it continues the propagation chain by automatically modifying and republishing packages, and adding a postinstall script to ensure the worm is run automatically when users install the compromised packages. The attack ultimately compromised 526 packages, including many CrowdStrike packages such as @crowdstrike/commitlint, @crowdstrike/falcon-shoelace, and @crowdstrike/foundry-js. The malware exfiltrated data to a hardcoded webhook endpoint and created GitHub Actions workflows to help it spread beyond the initially compromised host.
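
As an added illustration (not code from the article or from the researchers it cites), the following JavaScript check triages a package for two behaviours described above: install-time lifecycle scripts such as postinstall, and the AI CLI flags listed earlier. The function name, the in-memory package shape and both sample packages are assumptions constructed for this example.

```javascript
// Lifecycle hooks that npm runs automatically during `npm install`.
const INSTALL_HOOKS = ['preinstall', 'install', 'postinstall'];

// AI CLI flags the article lists as abused to bypass permission prompts.
const AI_BYPASS_FLAGS = ['--dangerously-skip-permissions', '--yolo', '--trust-all-tools'];

// Assumed input shape: { manifest: parsed package.json, files: { relativePath: sourceText } }.
// Returns a list of findings; an empty list means neither indicator was seen.
function auditPackage(pkg) {
  const findings = [];
  const scripts = pkg.manifest.scripts || {};

  // 1. Any install-time hook deserves review: it executes without user action.
  for (const hook of INSTALL_HOOKS) {
    if (typeof scripts[hook] === 'string') {
      findings.push({ kind: 'install-hook', where: hook, detail: scripts[hook] });
    }
  }

  // 2. Look for the bypass flags in every script command and shipped file.
  const haystacks = Object.entries(scripts)
    .map(([name, cmd]) => [`scripts.${name}`, String(cmd)])
    .concat(Object.entries(pkg.files || {}));
  for (const [where, text] of haystacks) {
    for (const flag of AI_BYPASS_FLAGS) {
      // The lookahead stops "--yolo" from matching a longer flag like "--yolo-mode".
      const re = new RegExp(`(^|[\\s"'\`])${flag}(?![\\w-])`);
      if (re.test(text)) findings.push({ kind: 'ai-cli-bypass-flag', where, detail: flag });
    }
  }
  return findings;
}

// Constructed sample: postinstall runs a script that passes a bypass flag to a CLI.
const SAMPLE_SUSPICIOUS = {
  manifest: { name: 'example-pkg', version: '0.0.0', scripts: { postinstall: 'node telemetry.js' } },
  files: { 'telemetry.js': "const args = ['--yolo', '-p', prompt];" },
};

// Constructed sample: an ordinary library with no install hook and no flags.
const SAMPLE_CLEAN = {
  manifest: { name: 'example-lib', version: '0.0.0', scripts: { test: 'node test.js' } },
  files: { 'index.js': 'module.exports = (a, b) => a + b;' },
};

console.log(auditPackage(SAMPLE_SUSPICIOUS));
console.log(auditPackage(SAMPLE_CLEAN));
```

An install hook alone is common in legitimate packages, so treat that finding as a prompt for review rather than a verdict; the two findings together are the stronger signal.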

A comment on Bleeping Computer pointed to a broader concern:

Using AI to weaponise build tools is the new phishing. The weakest link isn’t people anymore—it’s CI pipelines that nobody audits.

But Step Security’s post provided a constructive counterpoint:

The Shai-Hulud variant wasn’t some grand AI plot—it exploited plain old credential sprawl. If you run CI runners with repo writers and npm publish permissions, admit it—you’re the attack surface.

Both attacks demonstrate how compromised credentials can cascade through the development ecosystem, with stolen tokens enabling further package compromises and repository access. Unit 42’s post posits that “these attacks are propagating at the speed of Continuous Integration and Continuous Delivery (CI/CD), which poses long-lasting and increasing security challenges for the entire ecosystem.”
