4 Sources
[1]
Nx NPM packages poisoned in AI-assisted supply chain attack
Stolen dev credentials posted to GitHub as attackers abuse CLI tools for recon

Nx is the latest target of a software supply chain attack in the NPM ecosystem, with multiple malicious versions being uploaded to the NPM registry on Tuesday evening. According to researchers at Wiz, those poisoned packages were laden with malware designed to siphon secrets from developers, such as GitHub and NPM tokens, SSH keys, and cryptocurrency wallet details.

Nx's security advisory, posted to GitHub, which details the affected versions, states that successful credential harvesting then led to those credentials being posted to GitHub as new public-facing repos under the corresponding user accounts.

With a self-proclaimed 24 million NPM downloads per month, a successful supply chain attack on Nx, an open source codebase management platform, could in theory capture the details of myriad developers.

"Given the popularity of the Nx ecosystem, and the novelty of AI tool abuse, this incident highlights the evolving sophistication of supply chain attacks," said Ashish Kurmi, co-founder of StepSecurity, in a blog post. "Immediate remediation is critical for anyone who installed the compromised versions."

Wiz said the repos containing the stolen secrets remained alive and freely available to download for around eight hours before GitHub intervened by identifying and disabling them all.

As for how the attacker gained access to Nx's NPM account, Wiz said it currently believes that a token with publishing rights to the compromised packages was compromised through unspecified means. It added that all maintainers had two-factor authentication (2FA) enabled on their accounts at the time of the attack, although 2FA was not required to publish; publishing was instead monitored by a provenance mechanism meant to verify which publications were legitimate.
Nx, which asserts that its platform is used by more than 70 percent of Fortune 500 companies, did not say how many users are thought to have been compromised. Wiz, on the other hand, told The Register via email that more than 1,000 valid GitHub tokens were leaked and around 20,000 files stolen and exposed, as well as dozens of valid cloud credentials and NPM tokens.

According to the project maintainers' timeline, the malicious packages started being published to NPM at 2232 UTC on August 26, with subsequent publications continuing until just over two hours later. NPM was alerted at 0258 UTC and in less than an hour had removed all the affected versions. Users who think they may be affected are encouraged to contact Nx, whose support team can help confirm what data was compromised.

StepSecurity wrote: "To our knowledge, this is one of the first documented cases of malware coercing AI-assistant CLIs to assist in reconnaissance. This technique forces the AI tools to recursively scan the file system and write discovered sensitive file paths to /tmp/inventory.txt, effectively using legitimate tools as accomplices in the attack."

Charlie Eriksen, a malware researcher at Aikido, also said the Nx supply chain attack was the first time he had seen the technique in action, and that it may hint at how attackers will adjust their tradecraft in future. He also noted that beyond the data-harvesting code, the malicious packages added a shutdown command to victims' shell startup files, which would force their machines to shut down upon logging in.

"The fact that the attacker decided to add the shutdown command into people's shell may have contributed to how quickly the issue was noticed, and limited the impact," he said. "It's very concerning they decided to publish all the stolen data publicly, as this puts more GitHub and NPM tokens into the hands of malicious threat actors, who will be able to conduct more attacks like this.

"There's a real risk that this could just be the first wave of this attack, and there will be more to come. We will be monitoring the situation actively."
[2]
Wave of npm supply chain attacks exposes thousands of enterprise developer credentials
Attacks on the NX build system and React packages highlight escalating threats to enterprise software development pipelines.

A sophisticated supply chain attack has compromised the widely used Nx build system package and exposed thousands of enterprise developer credentials. The campaign weaponized artificial intelligence tools to enhance data theft operations across enterprise development environments, according to a new report from security firm Wiz.

The attack began on August 26, 2025, when threat actors published multiple malicious versions of Nx packages to the npm registry. These compromised packages contained post-installation scripts designed to systematically harvest sensitive developer assets, the report said. The malware targeted cryptocurrency wallets, GitHub and npm tokens, SSH keys, and environment variables from infected enterprise systems.

"The malware leveraged installed AI CLI tools by prompting them with dangerous flags to steal filesystem contents, exploiting trusted tools for malicious reconnaissance," Wiz researchers said in their report. "We have observed this AI-powered activity succeed in hundreds of cases, although AI provider guardrails at times intervened."
[3]
Malicious Nx Packages in 's1ngularity' Attack Leaked 2,349 GitHub, Cloud, and AI Credentials
The maintainers of the nx build system have alerted users to a supply chain attack that allowed attackers to publish malicious versions of the popular npm package and other auxiliary plugins with data-gathering capabilities. "Malicious versions of the nx package, as well as some supporting plugin packages, were published to npm, containing code that scans the file system, collects credentials, and posts them to GitHub as a repo under the user's accounts," the maintainers said in an advisory published Wednesday.

Nx is an open-source, technology-agnostic build platform designed to manage codebases. It's advertised as an "AI-first build platform that connects everything from your editor to CI [continuous integration]." The npm package has over 3.5 million weekly downloads.

The list of affected packages and versions is below. These versions have since been removed from the npm registry. The compromise of the nx package took place on August 26, 2025.

* nx 21.5.0, 20.9.0, 20.10.0, 21.6.0, 20.11.0, 21.7.0, 21.8.0, 20.12.0
* @nx/devkit 21.5.0, 20.9.0
* @nx/enterprise-cloud 3.2.0
* @nx/eslint 21.5.0
* @nx/js 21.5.0, 20.9.0
* @nx/key 3.2.0
* @nx/node 21.5.0, 20.9.0
* @nx/workspace 21.5.0, 20.9.0

The project maintainers said the root cause stemmed from a vulnerable workflow that allowed executable code to be injected through a specially crafted pull request (PR) title. "The pull_request_target trigger was used as a way to trigger the action to run whenever a PR was created or modified," the nx team said. "However, what was missed is the warning that this trigger, unlike the standard pull_request trigger, runs workflows with elevated permissions, including a GITHUB_TOKEN which has read/write repository permission." It's believed the GITHUB_TOKEN was used to trigger the "publish.yml" workflow, which publishes the Nx packages to the registry using an npm token.

Because the PR validation workflow ran with elevated privileges, the attacker could trigger publish.yml on the "nrwl/nx" repository with a malicious commit that exfiltrated the npm token to an attacker-controlled webhook[.]site endpoint. "As part of the bash injection, the PR validation workflows triggered a run of the publish.yml with this malicious commit and sent our npm token to an unfamiliar webhook," the nx team explained. "We believe this is how the user got a hold of the npm token used to publish the malicious versions of nx."

In other words, the injection flaw enabled arbitrary command execution from a malicious PR title, and the pull_request_target trigger supplied the elevated permissions in the form of a GITHUB_TOKEN with read/write access to the repository.

The rogue versions of the packages contain a postinstall script that runs after package installation to scan the system for text files, collect credentials, and send the details as a Base64-encoded string to a publicly accessible GitHub repository named "s1ngularity-repository" (or "s1ngularity-repository-0" and "s1ngularity-repository-1") created under the user's account. "The malicious postinstall script also modified the .zshrc and .bashrc files, which are run whenever a terminal is launched, to include sudo shutdown -h 0, which prompts users for their system password and, if provided, would shut down the machine immediately," the maintainers added.

While GitHub has since started to archive these repositories, users who encounter them are advised to assume compromise and rotate GitHub and npm credentials and tokens. Users are also recommended to stop using the malicious packages and to check .zshrc and .bashrc for any unfamiliar instructions and remove them.
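The injection the maintainers describe works because GitHub Actions expands `${{ ... }}` expressions textually into the `run:` script before the shell parses it, so a PR title containing quotes and semicolons becomes shell syntax. The POSIX shell script below is an added example, not the nx project's workflow and not code from any of the reports on this page: `run_step_unsafe` reproduces that substitution the way a step such as `run: echo "${{ github.event.pull_request.title }}"` would, and `run_step_safe` passes the same title through an environment variable, which is the hardened pattern. The workflow fragments in the comments and the malicious title are constructed for illustration.

```shell
#!/bin/sh
# Added example: how an attacker-controlled PR title turns into shell code
# under the vulnerable Actions pattern, and why the env-var pattern is safe.
# Not the nx project's workflow; the title and fragments are constructed.

# Vulnerable pattern (the expression is pasted into the script text, and
# pull_request_target hands the job a read/write GITHUB_TOKEN and secrets):
#   on: pull_request_target
#   steps:
#     - run: echo "PR title: ${{ github.event.pull_request.title }}"
#
# Hardened pattern (the value reaches the shell only as data, and the job
# runs with the reduced privileges of a fork-triggered pull_request):
#   on: pull_request
#   permissions:
#     contents: read
#   steps:
#     - env:
#         PR_TITLE: ${{ github.event.pull_request.title }}
#       run: echo "PR title: $PR_TITLE"

# Constructed attacker title: closes the quoted string, runs a command, and
# reopens the quote so the remainder of the line still parses.
MALICIOUS_TITLE='"; echo INJECTED; echo "'

# Mimics the runner's expansion: the title is substituted into the script
# source before sh parses it, so its quotes and ';' become syntax.
run_step_unsafe() {
  script="echo \"PR title: $1\""
  sh -c "$script"
}

# Same step with the title exported as an environment variable: sh parses a
# fixed script and only ever sees the title as a string value.
run_step_safe() {
  PR_TITLE="$1" sh -c 'echo "PR title: $PR_TITLE"'
}

# Line count of a step's output: one line means the title stayed data.
count_lines() {
  "$@" | wc -l | tr -d ' '
}

if [ "${1:-}" = "demo" ]; then
  echo "--- unsafe step ---"; run_step_unsafe "$MALICIOUS_TITLE"
  echo "--- safe step ---";   run_step_safe "$MALICIOUS_TITLE"
fi
```

Run it with `sh injection_demo.sh demo`: the unsafe step prints INJECTED on its own line, while the safe step prints the title verbatim as a single line. The same rule applies to every event field an outside contributor controls (branch names, commit messages, issue bodies): pass it through `env:`, and keep the job off `pull_request_target` or under a minimal `permissions:` block so a successful injection has no write-capable token to steal.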
The nx team said they have also undertaken remedial actions by rotating their npm and GitHub tokens, auditing GitHub and npm activity across the organization for anything suspicious, and updating publish access for nx to require two-factor authentication (2FA) or automation.

Wiz researchers Merav Bar and Rami McCarthy said 90% of the more than 1,000 leaked GitHub tokens are still valid, as are dozens of cloud credentials and npm tokens. The malware is said to have run on developer machines, often via the nx Visual Studio Code extension. GitGuardian has detected as many as 1,346 repositories whose names contain the string "s1ngularity-repository". Among the 2,349 distinct secrets leaked, the vast majority are GitHub OAuth keys and personal access tokens (PATs), followed by API keys and credentials for Google AI, OpenAI, Amazon Web Services, OpenRouter, Anthropic Claude, PostgreSQL, and Datadog.

The cloud security firm found that the payload runs only on Linux and macOS, systematically searching for sensitive files and extracting credentials, SSH keys, and .gitconfig files. "Notably, the campaign weaponized installed AI CLI tools by prompting them with dangerous flags (--dangerously-skip-permissions, --yolo, --trust-all-tools) to steal file system contents, exploiting trusted tools for malicious reconnaissance," the company said.

StepSecurity said the incident marks the first known case of attackers turning developer AI assistants like Claude, Google Gemini, and Amazon Q into tools for supply chain exploitation in order to bypass traditional security boundaries.

"There are a few differences between the malware in the scoped nx packages (i.e. @nx/devkit, @nx/eslint) versus the malware in the nx package," Socket said. "First, the AI prompt is different. In these packages, the AI prompt is a bit more basic. This LLM prompt is also much less broad in scope, targeting crypto-wallet keys and secret patterns as well as specific directories, whereas the ones in @nx grabs any interesting text file."

Charlie Eriksen of Aikido said the use of LLM clients as a vector for enumerating secrets on the victim machine is a novel approach, and gives defenders insight into the direction attackers may be heading in.

"Given the popularity of the Nx ecosystem, and the novelty of AI tool abuse, this incident highlights the evolving sophistication of supply chain attacks," StepSecurity's Ashish Kurmi said. "Immediate remediation is critical for anyone who installed the compromised versions."
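As an added example, not tooling from the nx maintainers, Wiz, GitGuardian or any of the reports on this page, the following POSIX shell script turns the indicators given in this article into an offline triage for a developer machine: the affected package@version pairs from the advisory list, the `sudo shutdown -h 0` line the postinstall appended to `.zshrc` and `.bashrc`, the `/tmp/inventory.txt` path the coerced AI CLIs wrote, and shell-history entries that invoke an AI CLI with one of the flags Wiz named. The sample home directory it builds under `mktemp -d`, including the lockfile in it, is constructed for illustration. It does not query GitHub for `s1ngularity-repository` repositories; that needs an authenticated API call and is out of scope here.

```shell
#!/bin/sh
# Added example: offline triage for the s1ngularity indicators described in
# the advisory and reports above. Not the nx project's or any vendor's tool;
# the sample files built by build_sample are constructed for illustration.

# package@version pairs from the advisory list
AFFECTED='nx@21.5.0 nx@20.9.0 nx@20.10.0 nx@21.6.0 nx@20.11.0 nx@21.7.0
nx@21.8.0 nx@20.12.0 @nx/devkit@21.5.0 @nx/devkit@20.9.0
@nx/enterprise-cloud@3.2.0 @nx/eslint@21.5.0 @nx/js@21.5.0 @nx/js@20.9.0
@nx/key@3.2.0 @nx/node@21.5.0 @nx/node@20.9.0 @nx/workspace@21.5.0
@nx/workspace@20.9.0'

# is_affected <pkg> <version>: succeeds if the pair is on the advisory list
is_affected() {
  for entry in $AFFECTED; do
    [ "$entry" = "$1@$2" ] && return 0
  done
  return 1
}

# lockfile_hits <package-lock.json>: prints each affected pkg@version in the
# lockfile's "packages" map (a "node_modules/<pkg>" key followed by its
# "version" line). A line-oriented scan, not a JSON parser; enough for triage.
lockfile_hits() {
  awk '
    /"node_modules\/[^"]*": *[{]/ {
      pkg = $1; sub(/^"node_modules\//, "", pkg); sub(/":$/, "", pkg)
    }
    /"version":/ && pkg != "" {
      v = $2; gsub(/[",]/, "", v); print pkg, v; pkg = ""
    }' "$1" | while read -r pkg ver; do
    if is_affected "$pkg" "$ver"; then echo "$pkg@$ver"; fi
  done
  return 0
}

# rc_tampered <file>: succeeds if the rc file carries the shutdown line the
# malicious postinstall appended
rc_tampered() {
  [ -f "$1" ] && grep -q 'sudo shutdown -h 0' "$1"
}

# history_flag_hits <history-file>: prints lines that pass one of the
# dangerous flags Wiz named to an AI CLI
history_flag_hits() {
  [ -f "$1" ] || return 0
  grep -F -e '--dangerously-skip-permissions' -e '--yolo' \
          -e '--trust-all-tools' "$1" || true
}

# triage <home-dir> <tmp-dir>: one line per finding, no output when clean
triage() {
  for rc in .zshrc .bashrc; do
    rc_tampered "$1/$rc" && echo "rc-tampered $1/$rc"
  done
  [ -f "$2/inventory.txt" ] && echo "ai-recon-inventory $2/inventory.txt"
  find "$1" -name package-lock.json 2>/dev/null | while read -r lock; do
    lockfile_hits "$lock" | sed "s|^|affected-package $lock |"
  done
  for hist in .zsh_history .bash_history; do
    history_flag_hits "$1/$hist" | sed 's/^/ai-cli-dangerous-flag /'
  done
  return 0
}

# build_sample <dir>: constructed home and tmp trees with four indicators present
build_sample() {
  mkdir -p "$1/home/proj" "$1/tmp"
  printf 'export PATH="$HOME/bin:$PATH"\nsudo shutdown -h 0\n' > "$1/home/.zshrc"
  printf 'export EDITOR=vim\n' > "$1/home/.bashrc"
  printf '/home/dev/.ssh/id_rsa\n/home/dev/.npmrc\n' > "$1/tmp/inventory.txt"
  printf 'claude --dangerously-skip-permissions -p "list files"\nls -la\n' \
    > "$1/home/.bash_history"
  cat > "$1/home/proj/package-lock.json" <<'EOF'
{
  "packages": {
    "node_modules/nx": {
      "version": "21.5.0"
    },
    "node_modules/@nx/js": {
      "version": "21.4.0"
    }
  }
}
EOF
}

if [ "${1:-}" = "demo" ]; then
  d=$(mktemp -d); build_sample "$d"; triage "$d/home" "$d/tmp"; rm -rf "$d"
fi
```

`sh triage.sh demo` runs the checks against the constructed sample and prints its four findings; on a real host call `triage "$HOME" /tmp` instead. Any output at all means treat the machine as compromised and rotate every GitHub, npm and cloud credential it held, as the advisory says; a clean rc file is not proof of safety, because the shutdown line is only a side effect and the credential upload happens before it.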
[4]
NPM packages from Nx targeted in latest worrying software supply chain attack
The attack lasted a few hours, but could still be causing damage

Countless software developers, likely including those within Fortune 500 companies, were victims of a supply chain attack after Nx, the open source build system and development toolkit, was compromised. In an announcement posted on GitHub, Nx said "malicious versions of Nx and some supporting plugins were published" on NPM.

At the same time, security researchers at Wiz released a separate announcement, saying the malicious versions carried infostealing malware that grabbed secrets such as GitHub and NPM tokens, SSH keys, crypto wallet information, and more, from affected developers.

How Nx was compromised remained unknown at the time of writing. Wiz believes the threat actors got hold of a token with publishing rights, which enabled them to push malicious versions to NPM despite all maintainers having two-factor authentication (2FA) enabled at the time of the attack; apparently 2FA was not required to publish the packages. The attack lasted approximately four hours before NPM removed all of the poisoned versions.

Nx did not discuss how many companies might have been struck, but Wiz told The Register via email that more than 1,000 valid GitHub tokens were leaked. Furthermore, the attackers stole around 20,000 files and "dozens" of valid cloud credentials and NPM tokens. Affected users should reach out to Nx's support team for help.

Both NPM and Nx are hugely popular in the software development community, with more than 70% of Fortune 500 companies allegedly using Nx, so it is perhaps not surprising that it is under constant attack. However, security researchers at StepSecurity found something unique: the malware "weaponized AI CLI tools (including Claude, Gemini, and q) to aid in reconnaissance and data exfiltration - marking the first known case where attackers have turned developer AI assistants into tools for supply chain exploitation."

"This technique forces the AI tools to recursively scan the file system and write discovered sensitive file paths to /tmp/inventory.txt, effectively using legitimate tools as accomplices in the attack."
A supply chain attack on the Nx build system compromised NPM packages and exposed thousands of developer credentials. Its distinctive feature was the abuse of AI CLI tools already installed on victims' machines for reconnaissance.
On August 26, 2025, a supply chain attack targeted the widely used Nx build system, compromising multiple NPM packages and exposing thousands of enterprise developer credentials [1]. The attack, dubbed 's1ngularity', affected several versions of the nx package and its supporting plugins, which were published to the NPM registry with malicious code [3].
The compromised packages contained postinstall scripts designed to systematically harvest sensitive developer assets: cryptocurrency wallets, GitHub and NPM tokens, SSH keys, and environment variables [2]. According to Wiz researchers, more than 1,000 valid GitHub tokens were leaked, along with around 20,000 files and dozens of valid cloud credentials and NPM tokens [1]. The potential reach is large: Nx claims 24 million NPM downloads per month and use by more than 70% of Fortune 500 companies [4].
The attackers also abused AI-powered CLI tools installed on victims' machines, including Claude, Google Gemini, and Amazon Q, to assist in reconnaissance and data exfiltration [4]. StepSecurity describes this as the first known case of attackers turning developer AI assistants into tools for supply chain exploitation [3].
"The malware leveraged installed AI CLI tools by prompting them with dangerous flags to steal filesystem contents, exploiting trusted tools for malicious reconnaissance," Wiz researchers reported [2].
The malicious packages were published to NPM from 2232 UTC on August 26, with further publications continuing for just over two hours. NPM was alerted at 0258 UTC and removed all affected versions within an hour [1]. The repositories containing stolen secrets remained freely available for download for approximately eight hours before GitHub identified and disabled them [1].
The maintainers traced the root cause to a vulnerable GitHub Actions workflow in the Nx repository that allowed code injection through a specially crafted pull request title. Because the workflow used the 'pull_request_target' trigger, it ran with a read/write GITHUB_TOKEN, which the attacker used to trigger the publish workflow and exfiltrate the NPM publishing token to an attacker-controlled endpoint [3]. Earlier reports [1][4] had described the theft of the publishing token as unexplained.
Nx has taken remedial actions, including rotating its NPM and GitHub tokens, auditing GitHub and NPM activity for suspicious behavior, and updating publish access to require two-factor authentication or automation [3].
Users who may have been affected are encouraged to:
* assume compromise if a repository named 's1ngularity-repository' appears under their GitHub account, and rotate their GitHub and NPM credentials and tokens [3];
* stop using the malicious package versions [3];
* check .zshrc and .bashrc for unfamiliar entries, such as the added 'sudo shutdown -h 0' line, and remove them [3];
* contact Nx's support team, which can help confirm what data was compromised [1].
This attack highlights the evolving sophistication of supply chain attacks and the potential for AI tools to be exploited in the course of a breach. As Charlie Eriksen, a malware researcher at Aikido, noted, "There's a real risk that this could just be the first wave of this attack, and there will be more to come" [1].
Summarized by Navi