Nx supply-chain attack: Malicious npm packages exfiltrate credentials and tokens

The maintainers of the nx build system disclosed a high-profile supply-chain incident in which malicious versions of the nx npm package and several auxiliary plugins were published with data-gathering capabilities. The attackers reportedly scanned the file system, collected credentials, and posted them to a GitHub repository controlled by the intruders. The advisory detailing the breach is available from GitHub.

The compromised npm package family and related plugins affected multiple versions, many of which have since been removed from the registry. The nx project confirmed the compromise occurred on August 26, 2025, and listed affected versions as: nx 21.5.0, 20.9.0, 20.10.0, 21.6.0, 20.11.0, 21.7.0, 21.8.0, 20.12.0, along with corresponding @nx packages such as @nx/devkit (21.5.0, 20.9.0), @nx/enterprise-cloud (3.2.0), @nx/eslint (21.5.0), @nx/js (21.5.0, 20.9.0), @nx/key (3.2.0), @nx/node (21.5.0, 20.9.0) and @nx/workspace (21.5.0, 20.9.0). The advisory and the full list of affected packages are linked above and elsewhere in security disclosures.
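A lockfile check for the releases listed above, as an added example that is not code from the nx advisory or from any of the vendors cited here: it flags every package-lock.json entry pinned to one of those versions. The function names and the sample lockfile are constructed for illustration.

```javascript
// Added example. Versions are copied from the list in this article.
const AFFECTED = new Map([
  ["nx", ["21.5.0", "20.9.0", "20.10.0", "21.6.0", "20.11.0", "21.7.0", "21.8.0", "20.12.0"]],
  ["@nx/devkit", ["21.5.0", "20.9.0"]],
  ["@nx/enterprise-cloud", ["3.2.0"]],
  ["@nx/eslint", ["21.5.0"]],
  ["@nx/js", ["21.5.0", "20.9.0"]],
  ["@nx/key", ["3.2.0"]],
  ["@nx/node", ["21.5.0", "20.9.0"]],
  ["@nx/workspace", ["21.5.0", "20.9.0"]],
]);
// "node_modules/a/node_modules/@nx/js" -> "@nx/js" (lockfile v2/v3 keys).
function nameFromPath(path) {
  const marker = "node_modules/";
  const i = path.lastIndexOf(marker);
  return i === -1 ? null : path.slice(i + marker.length);
}
// Returns [{ name, version, location }] for each locked affected release.
function findAffected(lockfileText) {
  const lock = JSON.parse(lockfileText);
  const found = [];
  const check = (name, version, location) => {
    if ((AFFECTED.get(name) || []).includes(version)) found.push({ name, version, location });
  };
  // lockfileVersion 2 and 3: flat "packages" map keyed by install path.
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    check(entry.name || nameFromPath(path), entry.version, path);
  }
  // lockfileVersion 1: nested "dependencies" tree, walked only when "packages" is absent.
  const walk = (deps, trail) => {
    for (const [name, entry] of Object.entries(deps || {})) {
      check(name, entry.version, trail + name);
      walk(entry.dependencies, trail + name + " > ");
    }
  };
  if (!lock.packages) walk(lock.dependencies, "");
  return found;
}
// Constructed sample lockfile, not taken from a real project.
const SAMPLE_LOCK = JSON.stringify({
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/nx": { version: "21.5.0" },
    "node_modules/@nx/js": { version: "21.4.1" },
    "node_modules/foo/node_modules/@nx/devkit": { version: "20.9.0" },
  },
});
console.log(findAffected(SAMPLE_LOCK));
```

Pass the text of a project's package-lock.json to findAffected. An empty result means none of the listed releases is currently locked, not that a machine never installed one.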

Security teams traced the root cause to a vulnerable workflow added on August 21, 2025, which allowed code injection via a specially crafted pull request (PR) title. While the workflow was reverted in the master branch almost immediately after discovery, attackers apparently targeted an outdated branch that still contained the vulnerable workflow. The nx team described this as a novel abuse of the pull_request_target trigger, which runs with elevated permissions, including a GITHUB_TOKEN with read/write access, enabling the malicious action to publish to the registry via the publish.yml workflow.

According to the nx team, the combination of the PR trigger with elevated permissions allowed attackers to exfiltrate the npm token during a malicious run, as part of a bash injection that accompanied the fraudulent changes. Users are urged to rotate npm and GitHub credentials and tokens and to audit for unfamiliar changes to shell startup files. The nx advisory notes that the malicious postinstall script, which ran after installation, would search for sensitive files, exfiltrate credentials as a Base64 string to a repository named s1ngularity-repository (including aliases s1ngularity-repository-0 and s1ngularity-repository-1), and modify .zshrc and .bashrc to run commands that could prompt for a password and shut down the machine in some cases.

The nx team also said the organization rotated its npm and GitHub tokens and conducted broad audits across its environments for suspicious activity. It updated access controls for publishing nx to require two-factor authentication (2FA) or automation. Security researchers who tracked the incident noted the broader risk: attackers leveraged developer AI tools and automated workflows to breach software supply chains.

Security firm Wiz reported that roughly 90 percent of more than 1,000 leaked GitHub tokens remained valid, and that dozens of cloud credentials and npm tokens were compromised. The investigation found the malicious payload ran on Linux and macOS devices and would exfiltrate credentials and SSH keys, with some data sent to a publicly accessible GitHub repository tied to the s1ngularity operation. Wiz described the campaign as weaponizing AI command-line tools with dangerous flags to enable reconnaissance and data theft.

GitGuardian’s analysis noted more than 1,346 repositories containing the string “s1ngularity-repository” and identified 2,349 distinct secrets leaked, including GitHub OAuth keys, personal access tokens, and credentials for Google AI, OpenAI, AWS, OpenRouter, Anthropic Claude, PostgreSQL and Datadog, among others. The Wiz and GitGuardian findings underscore the evolving sophistication of supply-chain attacks and the need for rapid remediation across developer tooling and CI pipelines. See GitGuardian coverage for more.

Industry researchers also highlighted the broader implications of using AI-assisted development tools as footholds for data exfiltration. Wiz researchers Merav Bar and Rami McCarthy highlighted the targeting of developer machines and the exploitation of AI CLI tools, while industry voices such as Socket, Aikido, and StepSecurity described the attack as a landmark in AI-assisted supply-chain exploitation. The analysis cautions that such methods may become more common as attackers seek to bypass traditional defenses.