Supply Chain Attack Hits Nx NPM Package with 4.6M Weekly Downloads

A sophisticated supply chain attack has compromised the Nx NPM package, an AI-driven monorepo build system downloaded over 4.6 million times weekly, leaking sensitive developer secrets to publicly accessible GitHub repositories.

The breach occurred through a malicious update that weaponized AI CLI tools and post-install scripts to harvest credentials and exfiltrate data.

The incident was disclosed by Wiz researchers, who explained that malicious versions of the Nx package and several of its scoped modules were published to the npm registry on August 26, 2025. These versions introduced a Linux/macOS-targeted malware payload in a telemetry.js file, activated via npm's post-install script feature. Once triggered, the malware searched for sensitive assets such as cryptocurrency wallets, .env files, SSH keys, GitHub auth tokens, and npm tokens.

Nx is developed by Nrwl and marketed as a smart build platform for managing monorepos across frontend and backend frameworks like Angular, React, and Node.js. It is integrated into millions of developer workflows via the VSCode extension, create-nx-workspace, and CI/CD tools, making the scope of this attack particularly far-reaching.

The malware exfiltrated data by exploiting installed AI CLI tools, including Anthropic's Claude, Google Gemini, and Q, using unguarded flags like –dangerously-skip-permissions and –trust-all-tools. These tools were abused to extract filesystem data, which was then encoded multiple times in base64 and uploaded to attacker-controlled GitHub repositories created within the victim's own account. Repository names followed a consistent pattern: s1ngularity-repository, s1ngularity-repository-0, and s1ngularity-repository-1.

GitHub intervened at 9:00 UTC on August 27 by disabling known malicious repositories. However, the eight-hour window prior to takedown may have been sufficient for attackers, and possibly others, to clone the exposed data. Wiz reports the existence of thousands of such repositories, with over 1,000 valid GitHub tokens, dozens of cloud and npm credentials, and approximately 20,000 files leaked. Notably, in some cases, the malware is executed in CI pipelines like GitHub Actions, not just on developer endpoints.

Compromised Nx versions include:

• nx: 20.9.0 through 20.12.0 and 21.5.0 through 21.8.0
• @nx/devkit: 20.9.0, 21.5.0
• @nx/enterprise-cloud: 3.2.0
• @nx/eslint, @nx/js, @nx/key, @nx/node, @nx/workspace: 20.9.0 and 21.5.0 in various combinations

Artifacts linked to the attack include:

• Shell profile modifications (~/.bashrc, ~/.zshrc) with sudo shutdown -h 0 commands to disable terminal access
• Temporary files (/tmp/inventory.txt, .bak) listing sensitive paths
• API calls to GitHub's repository endpoints and files named results.b64 containing exfiltrated, encoded data

According to Step Security, which corroborated the malware's behavior, the shutdown commands aimed to lock out users from debugging the infection. Meanwhile, Wiz confirmed the abuse of AI tools for reconnaissance and noted mixed effectiveness of guardrails.

Recommended actions

To mitigate the impact, affected users should remove malicious Nx versions (rm -rf node_modules && npm cache clean –force) and reinstall clean releases from npm. Manual cleanup of ~/.bashrc, ~/.zshrc, and temporary files under /tmp is also necessary.

Organizations should audit their GitHub accounts for any singularity-named repositories, review audit logs for suspicious API activity, and monitor both developer machines and CI environments for unusual behavior or artifacts.

All potentially exposed credentials, including GitHub and npm tokens, SSH keys, cloud secrets, and environment variables, must be revoked and regenerated. If cryptocurrency wallets were compromised, funds should be transferred immediately.

Wiz has also released YARA rules and a list of indicators of compromise to help users identify signs of compromise.