Supply chain attack uses AI Tools to compromise NX developer package
Take action: This one was almost impossible to defend against, since the initial vulnerability was in the GitHub Actions workflow logic. If you were using NX tools, review your repositories for anything weird. And be aware that AI tools have become another weapon for hackers, so isolate such tools from anything in production.
A supply chain attack targeting the NX build system package has exposed thousands of developer credentials and marked the first documented case of malware weaponizing AI command-line tools for reconnaissance and data theft.
The attack began on August 26, 2025, when threat actors published multiple malicious versions of NX packages to the npm registry, with the compromised packages remaining live for approximately 5 hours and 20 minutes before being removed.
The incident was caused by a vulnerable GitHub Actions workflow that was added to the NX repository on August 21, 2025, which introduced the ability to inject executable code using pull request titles combined with the pull_request_target trigger that granted elevated permissions.
An attacker exploited this workflow injection vulnerability to extract an npm publish token with rights to the affected packages, then used it to publish malicious versions directly to the npm registry without altering the source repository. The compromised packages included eight malicious versions across the nx package and several scoped modules (@nrwl/nx, @nx/devkit, @nx/enterprise-cloud, @nx/eslint, @nx/js, @nx/key, @nx/node, @nx/workspace), versions 20.9.0 through 21.8.0. The malware also affected the NX Console VS Code extension through its auto-update feature.
Once installed via npm's post-install script feature, the malware systematically searched for sensitive files and extracted credentials, then encoded the stolen data multiple times in base64 and uploaded it to public GitHub repositories in victim accounts with names following the pattern "s1ngularity-repository," "s1ngularity-repository-0," or "s1ngularity-repository-1," each containing a results.b64 file with the exfiltrated data.
The malware used installed AI CLI tools including Claude, Gemini, and Q by prompting them with dangerous flags such as "--dangerously-skip-permissions," "--yolo," and "--trust-all-tools" to extract filesystem contents and aid in reconnaissance efforts.
Exposed data includes:
- GitHub tokens and npm tokens
- SSH keys and .env secrets
- Cryptocurrency wallet files and keystores
- Environment variables and .gitconfig files
- Cloud credentials
Wiz researchers documented over 1,000 valid GitHub tokens, dozens of valid cloud credentials and npm tokens, and approximately 20,000 files leaked across thousands of publicly accessible repositories.
Attack sequence
- Initial Compromise - Attackers discovered a GitHub Actions workflow injection vulnerability added August 21, 2025. They created a malicious pull request with a crafted title to exploit the vulnerability and extract npm publishing tokens
- Package Poisoning - Used stolen npm token to publish 8 malicious NX package versions (20.9.0-20.12.0, 21.5.0-21.8.0) to the official npm registry
- Payload Execution - Malicious telemetry.js activated via npm post-install script when developers installed compromised packages. Script weaponized local AI CLI tools (Claude, Gemini, Q) using dangerous flags like --dangerously-skip-permissions and --trust-all-tools
- Data Theft & Exfiltration - AI tools scanned filesystem for sensitive files (SSH keys, GitHub/npm tokens, crypto wallets, .env files). Stolen data was triple-base64 encoded and uploaded to public GitHub repositories named "s1ngularity-repository-*" created under victims' own accounts
- System Disruption - Added shutdown commands to ~/.bashrc and ~/.zshrc, causing terminal sessions to crash. This disruption actually helped with detection as developers investigated the crashes
- Secondary Wave - Attackers used stolen GitHub tokens to make victims' private repositories public. Expanded impact to 400+ users and 5,500+ repositories
The initial attack affected approximately 1,400 developers based on the number of malicious repositories created. A second wave of attacks on August 28, 2025, expanded the impact to over 400 users and organizations with over 5,500 repositories affected, as attackers used the stolen GitHub tokens to make previously private repositories public.
Npm enforced new security controls across all NX packages, making two-factor authentication mandatory for all maintainers, disabling npm token-based publishing, and migrating all packages to the Trusted Publisher mechanism.
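A local triage check built from the indicators this article describes (an added example, not code from NX, npm or Wiz): it flags affected package versions in a package-lock.json, shutdown lines in shell rc files, and repository names matching the exfiltration pattern. Assumptions: the article's nx version ranges are applied to every listed package name, the rc line is assumed to invoke shutdown directly, and all sample inputs are constructed.

```python
import json
import re

# Indicators as stated in the article.
REPO_RE = re.compile(r"^s1ngularity-repository(-\d+)?$")
PACKAGES = {"nx", "@nrwl/nx", "@nx/devkit", "@nx/enterprise-cloud", "@nx/eslint",
            "@nx/js", "@nx/key", "@nx/node", "@nx/workspace"}
# Assumption: the ranges 20.9.0-20.12.0 and 21.5.0-21.8.0 apply to every name above.
RANGES = {20: range(9, 13), 21: range(5, 9)}
# Assumption: the appended rc line invokes `shutdown`, optionally via sudo.
SHUTDOWN_RE = re.compile(r"^\s*(sudo\s+)?shutdown\b")

def in_stated_range(version):
    """True for the eight x.y.0 releases the article counts."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.0", version)
    return bool(m) and int(m.group(2)) in RANGES.get(int(m.group(1)), ())

def scan_lockfile(lock_text):
    """Sorted (name, version) pairs in a v2/v3 package-lock.json that match."""
    hits = set()
    for path, meta in json.loads(lock_text).get("packages", {}).items():
        # Keys look like "node_modules/a/node_modules/@nx/js"; keep the last name.
        name = path.rsplit("node_modules/", 1)[-1]
        version = meta.get("version", "")
        if name in PACKAGES and in_stated_range(version):
            hits.add((name, version))
    return sorted(hits)

def scan_rc(rc_text):
    """1-based line numbers of rc-file lines that invoke shutdown."""
    return [i for i, line in enumerate(rc_text.splitlines(), 1)
            if SHUTDOWN_RE.match(line)]

def scan_repos(repo_names):
    """Repository names matching the exfiltration naming pattern."""
    return [n for n in repo_names if REPO_RE.match(n)]

# Constructed sample inputs (not real victim data).
SAMPLE_LOCK = json.dumps({"lockfileVersion": 3, "packages": {
    "": {"name": "demo", "version": "1.0.0"},
    "node_modules/nx": {"version": "21.5.0"},
    "node_modules/@nx/js": {"version": "21.4.1"},
    "node_modules/tool/node_modules/@nx/devkit": {"version": "20.10.0"}}})
SAMPLE_RC = "export PATH=$HOME/bin:$PATH\nsudo shutdown -h 0\n# shutdown mentioned only\n"
SAMPLE_REPOS = ["website", "s1ngularity-repository", "s1ngularity-repository-1",
                "my-s1ngularity-repository-notes"]

if __name__ == "__main__":
    print(scan_lockfile(SAMPLE_LOCK), scan_rc(SAMPLE_RC), scan_repos(SAMPLE_REPOS))
```

Any hit means the machine should be treated as exposed: confirm the exact package versions against the official advisory and rotate the credential types listed above.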