Full Report
Investigations into the Nx "s1ngularity" NPM supply chain attack have unveiled a massive fallout, with thousands of account tokens and repository secrets leaked. [...]
Analysis Summary
# Incident Report: Nx "s1ngularity" GitHub Account Compromise
## Executive Summary
A sophisticated, multi-phase supply chain attack dubbed "s1ngularity" leveraged an exploited vulnerability in the Nx GitHub Actions workflow to inject malicious packages into the popular NPM ecosystem. This resulted in the compromise of 2,180 GitHub accounts and the theft of secrets via AI-powered malware, leading to the public exposure of 6,700 private repositories. Response actions included timely removal of malicious packages and extensive token rotation, although the full impact continues to unfold.
## Incident Details
- Discovery Date: August 26, 2025 (Initial package release marked discovery of compromise vector)
- Incident Date: Began August 26, 2025
- Affected Organization: Nx (NPM package ecosystem)
- Sector: Software Development / Open Source Tools
- Geography: Global (Targeting users of the Nx NPM package)
## Timeline of Events
### Initial Access
- **Date/Time:** August 26, 2025
- **Vector:** Exploitation of a flawed GitHub Actions workflow within the Nx repository.
- **Details:** Attackers exploited a pull request title injection combined with insecure use of `pull_request_target` to run arbitrary code with elevated permissions, triggering the Nx publish pipeline and stealing the NPM publishing token. A malicious package containing `telemetry.js` malware was published to NPM.
### Lateral Movement
- **Phase 1 (Aug 26-27):** The `telemetry.js` malware executed post-installation on infected Linux/macOS systems, stealing secrets and uploading them to attacker-controlled public GitHub repositories named "s1ngularity-repository."
- **Phase 2 (Aug 28-29):** Using the leaked GitHub tokens, attackers accessed compromised accounts and flipped private repositories to public, renaming them with the 's1ngularity' string.
- **Phase 3 (Aug 31+):** Attackers targeted a single victim organization, escalating compromise further using two compromised accounts to publish 500 additional private repositories.
### Data Exfiltration/Impact
- **Data Exfiltration:** The primary impact was the theft of GitHub tokens, npm tokens, SSH keys, .env files, and crypto wallets from 2,180 accounts.
- **Impact Scope:** Exposure of 7,200 repositories (including 6,700 private repositories made public). Approximately 20,000 files were exposed from infected systems in the first phase alone.
### Detection & Response
- **Detection:** Researchers at Wiz observed and documented the three distinct attack phases following the initial malicious NPM publication. GitHub eventually took down attacker-controlled repos after eight hours, but data was copied.
- **Response actions taken:** Malicious packages were removed. Compromised tokens were revoked and rotated. 2FA was adopted across all publisher accounts.
## Attack Methodology
- **Initial Access:** Supply chain compromise via vulnerable GitHub Actions workflow (`pull_request_target` exploitation).
- **Persistence:** Not explicitly detailed for long-term persistence on target systems, but the primary mechanism was the initial installation of the malicious package.
- **Privilege Escalation:** Not explicitly detailed, but the initial exploit allowed arbitrary code execution with elevated permissions during the publish pipeline trigger.
- **Defense Evasion:** Use of an AI-powered credential stealer designed to harvest secrets.
- **Credential Access:** Malware (`telemetry.js`) actively sought GitHub tokens, npm tokens, SSH keys, and .env files.
- **Discovery:** The malware utilized installed command-line tools for AI platforms (Claude, Q, Gemini) and leveraged LLM prompts to dynamically search for and harvest sensitive credentials and secrets.
- **Lateral Movement:** Used stolen GitHub tokens to compromise additional accounts and mark associated repositories as public.
- **Collection:** Targeted credentials and configuration files (.env).
- **Exfiltration:** Uploaded stolen secrets to public GitHub repositories controlled by the attacker (e.g., "s1ngularity-repository").
- **Impact:** Public exposure of source code and internal configuration secrets.
## Impact Assessment
- **Financial:** Not quantifiable based on provided data, but implied significant remediation costs.
- **Data Breach:** Exposure of account tokens (GitHub, npm), SSH keys, configuration secrets (.env), and wallet information across 2,180 accounts.
- **Operational:** Disruption to development environments as users were infected. Compromise of organizational data due to public repository flips.
- **Reputational:** Significant damage to the trust in the Nx open-source build system and the underlying software supply chain security.
## Indicators of Compromise
- **Network indicators (Defanged):** Attacker-controlled GitHub repositories named starting with "s1ngularity-repository" used for exfiltration.
- **File indicators:** `telemetry.js` malware script within the installed Nx package.
- **Behavioral indicators:** Use of installed LLM CLIs (Claude, Q, Gemini) executing prompts specifically designed to search for code secrets ("penetration testing," etc.).
## Response Actions
- **Containment measures:** Removal of malicious Nx packages from NPM.
- **Eradication steps:** Revocation and rotation of all compromised npm and GitHub tokens.
- **Recovery actions:** Adoption of 2FA for all publisher accounts. Migration to NPM's Trusted Publisher model for tokenless publishing. Addition of manual approval gates for PR-triggered workflows.
## Lessons Learned
- Insecure coding practices within CI/CD actions (specifically `pull_request_target`) can lead directly to supply chain compromise and token theft.
- The use of LLM tooling by malware writers represents a novel and highly adaptive technique for targeted credential harvesting.
- Attackers rapidly iterate and tune their malicious prompts faster than defenders can track changes.
- Repository metadata modification (flipping private repos to public) serves as a secondary impact vector post-initial infection.
## Recommendations
- Immediately audit all GitHub Actions workflows, strictly limiting the permissions granted by `pull_request_target` and ensuring secrets/tokens are not exposed or reachable via PR title injection vulnerabilities.
- Implement a robust token rotation schedule across all development and CI/CD systems.
- Adopt tokenless publishing models (like NPM Trusted Publishers) where available to reduce the risk associated with leaked tokens.
- Enhance endpoint detection capabilities to monitor for execution of LLM command-line tools attempting to parse sensitive files or URLs related to secret harvesting.