Detect and mitigate a critical supply chain compromise affecting the Nx NPM Package. Organizations should act urgently.
# Incident Report: Nx NPM Supply Chain Compromise Leading to Developer Credential Theft
## Executive Summary
A critical supply chain attack targeted the widely used Nx build system npm package: malicious versions were published containing a post-installation script designed to steal sensitive developer assets. The malware harvested tokens, keys, and wallet information, using AI command-line tools for reconnaissance before exfiltrating the data to attacker-controlled GitHub repositories. In response, GitHub disabled the malicious repositories and affected organizations were given immediate remediation guidance.
## Incident Details
- **Discovery Date:** August 27, 2025
- **Incident Date:** August 26, 2025 (when malicious versions were published)
- **Affected Organization:** Users of the Nx npm package (specifically versions `20.9.0` through `20.12.0` and `21.5.0` through `21.8.0`)
- **Sector:** Software Development / Technology (Supply Chain)
- **Geography:** Global (affecting systems running on Linux and macOS)
## Timeline of Events
### Initial Access
- **Date/Time:** On or immediately after August 26, 2025
- **Vector:** Compromise and publication of malicious versions of the Nx npm package (`@nrwl/nx` or `nx`) to the npm registry.
- **Details:** The malicious code was embedded in a `telemetry.js` file triggered by a post-installation script, focusing execution on Linux and macOS systems. The exposure window was approximately 8 hours before mitigation began.
### Lateral Movement
- **Details:** The malware performed local reconnaissance on the compromised developer machine, systematically searching for sensitive files (wallets, keystores, .env files, SSH keys) and credentials (the output of `gh auth token`, `npmrc` content). It used installed AI CLI tools (Claude, Gemini, Q) for reconnaissance, often passing dangerous flags to bypass security prompts.
### Data Exfiltration/Impact
- **Details:** Stolen data was double and triple base64-encoded and exfiltrated via API calls to `api.github.com`. The data was uploaded to newly created, publicly accessible GitHub repositories within the victim's own GitHub accounts, named systematically (e.g., `s1ngularity-repository`, `s1ngularity-repository-0`).
### Detection & Response
- **Detection:** The attack was identified and reported by security researchers (Wiz and Step Security).
- **Response:** On August 27, 2025, at 9 AM UTC, GitHub disabled all attacker-created repositories to halt further exposure. Organizations were urged to immediately remove malicious packages and review shell configuration files.
## Attack Methodology
- **Initial Access:** Supply chain compromise via malicious npm package publication.
- **Persistence:** The malware attempted to ensure persistence/disruption by appending `sudo shutdown -h 0` to `~/.bashrc` and `~/.zshrc` to cause system shutdowns on new terminal sessions.
- **Privilege Escalation:** Not explicitly detailed, but necessary access was gained through the post-installation script execution context.
- **Defense Evasion:** The use of multiple layers of base64 encoding helped obscure the exfiltrated data.
- **Credential Access:** Targeted collection of GitHub tokens, NPM tokens, and SSH keys.
- **Discovery:** Systematic file system searching for sensitive files and use of AI CLI tools to aid reconnaissance (exploiting tool trust).
- **Lateral Movement:** Primarily local execution on the developer workstation; no external lateral movement described against infrastructure.
- **Collection:** Gathering of cryptocurrency wallets, various tokens, and environment files.
- **Exfiltration:** Uploading collected, encoded data to newly created GitHub repositories within the target's own account namespace.
- **Impact:** Theft of developer secrets and credentials.
## Impact Assessment
- **Financial:** Not quantified, but associated with cleanup costs and potential fraud from stolen cloud credentials.
- **Data Breach:** Over a thousand valid GitHub tokens, dozens of valid cloud credentials, NPM tokens, and roughly twenty thousand files leaked. The data is considered effectively public due to easy base64 decoding.
- **Operational:** Potential disruption of developer environments due to system shutdown attempts (`sudo shutdown -h 0`) and potential pipeline interruptions if build systems were compromised.
- **Reputational:** Damage associated with the public exposure of sensitive developer secrets via a high-profile supply chain attack.
## Indicators of Compromise
- **Network indicators:** Outbound API calls to `api.github[.]com` targeting path segments `/user/repos` and `/repos/*/contents/results[.]b64`.
- **File indicators:** Presence of `/tmp/inventory[.]txt` and `/tmp/inventory[.]txt[.]bak`.
- **Behavioral indicators:** Modification of `~/.bashrc` and `~/.zshrc` containing `sudo shutdown -h 0`. Creation of public GitHub repositories named `s1ngularity-repository`, `s1ngularity-repository-0`, or `s1ngularity-repository-1` under victim accounts.
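
A sweep for the host-side indicators above, as an added example that is not part of the original report. The function names are illustrative, the file paths are the report's defanged values written without brackets, and the repository pattern assumes the numeric suffix can continue past `-1`.

```shell
#!/bin/sh
# Added example: sweep for the host-side indicators listed in this report.
# Every function returns 0 when it finds an indicator and 1 when it finds none.

# Print file:line:text for the injected shutdown line in the rc files under $1.
find_shutdown_entries() {
    found=1
    for rc in "$1/.bashrc" "$1/.zshrc"; do
        [ -f "$rc" ] || continue
        # Fixed-string match; /dev/null forces grep to print the file name.
        grep -nF 'sudo shutdown -h 0' "$rc" /dev/null && found=0
    done
    return "$found"
}

# Print the malware's inventory files if they exist in temp directory $1.
find_inventory_files() {
    found=1
    for f in "$1/inventory.txt" "$1/inventory.txt.bak"; do
        [ -e "$f" ] && { printf '%s\n' "$f"; found=0; }
    done
    return "$found"
}

# Filter repository names on stdin (one per line, optional owner/ prefix).
# Assumption: the numeric suffix may go beyond the -0 and -1 named in the report.
# Example feed: gh repo list --limit 1000 --json name --jq '.[].name'
match_exfil_repos() {
    grep -E '^([^/]+/)?s1ngularity-repository(-[0-9]+)?$'
}

# Run both file checks for home directory $1 and temp directory $2.
sweep_host() {
    any=1
    find_shutdown_entries "$1" && any=0
    find_inventory_files "$2" && any=0
    return "$any"
}

# Usage: sh sweep.sh "$HOME" /tmp
if [ "$#" -ge 2 ]; then sweep_host "$1" "$2"; fi
```

Passing the directories as arguments lets the same script run against a mounted disk image or another user's home directory during triage.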
## Response Actions
- **Containment measures:** GitHub disabled all attacker-created repositories. Developers were instructed to immediately remove malicious Nx versions by running `rm -rf node_modules && npm cache clean --force`.
- **Eradication steps:** Manually reviewing and removing malicious shell entries (`sudo shutdown -h 0`) from `~/.bashrc` and `~/.zshrc` and deleting temporary inventory files.
- **Recovery actions:** Upgrading the Nx package to a clean, non-malicious release sourced from NPM (as malicious versions were removed by the maintainers).
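
To confirm whether a project pinned one of the affected releases, before or after the cleanup above, the lockfile can be checked against the version ranges given under Incident Details. This is an added example, not code from the report or from the Nx project; the function names are illustrative and it assumes an npm `package-lock.json` with lockfileVersion 2 or 3.

```shell
#!/bin/sh
# Added example: flag nx releases inside the ranges this report lists
# (20.9.0 through 20.12.0 and 21.5.0 through 21.8.0) in a package-lock.json.

# Return 0 if version $1 falls in an affected range. A pre-release tag after
# the patch number is ignored, so such builds are flagged conservatively.
nx_version_affected() {
    printf '%s\n' "$1" | awk -F. '{
        v = $1 * 1000000 + $2 * 1000 + $3
        exit !((v >= 20009000 && v <= 20012000) || (v >= 21005000 && v <= 21008000))
    }'
}

# Print each version recorded for nx (or @nrwl/nx) in lockfile $1.
# Assumption: npm lockfileVersion 2 or 3, pretty-printed as npm writes it,
# with "version" as a key directly under each "node_modules/..." entry.
locked_nx_versions() {
    awk -F'"' '
        $2 ~ /(^|\/)node_modules\/(@nrwl\/)?nx$/ { in_nx = 1; next }
        in_nx && $2 == "version"                  { print $4; in_nx = 0 }
        in_nx && /^[ \t]*\}/                      { in_nx = 0 }
    ' "$1"
}

# Report affected pins in lockfile $1; return 0 if any were found.
scan_lockfile() {
    hit=1
    for v in $(locked_nx_versions "$1"); do
        if nx_version_affected "$v"; then
            printf 'AFFECTED nx %s in %s\n' "$v" "$1"
            hit=0
        fi
    done
    return "$hit"
}

# Usage: sh scan.sh path/to/package-lock.json
if [ "$#" -ge 1 ]; then scan_lockfile "$1"; fi
```

Run it over every repository's lockfile; deleting `node_modules` does not change what the lockfile pins.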
## Lessons Learned
- **Key takeaways:** Post-install scripts in software packages remain a highly effective vector for supply chain attacks, capable of bypassing initial perimeter defenses. The weaponization of trusted development tools (AI CLIs) significantly augmented the attackers' reconnaissance capabilities.
- **What could have been done better:** Relying on base64 encoding provided minimal actual security, as the data was quickly rendered public. Organizations must rapidly vet package updates, especially those executed with high privileges during installation or build.
## Recommendations
- **Prevention measures for similar incidents:** Implement strict controls (e.g., dependency scanning, software composition analysis) for all third-party packages. Isolate build environments to prevent secrets exposure during package installation. Audit developer workstations for unusual shell modifications or unauthorized repository creation on developer accounts. Users should be strongly discouraged from using dangerous flags (e.g., `--yolo`, `--dangerously-skip-permissions`) with AI CLI tools.