nx-build
Nx Build "s1ngularity" Supply Chain Attack
The s1ngularity incident began with a vulnerable Nx GitHub Actions workflow that combined pull_request_target privileges with shell injection in pull-request metadata. The attacker used it to trigger publish.yml, run a malicious commit that leaked the npm token, and publish 19 malicious nx and @nx package versions. The postinstall payload harvested developer, GitHub/npm, SSH, environment, and wallet secrets, used local AI CLI tools to help find sensitive files, and exfiltrated data through public s1ngularity-repository GitHub repos. It also appended a shutdown command to shell startup files. Nx Console VS Code versions 18.63.x-18.65.x widened exposure by running nx@latest during the malicious publish window.
- Date: 2025-08-26 to 2025-08-27
- Category: Open Source
- Target Surface: Package registry
- Insertion Phase: distribution
- Impact: Data Exfiltration
- Cause: CI/CD Exploit
What Was Affected
Compromised Versions
- nx@20.9.0
- nx@20.10.0
- nx@20.11.0
- nx@20.12.0
- nx@21.5.0
- nx@21.6.0
- nx@21.7.0
- nx@21.8.0
- @nx/devkit@20.9.0
- @nx/devkit@21.5.0
- @nx/enterprise-cloud@3.2.0
- @nx/eslint@21.5.0
- @nx/js@20.9.0
- @nx/js@21.5.0
- @nx/key@3.2.0
- @nx/node@20.9.0
- @nx/node@21.5.0
- @nx/workspace@20.9.0
- @nx/workspace@21.5.0
- Nx Console VS Code extension 18.63.x-18.65.x
Incident Context
- Motive: Credential Theft/Data Exfiltration
- Attribution: Third Party
- Transitive: No
- User Impact: 0
- Observed Duration: 1 day
Evidence
Compromised Artifacts
- github.com/nrwl/nx/commit/3905475cfd0e0ea670e20c6a9eaeb768169dc33d
- github.com/search
- github.com/nrwl/nx/issues/32522
Source Data
Source record: oss/nx-build/meta.yaml