Nx NPM packages poisoned in AI-assisted supply chain attack
(2025/08/27)
- Reference: 1756316055
- News link: https://www.theregister.co.uk/2025/08/27/nx_npm_supply_chain_attack/
- Source link:
Nx is the latest target of a software supply chain attack in the NPM ecosystem, with multiple malicious versions being uploaded to the NPM registry on Tuesday evening.
According to [1]researchers at Wiz , those poisoned packages were laden with malware designed to siphon secrets from developers, such as GitHub and NPM tokens, SSH keys, and cryptocurrency wallet details.
Nx's [2]security advisory , posted to GitHub, which details the affected versions, states that successful credential harvesting then led to those credentials being posted to GitHub as new public-facing repos under the corresponding user accounts.
[3]
With a self-proclaimed 24 million NPM downloads per month, a successful supply chain attack on Nx, an open source codebase management platform, could in theory capture the details of myriad developers.
[4]
[5]
"Given the popularity of the Nx ecosystem, and the novelty of AI tool abuse, this incident highlights the evolving sophistication of supply chain attacks," said Ashish Kurmi, co-founder of StepSecurity, in a [6]blog post .
"Immediate remediation is critical for anyone who installed the compromised versions."
[7]
Wiz said the repos containing the stolen secrets remained alive and freely available to download for around eight hours before GitHub intervened by identifying and disabling them all.
As for how the attacker gained access to Nx's NPM account, Wiz said it currently believes that a token, which had publishing rights to the compromised packages, was compromised through unspecified means.
However, it said all maintainers had [8]two-factor authentication (2FA) enabled on their accounts at the time of the attack, although 2FA was not required to publish, and was being monitored by a provenance mechanism that verifies which publications were legitimate.
[9]
Nx, which asserts that its platform is used by more than 70 percent of Fortune 500 companies, did not say how many users are thought to have been compromised.
Wiz, on the other hand, told The Register via email that more than 1,000 valid GitHub tokens were leaked and around 20,000 files stolen and exposed, as well as dozens of valid cloud credentials and NPM tokens.
According to the project maintainer's timeline, the malicious packages started being published to NPM at 2232 UTC on August 26, with subsequent publications continuing until just over two hours later.
NPM was alerted at 0258 UTC and in less than an hour it had removed all the affected versions.
Users thought to be affected by the attack are encouraged to contact Nx, whose support team can help confirm what data was compromised.
First-of-a-kind
Researchers pointed out that the NPM supply chain attack, for which there are unfortunately [10]many [11]cases [12]in [13]recent [14]history , had a unique characteristic.
Kurmi said the abuse of locally installed generative AI CLIs, such as [15]Claude , [16]Gemini , and [17]Q , presented a novel method of attack to bypass defenses.
[18]Someone's poking the bear with infostealers targeting Russian crypto developers
[19]Rampant emoji use suggests crypto-stealing NPM package was written by AI
[20]Freelance dev shop Toptal caught serving malware after GitHub account break-in
[21]Not pretty, not Windows-only: npm phishing attack laces popular packages with malware
"To our knowledge, this is one of the first documented cases of malware coercing AI‑assistant CLIs to assist in reconnaissance.
"This technique forces the AI tools to recursively scan the file system and write discovered sensitive file paths to /tmp/inventory.txt, effectively using legitimate tools as accomplices in the attack."
Charlie Eriksen, a malware researcher at Aikido, also [22]said the Nx supply chain attack is the first time he had seen the technique in action, and that it may offer suggestions as to how attackers adjust their tradecraft for the future.
The researcher also noted that beyond data-harvesting code, the malicious packages also added a shutdown command to victims' startup files, which would force their machines to shut down upon logging in.
"The fact that the attacker decided to add the shutdown command into people's shell may have contributed to how quickly the issue was noticed, and limited the impact," he said.
"It's very concerning they decided to publish all the stolen data publicly, as this puts more GitHub and NPM tokens into the hands of malicious threat actors, who will be able to conduct more attacks like this.
"There's a real risk that this could just be the first wave of this attack, and there will be more to come. We will be monitoring the situation actively." ®
Get our [23]Tech Resources
[1] https://www.wiz.io/blog/s1ngularity-supply-chain-attack
[2] https://github.com/nrwl/nx/security/advisories/GHSA-cxm3-wv7p-598c
[3] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_software/devops&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=2&c=2aK9_9lKwEP6FaQtMSQTlBAAAAIk&t=ct%3Dns%26unitnum%3D2%26raptor%3Dcondor%26pos%3Dtop%26test%3D0
[4] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_software/devops&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=4&c=44aK9_9lKwEP6FaQtMSQTlBAAAAIk&t=ct%3Dns%26unitnum%3D4%26raptor%3Dfalcon%26pos%3Dmid%26test%3D0
[5] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_software/devops&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=3&c=33aK9_9lKwEP6FaQtMSQTlBAAAAIk&t=ct%3Dns%26unitnum%3D3%26raptor%3Deagle%26pos%3Dmid%26test%3D0
[6] https://www.stepsecurity.io/blog/supply-chain-security-alert-popular-nx-build-system-package-compromised-with-data-stealing-malware
[7] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_software/devops&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=4&c=44aK9_9lKwEP6FaQtMSQTlBAAAAIk&t=ct%3Dns%26unitnum%3D4%26raptor%3Dfalcon%26pos%3Dmid%26test%3D0
[8] https://www.theregister.com/2025/03/26/ncsc_influencers_2fa/
[9] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_software/devops&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=3&c=33aK9_9lKwEP6FaQtMSQTlBAAAAIk&t=ct%3Dns%26unitnum%3D3%26raptor%3Deagle%26pos%3Dmid%26test%3D0
[10] https://www.theregister.com/2025/04/23/ripple_npm_supply_chain/
[11] https://www.theregister.com/2025/08/01/emoji_use_ai_malware/
[12] https://www.theregister.com/2025/02/13/north_korea_npm_crypto/
[13] https://www.theregister.com/2024/11/05/typosquatting_npm_campaign/
[14] https://www.theregister.com/2022/03/24/developers_using_microsoft_azure_targeted/
[15] https://www.theregister.com/2025/08/26/anthropic_claude_chrome_warnings/
[16] https://www.theregister.com/2025/08/26/google_gemini_ai_images/
[17] https://www.theregister.com/2025/08/20/amazon_quietly_fixed_q_developer_flaws/
[18] https://www.theregister.com/2025/08/18/solana_infostealer_npm_malware/
[19] https://www.theregister.com/2025/08/01/emoji_use_ai_malware/
[20] https://www.theregister.com/2025/07/25/toptal_malware_attack/
[21] https://www.theregister.com/2025/07/24/not_pretty_not_windowsonly_npm/
[22] https://www.aikido.dev/blog/popular-nx-packages-compromised-on-npm
[23] https://whitepapers.theregister.com/
According to [1]researchers at Wiz , those poisoned packages were laden with malware designed to siphon secrets from developers, such as GitHub and NPM tokens, SSH keys, and cryptocurrency wallet details.
Nx's [2]security advisory , posted to GitHub, which details the affected versions, states that successful credential harvesting then led to those credentials being posted to GitHub as new public-facing repos under the corresponding user accounts.
[3]
With a self-proclaimed 24 million NPM downloads per month, a successful supply chain attack on Nx, an open source codebase management platform, could in theory capture the details of myriad developers.
[4]
[5]
"Given the popularity of the Nx ecosystem, and the novelty of AI tool abuse, this incident highlights the evolving sophistication of supply chain attacks," said Ashish Kurmi, co-founder of StepSecurity, in a [6]blog post .
"Immediate remediation is critical for anyone who installed the compromised versions."
[7]
Wiz said the repos containing the stolen secrets remained alive and freely available to download for around eight hours before GitHub intervened by identifying and disabling them all.
As for how the attacker gained access to Nx's NPM account, Wiz said it currently believes that a token, which had publishing rights to the compromised packages, was compromised through unspecified means.
However, it said all maintainers had [8]two-factor authentication (2FA) enabled on their accounts at the time of the attack, although 2FA was not required to publish, and was being monitored by a provenance mechanism that verifies which publications were legitimate.
[9]
Nx, which asserts that its platform is used by more than 70 percent of Fortune 500 companies, did not say how many users are thought to have been compromised.
Wiz, on the other hand, told The Register via email that more than 1,000 valid GitHub tokens were leaked and around 20,000 files stolen and exposed, as well as dozens of valid cloud credentials and NPM tokens.
According to the project maintainer's timeline, the malicious packages started being published to NPM at 2232 UTC on August 26, with subsequent publications continuing until just over two hours later.
NPM was alerted at 0258 UTC and in less than an hour it had removed all the affected versions.
Users thought to be affected by the attack are encouraged to contact Nx, whose support team can help confirm what data was compromised.
First-of-a-kind
Researchers pointed out that the NPM supply chain attack, for which there are unfortunately [10]many [11]cases [12]in [13]recent [14]history , had a unique characteristic.
Kurmi said the abuse of locally installed generative AI CLIs, such as [15]Claude , [16]Gemini , and [17]Q , presented a novel method of attack to bypass defenses.
[18]Someone's poking the bear with infostealers targeting Russian crypto developers
[19]Rampant emoji use suggests crypto-stealing NPM package was written by AI
[20]Freelance dev shop Toptal caught serving malware after GitHub account break-in
[21]Not pretty, not Windows-only: npm phishing attack laces popular packages with malware
"To our knowledge, this is one of the first documented cases of malware coercing AI‑assistant CLIs to assist in reconnaissance.
"This technique forces the AI tools to recursively scan the file system and write discovered sensitive file paths to /tmp/inventory.txt, effectively using legitimate tools as accomplices in the attack."
Charlie Eriksen, a malware researcher at Aikido, also [22]said the Nx supply chain attack is the first time he had seen the technique in action, and that it may offer suggestions as to how attackers adjust their tradecraft for the future.
The researcher also noted that beyond data-harvesting code, the malicious packages also added a shutdown command to victims' startup files, which would force their machines to shut down upon logging in.
"The fact that the attacker decided to add the shutdown command into people's shell may have contributed to how quickly the issue was noticed, and limited the impact," he said.
"It's very concerning they decided to publish all the stolen data publicly, as this puts more GitHub and NPM tokens into the hands of malicious threat actors, who will be able to conduct more attacks like this.
"There's a real risk that this could just be the first wave of this attack, and there will be more to come. We will be monitoring the situation actively." ®
Get our [23]Tech Resources
[1] https://www.wiz.io/blog/s1ngularity-supply-chain-attack
[2] https://github.com/nrwl/nx/security/advisories/GHSA-cxm3-wv7p-598c
[3] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_software/devops&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=2&c=2aK9_9lKwEP6FaQtMSQTlBAAAAIk&t=ct%3Dns%26unitnum%3D2%26raptor%3Dcondor%26pos%3Dtop%26test%3D0
[4] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_software/devops&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=4&c=44aK9_9lKwEP6FaQtMSQTlBAAAAIk&t=ct%3Dns%26unitnum%3D4%26raptor%3Dfalcon%26pos%3Dmid%26test%3D0
[5] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_software/devops&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=3&c=33aK9_9lKwEP6FaQtMSQTlBAAAAIk&t=ct%3Dns%26unitnum%3D3%26raptor%3Deagle%26pos%3Dmid%26test%3D0
[6] https://www.stepsecurity.io/blog/supply-chain-security-alert-popular-nx-build-system-package-compromised-with-data-stealing-malware
[7] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_software/devops&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=4&c=44aK9_9lKwEP6FaQtMSQTlBAAAAIk&t=ct%3Dns%26unitnum%3D4%26raptor%3Dfalcon%26pos%3Dmid%26test%3D0
[8] https://www.theregister.com/2025/03/26/ncsc_influencers_2fa/
[9] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_software/devops&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=3&c=33aK9_9lKwEP6FaQtMSQTlBAAAAIk&t=ct%3Dns%26unitnum%3D3%26raptor%3Deagle%26pos%3Dmid%26test%3D0
[10] https://www.theregister.com/2025/04/23/ripple_npm_supply_chain/
[11] https://www.theregister.com/2025/08/01/emoji_use_ai_malware/
[12] https://www.theregister.com/2025/02/13/north_korea_npm_crypto/
[13] https://www.theregister.com/2024/11/05/typosquatting_npm_campaign/
[14] https://www.theregister.com/2022/03/24/developers_using_microsoft_azure_targeted/
[15] https://www.theregister.com/2025/08/26/anthropic_claude_chrome_warnings/
[16] https://www.theregister.com/2025/08/26/google_gemini_ai_images/
[17] https://www.theregister.com/2025/08/20/amazon_quietly_fixed_q_developer_flaws/
[18] https://www.theregister.com/2025/08/18/solana_infostealer_npm_malware/
[19] https://www.theregister.com/2025/08/01/emoji_use_ai_malware/
[20] https://www.theregister.com/2025/07/25/toptal_malware_attack/
[21] https://www.theregister.com/2025/07/24/not_pretty_not_windowsonly_npm/
[22] https://www.aikido.dev/blog/popular-nx-packages-compromised-on-npm
[23] https://whitepapers.theregister.com/