CRITICALSupply chainexploited in the wild

GHSA-CXM3-WV7P-598C

npm · nx, @nx/devkit, @nx/js, @nx/workspace, @nx/node, @nx/eslint

Summary

On August 26, 2025, attackers exploited a vulnerable GitHub Actions workflow (added Aug 21) susceptible to code injection via a crafted pull-request title to steal Nx's npm publishing token, then published malicious versions of nx (21.5.0, 20.9.0 and others) and several @nx plugins. The malware scanned the filesystem, collected credentials, npm/GitHub tokens, SSH keys and cryptocurrency wallets, and posted them to public GitHub repositories under victim accounts. Dubbed 's1ngularity', it was the first known supply chain attack to weaponize installed AI CLI tools (Claude, Gemini, q) for reconnaissance. The packages were live for about four hours and thousands of secrets were leaked.

References

https://github.com/nrwl/nx/security/advisories/GHSA-cxm3-wv7p-598c
https://snyk.io/blog/weaponizing-ai-coding-agents-for-malware-in-the-nx-malicious-package/
https://www.stepsecurity.io/blog/supply-chain-security-alert-popular-nx-build-system-package-compromised-with-data-stealing-malware

Related vulnerabilities

All Supply chain →

CRITICALGHSA-365W-HQF6-VXFG
Crawl4AI: Multiple Docker API Vulnerabilities - File Write, SSRF, Auth Bypass, XSS, JS Execution
CRITICALGHSA-QXJP-W3PJ-48M7
Crawl4AI: AST Sandbox Escape via gi_frame.f_back Chain - Pre-Auth RCE in Docker API
CRITICALGHSA-V5FF-9Q35-Q26F
Langflow: Unauthenticated RCE in Shareable Playgrounds
HIGHGHSA-Q8GQ-377P-JQ3R
vLLM: Security Check Bypass via assert Statement in Activation Function Loading Allows Arbitrary Code Execution
CRITICALNPM-SHAI-HULUD-2-2025
A renewed wave of the Shai-Hulud worm, dubbed Shai-Hulud 2.0 or 'The Second Coming', began around November 21-24, 2025 and affected tens of thousands of GitHub repositories across roughly 350 unique users. The variant moved execution to the pre-install phase, dropped large heavily obfuscated payloads (setup_bun.js and bun_environment.js), and exfiltrated stolen secrets to public GitHub repositories described as 'Sha1-Hulud: The Second Coming'. As an aggressive fallback, it attempted to destroy the victim's entire home directory if credential theft failed.
CRITICALNPM-SHAI-HULUD-2025
Shai-Hulud was the first self-replicating worm to hit the npm ecosystem, disclosed around September 15, 2025. Beginning with the compromise of @ctrl/tinycolor (over 2 million weekly downloads), the malware harvested developer credentials (npm tokens, GitHub PATs, and AWS/GCP/Azure secrets) using the TruffleHog secret scanner, then automatically authenticated to npm and republished trojanized versions of every package the victim maintained, spreading exponentially without operator intervention. It exfiltrated stolen secrets to attacker webhooks and public GitHub repositories and established persistence via a malicious GitHub Actions workflow. More than 500 packages were ultimately compromised, including several CrowdStrike packages.