At least one bad actor targeted the Nx build system package in a supply chain attack this week, in which they stole an Nx NPM token that allowed them to publish malicious versions of the package to the registry and steal credentials and other data.

The maintainers of Nx this week alerted users to the attack, writing that “malicious versions of the Nx package, as well as some supporting plugin packages, were published to npm, containing code that scans the file system, collects credentials, and posts them to GitHub as a repo under user’s accounts.”

At the center of the attack – which was named “s1ngularity” – was the introduction of a vulnerable workflow on August 21, according to the alert. The workflow enabled an attacker to inject executable code. They said the vulnerability was reverted on the master branch almost immediately after it was determined to be malicious, but the move wasn’t enough. The bad actor was able to make a pull request that targeted an outdated branch that included the vulnerable workflow. It was through that branch that the attack was launched.

A day after the vulnerable workflow was introduced, the Nx team saw a post on X (formerly Twitter) that noted the workflow contained an injection exploit, and they reverted it. However, the flaw was still exploited on August 24, and moves were made over two days to fix the issues and shore up protections.

A Second Wave of Attack

However, security researchers with cybersecurity firms Wiz and StepSecurity – pointing to alerts from security researchers Brian Kohan and Adnan Khan – wrote on August 28 about a second wave of attacks stemming from the leaked Nx credentials. In an update to a blog, the Wiz researchers wrote that an attacker – whether the same or another one – “appears to be using the previously compromised GitHub tokens to turn private repositories public and rename them to the pattern s1ngularity-repository-#5letters#.”

Nx is an open source and technology-agnostic build platform that developers use to manage codebases at scale. It’s a popular package in NPM, with more than 3.5 million downloads every week.

An Outdated Branch

According to the Nx maintainers, the day after the vulnerable workflow was reverted, they saw that a pull request (PR) was made on a fork of the nrwl/nx repository targeting the outdated branch and stealing a GITHUB_TOKEN with read/write repository permissions.

“Retroactively (we were not aware of this event until later), from our Github audit logs, we saw a PR was created from a fork to the nrwl/nx repo with the malicious commit which triggers the PR validation workflow with a PR title which injects and executes malicious code,” they wrote on GitHub, adding that the pull request has been deleted.

Also in their GitHub audit logs, they saw a different workflow – publish.yml – and said they believe “this publish.yml workflow was triggered by the PR validation workflow stemming from the PR creation.”

They called publish.yml their “most permissive pipeline. It is responsible for publishing the Nx packages and therefore has access to the npm token via a GitHub Secret.” They had ensured that only their team could use the pipeline. However, with the elevated permissions from the pull request validation workflow, the publish.yml workflow was run on the nrwl/nx repository.
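The PR-title injection the maintainers describe comes from expanding a contributor-controlled value inside a workflow's shell script. The following check is an added example, not code from the Nx project or the researchers; the two workflow texts are constructed, and the `pull_request_target` trigger in the first is an assumption, since the article does not reproduce the Nx workflow.

```python
import re

# Contexts whose value is chosen by whoever opens the pull request or issue.
UNTRUSTED = re.compile(
    r"\$\{\{\s*(github\.(?:head_ref|event\.(?:pull_request|issue|comment)\.(?:title|body|head\.ref)))\s*\}\}"
)
RUN_KEY = re.compile(r"^(\s*(?:-\s+)?)run:\s*(.*)$")

def find_injectable_expressions(workflow_text):
    """Return (line, context) for untrusted ${{ }} values expanded inside run: scripts."""
    findings = []
    run_col = None  # column of the run: key while inside its block scalar
    for number, line in enumerate(workflow_text.splitlines(), start=1):
        key = RUN_KEY.match(line)
        if key:
            block = key.group(2)[:1] in ("|", ">")
            run_col = len(key.group(1)) if block else None
            if not block:  # one-line script: scan it directly
                findings += [(number, c) for c in UNTRUSTED.findall(key.group(2))]
        elif run_col is not None and line.strip():
            if len(line) - len(line.lstrip()) <= run_col:
                run_col = None  # dedent: the script body has ended
            else:
                findings += [(number, c) for c in UNTRUSTED.findall(line)]
    return findings

# Constructed workflows (not the Nx files): the same title check written two ways.
VULNERABLE = """\
on: pull_request_target
jobs:
  validate:
    runs-on: ubuntu-latest
    steps:
      - name: Check title
        run: |
          echo "${{ github.event.pull_request.title }}" | grep -E '^(feat|fix)'
"""
HARDENED = """\
on: pull_request
jobs:
  validate:
    runs-on: ubuntu-latest
    steps:
      - name: Check title
        env:
          PR_TITLE: ${{ github.event.pull_request.title }}
        run: |
          echo "$PR_TITLE" | grep -E '^(feat|fix)'
"""
```

Because the incident used a pull request aimed at an outdated branch, a check like this is only useful if it is run against every branch that still carries workflow files, not just the default one.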

Eight malicious Nx packages, August 26 and later, with all of the NPM tokens that had permissions to publish being revoked. Soon after, all NPM packages under Nx were set to require two-factor authentication and could no longer be published with NPM tokens, with the maintainers adding that “all NPM packages have also been changed to use the new Trusted Publisher mechanism, which does not utilize NPM tokens.”

Attack Methods are Evolving

GitGuardian researchers wrote that “this supply chain attack combines credential theft, environmental sabotage, and novel attack vectors, offering a glimpse into future threats. The malicious Nx packages systematically scanned infected systems for valuable credentials, including GitHub tokens, npm authentication keys, SSH private keys, environment variable API keys, and cryptocurrency wallet files.”

The scanning function searched common file locations and environment variables, showing what they called a “comprehensive approach to credential harvesting” used to enable lateral movement. The stolen credentials were then posted to public GitHub repositories with the “s1ngularity-repository” name. They used a double-base64 encoding process that the researchers wrote suggested an effort to evade detection.
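For responders checking their own accounts, the repository names and the double-base64 encoding reported above can be turned into a local triage step. This is an added example, not code from the researchers; the repository records, the placeholder tokens, and the reading of "#5letters#" as five ASCII letters are assumptions.

```python
import base64
import binascii
import re

PREFIX = "s1ngularity-repository"
# Assumption: "#5letters#" in the reported pattern means five ASCII letters.
WAVE_TWO = re.compile(r"^s1ngularity-repository-[A-Za-z]{5}$")
# Publicly documented token prefixes, used only to decide what to rotate.
TOKEN_KINDS = {
    "github_oauth": re.compile(r"\bgho_[A-Za-z0-9]{36}\b"),
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "npm_token": re.compile(r"\bnpm_[A-Za-z0-9]{36}\b"),
}

def flag_repos(repos):
    """Map each campaign-named repo to the wave its name matches and its exposure."""
    return {
        r["name"]: {"wave": 2 if WAVE_TWO.match(r["name"]) else 1, "public": not r["private"]}
        for r in repos if r["name"].startswith(PREFIX)
    }

def peel_double_base64(blob):
    """Undo two base64 layers; return None if either layer is not valid base64."""
    data = blob
    for _ in range(2):
        try:
            data = base64.b64decode(data, validate=True)
        except (binascii.Error, ValueError):
            return None
    return data

def credential_kinds(blob):
    """Name the token types present in a double-encoded blob without echoing them."""
    decoded = peel_double_base64(blob)
    if decoded is None:
        return []
    text = decoded.decode("utf-8", errors="replace")
    return sorted(kind for kind, rx in TOKEN_KINDS.items() if rx.search(text))

# Constructed sample data: repo records and placeholder tokens, not real values.
SAMPLE_REPOS = [
    {"name": "web-frontend", "private": True},
    {"name": "s1ngularity-repository", "private": False},
    {"name": "s1ngularity-repository-qwxyz", "private": False},
]
SAMPLE_TEXT = "token=ghp_" + "A" * 36 + "\n_authToken=npm_" + "B" * 36 + "\n"
SAMPLE_BLOB = base64.b64encode(base64.b64encode(SAMPLE_TEXT.encode()))
```

Any credential type this reports should be treated as exposed and rotated, whether or not the repository has since been taken down.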

“One particularly novel element was the attempt to leverage LLM (Large Language Model) clients as vectors for enumerating secrets on victims’ machines,” they wrote. “The attackers specifically targeted configuration files and authentication tokens related to popular AI CLI tools like Claude, Gemini, and Q, recognizing that these tools often require elevated permissions and access to sensitive development environments.”

Thousands of Secrets Leaked

GitGuardian said they detected 1,346 repositories in the s1ngularity attack and 2,349 secrets were leaked, with the bulk being GitHub OAuth keys and personal access tokens. Others included Google AI, Amazon Web Services, OpenAI, and Anthropic’s Claude.

Wiz researchers said 90% of the more than 1,000 GitHub tokens that were leaked are still valid.

They noted that in the second wave – which appears to be suspended, they wrote today – more than 400 users and organizations were and more than 5,500 repositories were published.

“In a second phase, an attacker used the leaked GitHub tokens from phase one to make victim’s private repositories public,” they wrote. “These changes appeared to be driven by a single-threaded automation, running between August 28 and 29.”

A Sophisticated Supply Chain Attack

Researchers with StepSecurity echoed GitGuardian’s statements about the changing nature of supply-chain attacks represented by the s1ngularity incident.

“Given the popularity of the Nx ecosystem, and the novelty of AI tool abuse, this incident highlights the evolving sophistication of supply chain attacks,” they wrote. “The malware did more than just steal SSH keys, npm tokens, and .gitconfig files – it weaponized AI CLI tools (including Claude, Gemini, and q) to aid in reconnaissance and data exfiltration. This marks the first known case where attackers have turned developer AI assistants into tools for supply chain exploitation.”
