On August 26, 2025, malicious versions of the widely used Nx build system package (`nx`, its legacy name `@nrwl/nx`, and related `@nx/*` modules) were published to the npm registry. These versions carried a post-install script (`telemetry.js`) that ran silently on Linux and macOS systems when the package was installed. The payload harvested highly sensitive developer assets: cryptocurrency wallets, GitHub and npm tokens, SSH keys, and more.
The threat was especially insidious: the malware weaponized locally installed AI CLI tools (Claude, Gemini, Q) by invoking them with permission-bypassing flags (`--dangerously-skip-permissions`, `--yolo`, `--trust-all-tools`), so the assistants performed file-system reconnaissance on the malware's behalf and fed the exfiltration. The stolen credentials and files were base64-encoded (double or triple) and pushed, using the victim's stolen GitHub token, to public repositories under the victim's own account named `s1ngularity-repository`, `s1ngularity-repository-0`, or `s1ngularity-repository-1`, which left the data readable by anyone who knew the pattern.
GitHub moved swiftly: on August 27, 2025 at 09:00 UTC it disabled all known attacker-created repositories. By then, however, the stolen data had been publicly accessible for roughly eight hours.
Which versions were affected?
Affected packages include, but are not limited to:
- `nx` and `@nrwl/nx`: 20.9.0, 20.10.0, 20.11.0, 20.12.0, 21.5.0, 21.6.0, 21.7.0, 21.8.0
- `@nx/devkit`: 20.9.0, 21.5.0
- `@nx/enterprise-cloud`: 3.2.0
- `@nx/eslint`: 21.5.0
- `@nx/js`: 20.9.0, 21.5.0
- `@nx/key`: 3.2.0
- `@nx/node`: 20.9.0, 21.5.0
- `@nx/workspace`: 20.9.0, 21.5.0
The scope of the compromise was vast. In some cases the malware ran on developer machines because the Nx Console VS Code extension installed the package automatically; in others it executed inside CI pipelines such as GitHub Actions, where the stolen tokens belonged to the pipeline rather than to an individual.
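A way to check your own lockfiles and installed packages against the list above, written for this page as an added example (it is not Exaforce's tooling and not code from the Nx project). It assumes an npm `package-lock.json` with `lockfileVersion` 2 or 3, whose `packages` map keys installed paths to entries carrying a `version`; the sample lockfile and `package.json` below are constructed for the demonstration, and the exact `postinstall` command line is an assumption.

```javascript
// Added example, not Exaforce's or the Nx project's code: check an npm
// lockfile and an installed package.json against the compromised versions.

// Versions from the affected-packages list on this page. "@nrwl/nx" is the
// legacy name of "nx", so it is given the same version set.
const NX_VERSIONS = ["20.9.0", "20.10.0", "20.11.0", "20.12.0",
                     "21.5.0", "21.6.0", "21.7.0", "21.8.0"];
const AFFECTED = {
  "nx": NX_VERSIONS,
  "@nrwl/nx": NX_VERSIONS,
  "@nx/devkit": ["20.9.0", "21.5.0"],
  "@nx/enterprise-cloud": ["3.2.0"],
  "@nx/eslint": ["21.5.0"],
  "@nx/js": ["20.9.0", "21.5.0"],
  "@nx/key": ["3.2.0"],
  "@nx/node": ["20.9.0", "21.5.0"],
  "@nx/workspace": ["20.9.0", "21.5.0"],
};

// Package name from a lockfile "packages" key, e.g. "node_modules/@nx/devkit"
// or a nested copy such as "node_modules/foo/node_modules/nx". The root
// entry ("") has no node_modules segment and yields null.
function packageNameFromPath(path) {
  const idx = path.lastIndexOf("node_modules/");
  return idx === -1 ? null : path.slice(idx + "node_modules/".length);
}

// Scan a parsed package-lock.json (lockfileVersion 2 or 3, which list every
// installed path under "packages"). Returns one hit per installed copy that
// is pinned to a compromised version, nested copies included.
function findAffectedPackages(lockfile) {
  const hits = [];
  for (const [path, entry] of Object.entries(lockfile.packages || {})) {
    const name = packageNameFromPath(path);
    if (!name || !entry.version) continue;
    if ((AFFECTED[name] || []).includes(entry.version)) {
      hits.push({ path, name, version: entry.version });
    }
  }
  return hits;
}

// Second signal for an already-installed copy: the malicious releases ran
// telemetry.js from a postinstall hook, so check node_modules/nx/package.json
// (or any package's) for a postinstall that references that file.
function hasTelemetryPostinstall(pkgJson) {
  const hook = (pkgJson.scripts && pkgJson.scripts.postinstall) || "";
  return /\btelemetry\.js\b/.test(hook);
}

// Constructed sample lockfile for the demonstration (not a real project):
// one direct hit (nx 21.5.0), one clean @nx package, one nested hit.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/nx": { version: "21.5.0" },
    "node_modules/@nx/devkit": { version: "21.4.1" },
    "node_modules/some-tool/node_modules/@nx/js": { version: "20.9.0" },
    "node_modules/left-pad": { version: "1.3.0" },
  },
};

// Constructed sample package.json shaped like a malicious nx release
// (assumption: the hook was a plain "node telemetry.js").
const SAMPLE_NX_PKG = {
  name: "nx",
  version: "21.5.0",
  scripts: { postinstall: "node telemetry.js" },
};

console.log(findAffectedPackages(SAMPLE_LOCK));
// -> nx 21.5.0 at node_modules/nx and @nx/js 20.9.0 at the nested path
console.log(hasTelemetryPostinstall(SAMPLE_NX_PKG)); // -> true
```

To run it against a real checkout, replace `SAMPLE_LOCK` with `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))` and `SAMPLE_NX_PKG` with the parsed `node_modules/nx/package.json`. Two caveats: a `lockfileVersion` 1 lockfile nests installs under `dependencies` instead of `packages` and is not handled here, and pnpm and Yarn lockfiles use different layouts entirely. A clean lockfile also does not clear a machine that ran a compromised version through the Nx Console extension, which installs the package outside the project's lockfile.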
What It Meant
This incident highlighted the devastating potential of modern, AI-assisted supply-chain attacks. By installing a trusted package, without triggering any obvious alarm, developers inadvertently exposed countless sensitive assets. Because the exfiltration repositories were public, the loss was immediate and concrete: anyone who knew the naming pattern could read the stolen secrets.
Exaforce’s response: Rapid and proactive
Assurance of no customer impact
Immediately upon learning of the attack, the Exaforce MDR team conducted proactive checks across its customer environments. The results were clear and reassuring:
- No customers had installed any of the compromised Nx package versions.
- No malicious repositories had been created or existed within any customer GitHub accounts, infrastructure, or pipelines.
This proactive verification established that, to date, no customer has been impacted by this supply-chain compromise. We promptly informed customers through their preferred messaging platforms that the attack did not affect them.
Enhanced risk monitoring
To strengthen defenses against future supply-chain compromises, Exaforce has deployed a new Supply Chain Security risk rule. This rule continuously scans customer environments for repository patterns like those used in the recent Nx compromise.
Specifically, it flags repositories whose names follow the convention the attackers used to publish exfiltrated secrets and stolen credentials (`s1ngularity-repository` and its numbered variants). By surfacing these high-risk repositories early, the rule lets teams quickly review, validate, and remove unauthorized repositories before the exposed secrets can be abused.
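An added example (not Exaforce's risk rule and not code from the original post) of the two checks this section and the introduction describe: matching repository names against the `s1ngularity-repository` convention, and peeling the double or triple base64 encoding off a flagged repository's contents to see what was exposed. The audit-event shape (`action`, `repo`, `actor`), the `repo.create` action name, and the sample results file are assumptions constructed for the demonstration, not real customer data.

```javascript
// Added example, not Exaforce's risk rule: flag repository creations whose
// names follow the s1ngularity convention, then peel the layered base64 off
// a flagged repository's contents to see what was exposed.

// Names used in the attack: s1ngularity-repository, -0 and -1. The optional
// numeric suffix is matched generically and case is ignored.
const S1NGULARITY_REPO = /^s1ngularity-repository(-\d+)?$/i;

// Rule over audit-log style events. The event shape {action, repo, actor}
// and the "repo.create" action name are assumptions for this example.
// Only repository creations are scored; returns the flagged events.
function flagSuspiciousRepos(events) {
  return events.filter((e) => {
    if (e.action !== "repo.create") return false;
    const name = e.repo.split("/").pop(); // "org/name" -> "name"
    return S1NGULARITY_REPO.test(name);
  });
}

// Strict check: only the base64 alphabet, padded to a multiple of four.
// Plain JSON or shell output fails this, which is what stops the loop.
function looksLikeBase64(s) {
  const t = s.replace(/\s+/g, "");
  return t.length > 0 && t.length % 4 === 0 && /^[A-Za-z0-9+/]+={0,2}$/.test(t);
}

// Decode repeatedly (the malware used two or three layers) until the output
// no longer looks like base64 or is not valid UTF-8. Returns the innermost
// text and how many layers were removed.
function peelBase64(text, maxLayers = 5) {
  let current = text;
  let layers = 0;
  while (layers < maxLayers && looksLikeBase64(current)) {
    const decoded = Buffer.from(current.replace(/\s+/g, ""), "base64").toString("utf8");
    if (decoded.includes("\uFFFD")) break; // decoding produced non-UTF-8 bytes
    current = decoded;
    layers += 1;
  }
  return { text: current, layers };
}

// Helper for building the constructed sample: wrap a string in n base64 layers.
function encodeLayers(s, n) {
  let out = s;
  for (let i = 0; i < n; i++) out = Buffer.from(out, "utf8").toString("base64");
  return out;
}

// Constructed audit events (no real organisation or users).
const SAMPLE_EVENTS = [
  { action: "repo.create", repo: "acme-dev/s1ngularity-repository-0", actor: "dev-alice" },
  { action: "repo.create", repo: "acme-dev/frontend-monorepo", actor: "dev-bob" },
  { action: "repo.destroy", repo: "acme-dev/s1ngularity-repository", actor: "sec-team" },
  { action: "repo.create", repo: "acme-dev/S1ngularity-Repository-1", actor: "dev-carol" },
];

// Constructed stand-in for an exfiltrated results file, triple-encoded.
// The token below is a placeholder, not a real credential.
const SAMPLE_PLAINTEXT = JSON.stringify({
  github_token: "ghp_EXAMPLE_NOT_A_REAL_TOKEN",
  files: ["~/.ssh/id_ed25519", "~/.npmrc"],
});
const SAMPLE_RESULTS_B64 = encodeLayers(SAMPLE_PLAINTEXT, 3);

console.log(flagSuspiciousRepos(SAMPLE_EVENTS).map((e) => e.repo));
// -> ["acme-dev/s1ngularity-repository-0", "acme-dev/S1ngularity-Repository-1"]
console.log(peelBase64(SAMPLE_RESULTS_B64)); // -> { text: <the JSON above>, layers: 3 }
```

The name rule is deliberately narrow so it produces few false positives; a repository that matches it but was not created by the attack should still be treated as a finding, since the pattern has no legitimate use. The decoder stops on the first layer that is not strict base64 or does not decode to valid UTF-8, which is what keeps it from mangling plaintext such as a four-letter word that happens to be in the base64 alphabet.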

Rapid and simple investigation
Exabot Search also lets analysts quickly check the potential impact of an event like the Nx supply-chain attack across the entire environment. You can search for IoCs with a query such as `Can you go through this blog about a github vulnerability: https://www.stepsecurity.io/blog/supply-chain-security-alert-popular-nx-build-system-package-compromised-with-data-stealing-malware. Please extract the indicators of compromise and tell me if i am impacted in my environment?`. Exabot Search correlates events from different sources and returns the results in a structured, easy-to-read format, which shortens the time needed to determine whether an incident or new threat affects your systems.
See the workflow in the demo below:
Final thoughts
The s1ngularity incident is a sobering reminder of how modern threat actors are innovating with AI tools and exploiting supply-chain trust. Exaforce’s swift response, verifying zero customer exposure and proactively enhancing detection mechanisms, demonstrates how vigilance and responsive action can turn a potential disaster into a controlled event. By staying alert, preparing risk-based detection rules, and monitoring behaviors, not just packages, we ensure that even next-generation attacks are caught early.