CyberHappenings logo
🏠 Home 📂 Browse ℹ️ About

Malicious nx Packages Exfiltrate 2,349 GitHub, Cloud, and AI Credentials in Supply Chain Attack

First reported
Last updated
📰 3 unique sources, 3 articles

Summary

Hide ▲

A supply chain attack on the nx build system compromised multiple npm packages, leading to the exfiltration of 2,349 GitHub, cloud, and AI credentials. The attack unfolded in three distinct phases, impacting 2,180 accounts and 7,200 repositories. The attack exploited a vulnerable workflow in the nx repository to publish malicious versions of the nx package and supporting plugins. The compromised packages scanned file systems for credentials and sent them to attacker-controlled GitHub repositories. The attack impacted over 1,346 repositories and affected Linux and macOS systems. The nx maintainers identified the root cause as a vulnerable workflow added on August 21, 2025, that allowed for the injection of executable code via a pull request title. The malicious packages were published on August 26, 2025, and have since been removed from the npm registry. The attackers leveraged the GITHUB_TOKEN to trigger the publish workflow and exfiltrate the npm token. The malicious postinstall script scanned systems for text files, collected credentials, and sent them to publicly accessible GitHub repositories. The script also modified .zshrc and .bashrc files to shut down the machine immediately upon user interaction. The nx maintainers have rotated npm and GitHub tokens, audited activities, and updated publish access to require two-factor authentication. Wiz researchers identified a second attack wave impacting over 190 users/organizations and over 3,000 repositories. The second wave involved making private repositories public and creating forks to preserve data. GitGuardian's analysis revealed that 33% of compromised systems had at least one LLM client installed, and 85% were running Apple macOS. The attack took approximately four hours from start to finish. AI-powered CLI tools were used to dynamically scan for high-value secrets. The malware created public repositories on GitHub to store stolen data. The attack impacted over 1,000 developers, exfiltrating around 20,000 sensitive files. The malware modified shell startup files to crash systems upon terminal access. The attack was detected by multiple cybersecurity vendors. The malicious packages were removed from npm at 2:44 a.m. UTC on August 27, 2025. GitHub disabled all singularity-repository instances by 9 a.m. UTC on August 27, 2025. Around 90% of leaked GitHub tokens remain active as of August 28, 2025.

Timeline

  1. 06.09.2025 17:11 📰 1 articles

    Nx Team Implements Enhanced Security Measures

    The Nx team has implemented several security enhancements in response to the attack. These include adopting NPM's Trusted Publisher model, which eliminates token-based publishing, and adding manual approval for PR-triggered workflows. These measures aim to prevent future compromises and strengthen the security of the nx build system. The attackers used AI-powered CLI tools to dynamically scan for high-value secrets, evolving their techniques over time. The Nx team's response includes rotating npm and GitHub tokens, auditing activities, and updating publish access to require two-factor authentication. These actions are part of a broader effort to mitigate the impact of the attack and enhance the security of the nx ecosystem.

    Show sources
    Open in new tab
  2. 28.08.2025 21:39 📰 1 articles

    AI-Powered Stealer Exfiltrates 20,000 Sensitive Files

    The attack took approximately four hours from start to finish. AI-powered CLI tools were used to dynamically scan for high-value secrets. The malware created public repositories on GitHub to store stolen data. The attack impacted over 1,000 developers, exfiltrating around 20,000 sensitive files. The malware modified shell startup files to crash systems upon terminal access. The attack was detected by multiple cybersecurity vendors. The malicious packages were removed from npm at 2:44 a.m. UTC on August 27, 2025. GitHub disabled all singularity-repository instances by 9 a.m. UTC on August 27, 2025. Around 90% of leaked GitHub tokens remain active as of August 28, 2025.

    Show sources
    Open in new tab
  3. 28.08.2025 13:36 📰 3 articles

    Malicious nx Packages Exfiltrate 2,349 GitHub, Cloud, and AI Credentials in Supply Chain Attack

    A supply chain attack on the nx build system compromised multiple npm packages, leading to the exfiltration of 2,349 GitHub, cloud, and AI credentials. The attack exploited a vulnerable workflow in the nx repository to publish malicious versions of the nx package and supporting plugins. The compromised packages scanned file systems for credentials and sent them to attacker-controlled GitHub repositories. The attack impacted over 1,346 repositories and affected Linux and macOS systems. The nx maintainers identified the root cause as a vulnerable workflow added on August 21, 2025, that allowed for the injection of executable code via a pull request title. The malicious packages were published on August 26, 2025, and have since been removed from the npm registry. The attackers leveraged the GITHUB_TOKEN to trigger the publish workflow and exfiltrate the npm token. The malicious postinstall script scanned systems for text files, collected credentials, and sent them to publicly accessible GitHub repositories. The script also modified .zshrc and .bashrc files to shut down the machine immediately upon user interaction. The attack unfolded in three distinct phases, impacting 2,180 accounts and 7,200 repositories. The first phase impacted 1,700 users, leaking over 2,000 unique secrets and 20,000 files. The second phase compromised an additional 480 accounts, exposing 6,700 private repositories. The third phase targeted a single victim organization, publishing an additional 500 private repositories. The attackers used AI-powered CLI tools to dynamically scan for high-value secrets, evolving their techniques over time. The Nx team adopted NPM's Trusted Publisher model and added manual approval for PR-triggered workflows to prevent future compromises. The nx maintainers have rotated npm and GitHub tokens, audited activities, and updated publish access to require two-factor authentication. Wiz researchers identified a second attack wave impacting over 190 users/organizations and over 3,000 repositories. The second wave involved making private repositories public and creating forks to preserve data. GitGuardian's analysis revealed that 33% of compromised systems had at least one LLM client installed, and 85% were running Apple macOS. The attack took approximately four hours from start to finish. AI-powered CLI tools were used to dynamically scan for high-value secrets. The malware created public repositories on GitHub to store stolen data. The attack impacted over 1,000 developers, exfiltrating around 20,000 sensitive files. The malware modified shell startup files to crash systems upon terminal access. The attack was detected by multiple cybersecurity vendors. The malicious packages were removed from npm at 2:44 a.m. UTC on August 27, 2025. GitHub disabled all singularity-repository instances by 9 a.m. UTC on August 27, 2025. Around 90% of leaked GitHub tokens remain active as of August 28, 2025.

    Show sources
    Open in new tab

Information Snippets

Similar Happenings

Cursor AI editor autoruns malicious code in repositories

A flaw in the Cursor AI editor allows malicious code in repositories to autorun on developer devices. This vulnerability can lead to malware execution, environment hijacking, and credential theft. The issue arises from Cursor disabling the Workspace Trust feature from VS Code, which prevents automatic task execution without explicit user consent. The flaw affects one million users who generate over a billion lines of code daily. The Cursor team has decided not to fix the issue, citing the need to maintain AI and other features. They recommend users enable Workspace Trust manually or use basic text editors for unknown projects. The flaw is part of a broader trend of prompt injections and jailbreaks affecting AI-powered coding tools.

Open in new tab

TOR-based Cryptojacking Campaign Targets Misconfigured Docker APIs

A new variant of a TOR-based cryptojacking campaign targets misconfigured Docker APIs to propagate malware. The attack chain involves exploiting exposed Docker instances to deploy XMRig miners and reconnaissance tools. The malware also scans for additional ports and attempts to propagate via Telnet and Chromium remote debugging ports. The campaign may be setting up a complex botnet. The attack leverages Base64-encoded payloads and TOR domains for anonymity. It includes a dropper written in Go that parses user login information and uses Masscan for further propagation. The malware's source code includes an emoji, suggesting it may have been crafted using a large language model (LLM). The attackers mount the host root to the fresh container, allowing them to manipulate the host system and escape the container. The attackers modify the SSH configuration of the host system to elevate privileges and provide backdoor access. The attackers create a cron job that executes every minute to block access to the Docker API’s port 2375, denying other attackers future access to the exposed instance. The threat actors deploy tools to perform mass scans for other open 2375 ports, which are used for malware propagation through the creation of new containers using the identified exposed APIs. The malware installs curl and tor, launches a Tor daemon, and waits for confirmation of the connection by accessing Amazon's checkip.amazonaws.com service over a SOCKS5 proxy. The malware appends an attacker-controlled public key to /root/.ssh/authorized_keys on the mounted host filesystem to enable persistent SSH access. The malware writes a base64-encoded cron job on the host, which executes every minute and blocks external access to port 2375 using available firewall utilities. The malware downloads a Zstandard-compressed Go binary over Tor, decompresses it, and runs it as a dropper. The Go binary parses the host’s utmp file to identify logged-in users. The malware attempts to infect other exposed Docker APIs and removes competitor containers after gaining access. The malware includes inactive logic for exploiting Telnet (port 23) using default router credentials and for interacting with Chrome’s remote debugging interface (port 9222). The malware's behavior suggests it is an initial version of a complex botnet with capabilities for lateral movement, persistence, and potential future expansion for credential theft and browser hijacking. The campaign highlights the importance of securing Docker APIs and segmenting networks to prevent such attacks.

Open in new tab

Malicious npm Packages Target Ethereum Developers, Steal Wallet Keys

Four malicious npm packages impersonating legitimate cryptographic utilities and Flashbots infrastructure have been discovered. These packages, uploaded by a user named 'flashbotts', exfiltrate private keys and mnemonic seeds to a Telegram bot controlled by the threat actor. The packages were uploaded between September 2023 and August 2025 and remain available for download. The packages are designed to steal cryptocurrency wallet credentials from Ethereum developers, leveraging the trust associated with the Flashbots platform. The most dangerous package, '@flashbotts/ethers-provider-bundle', redirects unsigned transactions to an attacker-controlled wallet and logs metadata from pre-signed transactions. Other packages, such as 'sdk-ethers' and 'flashbot-sdk-eth', also exfiltrate private keys and mnemonic seed phrases. The threat actor's Vietnamese language comments in the source code suggest a financially motivated attack, targeting the Ethereum ecosystem's trust to conduct software supply chain attacks.

Open in new tab

TAG-150 Expands Operations with CastleRAT in Python and C

The threat actor TAG-150, known for CastleLoader malware, has developed a new remote access trojan named CastleRAT. CastleRAT is available in both Python and C variants, and it is used to collect system information, execute commands, and download additional payloads. CastleRAT's development began in March 2025, and it is part of a multi-tiered infrastructure used by TAG-150. The malware is distributed through phishing attacks, fraudulent GitHub repositories, and other methods. The Python variant, also known as PyNightshade, and the C variant have different capabilities. The C variant includes keylogging, screenshot capture, file upload/download, and cryptocurrency clipper functionality. CastleRAT uses Steam Community profiles as dead drop resolvers for command-and-control (C2) servers. TAG-150 has been active since at least March 2025, using CastleLoader as an initial access vector for various secondary payloads, including remote access trojans, information stealers, and other loaders. TAG-150's operations have targeted critical infrastructure, including U.S. government agencies, and have been linked to a Play Ransomware attack against a French organization. The group's MaaS operation is likely promoted within closed circles, indicating a sophisticated and connected user base. TAG-150 is likely to develop and release additional malware in the near term and expand its distribution efforts.

Open in new tab

Multi-year phishing-as-a-service operation on Google Cloud and Cloudflare

A large-scale phishing-as-a-service (PhaaS) operation has been running undetected for over three years on Google Cloud and Cloudflare platforms. The scheme involved 48,000 hosts and 80 clusters, using expired domains to impersonate high-profile brands and deliver malware and gambling content. The operation exposed companies to regulatory and legal risks and victims to credential theft and data exposure. The campaign was discovered by Deep Specter Research, which found that the operation used cloaking techniques to manipulate search engine rankings and hide illicit content. The infrastructure included 86 physical IP addresses on Google Cloud in Hong Kong and Taiwan, along with 44,000 virtual IP addresses from Google Cloud and 4,000 from other providers. The operation impacted 200 known organizations, including Fortune 500 companies. The discovery highlights the need for companies to actively monitor and secure their expired or dormant domains to prevent such abuses.

Open in new tab