Wiz says Nx s1ngularity hit by network compromise
Incident
Summary
A Wiz post-incident evaluation of the Nx "s1ngularity" supply-chain attack found that compromise of the Nx NPM ecosystem exposed 2,180 accounts and 7,200 repositories across three phases. The attack began on August 26, 2025, when attackers abused a flawed GitHub Actions workflow to publish a malicious package carrying telemetry.js. The payload acted as a credential stealer on Linux and macOS, targeting GitHub tokens, npm tokens, SSH keys, .env files, and crypto wallets. Stolen secrets were then used to flip private repositories public and widen the blast radius, while many leaked secrets remained valid and the impact continued to unfold.
Related Happenings
Bitwarden hit by network compromise
Incident
First: 23.04.2026 22:21
Last: 23.04.2026 22:21
Sources: 1
About this happening:
**Bitwarden**'s **@bitwarden/cli** distribution channel was compromised when a malicious package briefly appeared on **npm**, putting developers who installed it at risk of **cred...
Prt-scan GitHub Actions secret-theft campaign
Campaign
First: 22.04.2026 20:33
Last: 22.04.2026 20:33
Sources: 1
About this happening:
The **prt-scan** campaign has been systematically abusing **pull_request_target** GitHub Actions workflows to steal developer secrets and, when possible, publish **malicious packa...
Prt-scan GitHub pull_request_target supply-chain campaign
Campaign
First: 07.04.2026 00:38
Last: 07.04.2026 00:38
Sources: 1
About this happening:
The **prt-scan** campaign used **AI-assisted automation** to scale a broad **GitHub supply-chain** operation, increasing risk for repositories configured with `pull_request_target...
UNC1069 open-source maintainer social-engineering campaign
Campaign
First: 04.04.2026 23:30
Last: 04.04.2026 23:30
Sources: 1
About this happening:
UNC1069's **coordinated social-engineering campaign** against **Node.js and npm maintainers** has widened, with multiple developers reporting the same lure pattern and the potenti...
Latest development: 06.04.2026 23:55
Security researcher Taylor Monahan and Socket reported that members of the open source software community, including Socket engineers and CEO Feross Aboukhadijeh, were targeted by the same slow-burn LinkedIn, Slack, and Microsoft Teams social engineering playbook used against Axios maintainer Jason Saayman, indicating the campaign was wider than a single Axios compromise.
WAVESHAPER.V2 trojanized Axios npm packages
Malware Activity
First: 03.04.2026 14:04
Last: 03.04.2026 14:04
Sources: 1
About this happening:
The **WAVESHAPER.V2** implant was embedded in **trojanized Axios npm package releases**, creating downstream supply-chain risk for **npm users**. The malicious code was published...
Timeline
- 06.09.2025 17:11 · 1 article · 8mo ago
Wiz quantifies Nx s1ngularity blast radius at 2,180 accounts and 7,200 repositories
Campaign Scope Update: Wiz's post-incident evaluation of the Nx "s1ngularity" supply-chain attack found that compromise of the Nx NPM ecosystem exposed 2,180 accounts and 7,200 repositories across three phases, and that many leaked secrets remain valid, so the effect is still unfolding.
- AI-powered malware hit 2,180 GitHub accounts in “s1ngularity” attack — www.bleepingcomputer.com — 06.09.2025 17:11
- 28.08.2025 21:39 · 2 articles · 9mo ago
Initial report: More than 1,000 JavaScript developers hit by network compromise
Initial Disclosure: Attackers abused **Nx** package publishing overnight on **Aug. 26, 2025**, infecting developer systems before the malicious uploads were taken down. The first-stage compromise distributed **telemetry.js** to victim environments and enabled secret theft from local machines and build workflows.
- 1,000+ Devs Lose Their Secrets to an AI-Powered Stealer — www.darkreading.com — 28.08.2025 21:39