Nx hit by network compromise

Incident
Happening score: 21
1 unique source, 1 article

Summary

The nx package ecosystem suffered a supply-chain compromise that let attackers publish rogue npm releases and expose developer systems and credentials. The malicious packages used a postinstall script to scan files, collect secrets, and upload them to attacker-controlled GitHub repositories, creating immediate risk for anyone who installed the tainted versions.

Related Happenings

Bitwarden hit by network compromise

Incident
First: 23.04.2026 22:21 Last: 23.04.2026 22:21 Sources 1

About this happening: **Bitwarden**'s **@bitwarden/cli** distribution channel was compromised when a malicious package briefly appeared on **npm**, putting developers who installed it at risk of **cred...

UNC1069 open-source maintainer social-engineering campaign

Campaign
First: 04.04.2026 23:30 Last: 04.04.2026 23:30 Sources 1

About this happening: UNC1069's **coordinated social-engineering campaign** against **Node.js and npm maintainers** has widened, with multiple developers reporting the same lure pattern and the potenti...

Latest development: 06.04.2026 23:55

Security researcher Taylor Monahan and Socket reported that members of the open source software community, including Socket engineers and CEO Feross Aboukhadijeh, were targeted by the same slow-burn LinkedIn, Slack, and Microsoft Teams social engineering playbook used against Axios maintainer Jason Saayman, indicating the campaign was wider than a single Axios compromise.

WAVESHAPER.V2 trojanized Axios npm packages

Malware Activity
First: 03.04.2026 14:04 Last: 03.04.2026 14:04 Sources 1

About this happening: The **WAVESHAPER.V2** implant was embedded in **trojanized Axios npm package releases**, creating downstream supply-chain risk for **npm users**. The malicious code was published...

Claude Code trojanized HTTP client delivery via npm

Malware Activity
First: 01.04.2026 09:12 Last: 01.04.2026 09:12 Sources 1

About this happening: The **npm** distribution path for **Claude Code** exposed some users to a **trojanized HTTP client**, creating a possible **cross-platform remote access trojan** delivery route. S...

Axios JavaScript NPM package hit by network compromise

Incident
First: 31.03.2026 23:55 Last: 31.03.2026 23:55 Sources 1

About this happening: **Axios** suffered a **supply-chain compromise** after malicious versions were published to **NPM**, creating a high-risk exposure for developers and downstream consumers. The mal...

Latest development: 13.04.2026 20:39

OpenAI is revoking and rotating potentially exposed macOS code-signing certificates after a GitHub Actions workflow executed compromised Axios version 1.14.1 during the March 31, 2026 supply chain attack. The certificate was used to sign OpenAI macOS apps including ChatGPT Desktop, Codex, Codex CLI, and Atlas, and macOS users must update to versions signed with the new certificate before the old certificate is fully revoked on May 8, 2026.

Timeline

  1. 28.08.2025 13:36 · 1 article

    Vulnerable pull_request_target workflow in nx enables executable code injection

    Technical Analysis Update

    nx maintainers traced the compromise to a workflow added on August 21, 2025 that allowed a specially crafted pull request title to inject executable code; the pull_request_target trigger ran with elevated GITHUB_TOKEN permissions, and the workflow was later reverted in master after it was found exploitable in a malicious context.

  2. 28.08.2025 13:36 · 1 article

    Attackers publish malicious nx packages to npm and steal credentials

    Exploitation Observed

    On August 26, 2025, malicious versions of nx and supporting plugin packages were published to npm after the compromised publishing path exposed the npm token; the rogue releases scanned the file system, collected credentials, posted them to GitHub repositories named s1ngularity-repository, and modified .zshrc and .bashrc to trigger sudo shutdown -h 0.

  3. 28.08.2025 13:36 · 2 articles

    Compromised GitHub tokens expose nx users and thousands of repositories

    Campaign Scope Update

    By August 28, 2025, Wiz said a second attack wave had impacted over 190 users/organisations and more than 3000 repositories, with attackers using compromised GitHub tokens to turn private repositories public, rename them to the s1ngularity-repository-#5letters# pattern, and create forks to preserve the data.
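
As an added example (not code from the cited reports or from the nx project), the script below checks for the two indicators named in the timeline: an active `sudo shutdown -h 0` line in `.zshrc` or `.bashrc`, and repositories named `s1ngularity-repository`. The function names, the sample inputs and the reading of `#5letters#` as five ASCII letters are assumptions.

```shell
#!/bin/sh
# Added example: triage helpers for the two indicators named in the timeline.
# Function names are hypothetical; "#5letters#" is read as five ASCII letters.

# Succeeds (exit 0) if a shell startup file has an active, non-comment
# line that runs "sudo shutdown -h 0".
rc_has_shutdown_line() {
    [ -f "$1" ] || return 1
    grep -Ev '^[[:space:]]*#' "$1" |
        grep -Eq 'sudo[[:space:]]+shutdown[[:space:]]+-h[[:space:]]+0([^0-9]|$)'
}

# Classifies a repository name against the naming described above:
#   exact    -> s1ngularity-repository
#   suffixed -> s1ngularity-repository-<5 letters>
#   prefix   -> other names starting with the same string (review manually)
#   none     -> no match
classify_repo_name() {
    if printf '%s\n' "$1" | grep -Eq '^s1ngularity-repository$'; then
        echo exact
    elif printf '%s\n' "$1" | grep -Eq '^s1ngularity-repository-[A-Za-z]{5}$'; then
        echo suffixed
    elif printf '%s\n' "$1" | grep -q '^s1ngularity-repository'; then
        echo prefix
    else
        echo none
    fi
}

# Reads repository names on stdin (one per line), prints the flagged ones
# with their class, and returns 0 only when nothing was flagged.
scan_repo_names() {
    flagged=0
    while IFS= read -r name; do
        class=$(classify_repo_name "$name")
        if [ "$class" != none ]; then
            printf '%s\t%s\n' "$class" "$name"
            flagged=$((flagged + 1))
        fi
    done
    [ "$flagged" -eq 0 ]
}

# Check the current user's startup files (the two files named above).
for rc in "$HOME/.zshrc" "$HOME/.bashrc"; do
    if rc_has_shutdown_line "$rc"; then
        echo "WARNING: $rc contains a 'sudo shutdown -h 0' line"
    fi
done
```

Pipe one repository name per line into `scan_repo_names` to review an account or organisation listing; a non-zero exit status means at least one name was flagged.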