On August 26, 2025, multiple malicious versions of the widely used Nx build system package were published to the npm registry. These versions contained a post-installation malware script designed to harvest sensitive developer assets, including cryptocurrency wallets, GitHub and npm tokens, SSH keys, and more. The malware leveraged AI command-line tools (including Claude, Gemini, and Q) to aid in their reconnaissance efforts, and then exfiltrated the stolen data to publicly accessible attacker-created repositories within victims’ GitHub accounts.
On August 27, 2025 9AM UTC Github disabled all attacker created repositories to prevent this data from being exposed, but the exposure window (which lasted around 8 hours) was sufficient for these repositories to have been downloaded by the original attacker and other malicious actors.
August 27, 2025 2PM UTC update: Github's actions seem to have been singular and therefore new repositories continue to surface, making ongoing monitoring essential. Although the compromised packages have been removed from npm, they may still be executed locally on systems where they were previously installed.
What happened?
The compromise introduced a malicious telemetry.js file triggered via a post-install script in the npm package. The payload executed only on Linux and macOS systems, systematically searching for sensitive files (wallets, keystores, .env, SSH keys) and extracting credentials (gh auth token, npmrc content). The malware attempted lockout by appending sudo shutdown -h 0 to ~/.bashrc and ~/.zshrc, effectively causing system shutdowns on new terminal sessions. These findings were also reported by Step Security.
Notably, the campaign weaponized installed AI CLI tools by prompting them with dangerous flags (--dangerously-skip-permissions, --yolo, --trust-all-tools) to steal filesystem contents, exploiting trusted tools for malicious reconnaissance. We have observed this AI-powered activity succeed in hundreds of cases, although AI provider guardrails at times interceded.
Exfiltrated data was double and triple-base64 encoded and uploaded to attacker-controlled victim GitHub repositories named s1ngularity-repository, s1ngularity-repository-0, or s1ngularity-repository-1, thousands of which were observed publicly.
Among the varied leaked data here, we’ve observed over a thousand valid Github tokens, dozens of valid cloud credentials and NPM tokens, and roughly twenty thousand files leaked. In many cases, the malware appears to have run on developer machines, often via the NX VSCode extension. We’ve also observed cases where the malware ran in build pipelines, such as Github Actions.
On August 27, 2025 9AM UTC Github disabled all attacker created repositories to prevent this data from being exposed, but the exposure window (which lasted around 8 hours) was sufficient for these repositories to have been downloaded by the original attacker and other malicious actors. Furthermore, base64-encoding is trivially decodable, meaning that this data should be treated as effectively public.
Which products are affected?
Nx build system npm package (
@nrwl/nx,nx) in the following versions:20.9.0,20.10.0,20.11.0,20.12.0,21.5.0,21.6.0,21.7.0,21.8.0@nx/devkit in versions:
21.5.0,20.9.0@nx/enterprise-cloud version
3.2.0@nx/eslint version
21.5.0@nx/js in versions:
21.5.0, 20.9.0@nx/key version
3.2.0@nx/node in versions
21.5.0,20.9.0@nx/workspace in versions
21.5.0,20.9.0
Artifacts
File Artifacts (not unique to this attack):
~/.bashrc,~/.zshrcmodified withsudo shutdown -h 0/tmp/inventory.txt(sensitive file paths)/tmp/inventory.txt.bak
Network/Account Artifacts:
Outbound API calls to api.github.com (
/user/repos,/repos/*/contents/results.b64)Public GitHub repositories named
s1ngularity-repository,s1ngularity-repository-0, ors1ngularity-repository-1File results.b64 containing base64-encoded data
Which actions should security teams take?
Immediate Remediation
Remove malicious Nx versions (
rm -rf node_modules && npm cache clean --force).Upgrade to a clean release (Nx have removed the malicious versions, so any current version sourced from NPM can be considered safe).
Manually review and remove malicious shell entries from
~/.bashrcand~/.zshrc.Delete
/tmp/inventory.txtand.bakif present.
Audit & Detection
Check for any evidence of GitHub repos created within your organization and user accounts named
s1ngularity-repository,s1ngularity-repository-0, ors1ngularity-repository-1(note that since GitHub have disabled these repositories, they won’t show up in search).Review GitHub audit logs for anomalous API usage.
Monitor developer endpoints and CI/CD pipelines for suspicious API calls and unexpected child processes.
Credential Rotation
Revoke and regenerate all GitHub tokens, npm tokens, SSH keys, API keys, and environment variable secrets that may have been leaked in these repositories.
Transfer cryptocurrency funds to new wallets immediately if exposed (as wallets themselves cannot be rotated).
How can Wiz help?
While Wiz Threat Research are still reviewing impact, Wiz customers can use the pre-built query and advisory in the Wiz Threat Center to assess the risk in their environment.
Wiz customers can use the SBOM page to identify malicious versions of the `nx` package in their environment.
Wiz Threat Research added YARA-based detection to identify instances of the malicious script in customer environments, which should be treated as evidence of potential compromise of the host.
