Updated August 29th, 2PM UTC with details on the second phase of the attack
On August 26, 2025, multiple malicious versions of the widely used Nx build system package were published to the npm registry. These versions contained a post-installation malware script designed to harvest sensitive developer assets, including cryptocurrency wallets, GitHub and npm tokens, SSH keys, and more.
In the first phase of the attack, the malware leveraged AI command-line tools (including Claude, Gemini, and Q) to aid in their reconnaissance efforts, and then exfiltrated the stolen data to publicly accessible attacker-created repositories within victims’ GitHub accounts.
On August 27, 2025 9AM UTC Github disabled all attacker created repositories to prevent this data from being exposed, but the exposure window (which lasted around 8 hours) was sufficient for these repositories to have been downloaded by the original attacker and other malicious actors.
In a second phase, an attacker used the leaked GitHub tokens from phase one to make victim’s private repositories public. These changes appeared to be driven by a single threaded automation, running between (roughly) August 28 4PM and August 29 2AM UTC. Over 400 users/organizations were impacted in that window, with a total of over 5500 private repositories published publicly.
What happened?
The initial compromise introduced a malicious telemetry.js file triggered via a post-install script in the npm package. The payload executed only on Linux and macOS systems, systematically searching for sensitive files (wallets, keystores, .env, SSH keys) and extracting credentials (gh auth token, npmrc content). The malware attempted lockout by appending sudo shutdown -h 0 to ~/.bashrc and ~/.zshrc, effectively causing system shutdowns on new terminal sessions. These findings were also reported by Step Security.
August 28, 2025 9AM UTC update: The root cause was identified - the issue stemmed from a flawed GitHub Actions workflow that allowed code injection through unsanitized pull request titles combined with the use of the pull_request_target trigger. Although the workflow was quickly removed from the master branch, it remained present in older branches and could still be exploited. The injection flaw enabled arbitrary command execution if a malicious PR title was submitted, while the pull_request_target trigger granted elevated permissions by providing a GITHUB_TOKEN with read/write access to the repository.
Notably, the campaign weaponized installed AI CLI tools by prompting them with dangerous flags (--dangerously-skip-permissions, --yolo, --trust-all-tools) to steal filesystem contents, exploiting trusted tools for malicious reconnaissance. We have observed this AI-powered activity succeed in hundreds of cases, although AI provider guardrails at times interceded.
Exfiltrated data was double and triple-base64 encoded and uploaded to attacker-controlled victim GitHub repositories named s1ngularity-repository, s1ngularity-repository-0, or s1ngularity-repository-1, thousands of which were observed publicly.
Among the varied leaked data here, we’ve observed over a thousand valid Github tokens, dozens of valid cloud credentials and NPM tokens, and roughly twenty thousand additional files leaked. In many cases, the malware appears to have run on developer machines, often via the NX VSCode extension. We’ve also observed cases where the malware ran in build pipelines, such as Github Actions.
On August 27, 2025 9AM UTC Github disabled all attacker created repositories to prevent this data from being exposed, but the exposure window (which lasted around 8 hours) was sufficient for these repositories to have been downloaded by the original attacker and other malicious actors. Furthermore, base64-encoding is trivially decodable, meaning that this data should be treated as effectively public. A few repositories surfaced after Github’s action, making ongoing monitoring essential. Although the compromised packages have been removed from npm, they may still be executed locally on systems where they were previously installed.
August 28, 2025, 6PM UTC update: Wiz Threat Research and Adnan Khan identified a second wave: an attacker appears to be using the previously compromised GitHub tokens to turn private repositories public and rename them to the pattern s1ngularity-repository-#5letters#. We observed over 190 users/organisations that were impacted, and over 3000 repositories.
August 29, 2025, 2PM UTC update: This phase appears suspended, with over 400 users/organizations impacted, and over 5500 repositories.
Which products are affected?
Nx build system npm package (
@nrwl/nx,nx) in the following versions:20.9.0,20.10.0,20.11.0,20.12.0,21.5.0,21.6.0,21.7.0,21.8.0@nx/devkit in versions:
21.5.0,20.9.0@nx/enterprise-cloud version
3.2.0@nx/eslint version
21.5.0@nx/js in versions:
21.5.0, 20.9.0@nx/key version
3.2.0@nx/node in versions
21.5.0,20.9.0@nx/workspace in versions
21.5.0,20.9.0
Artifacts
File Artifacts (not unique to this attack):
~/.bashrc,~/.zshrcmodified withsudo shutdown -h 0/tmp/inventory.txt(sensitive file paths)/tmp/inventory.txt.bak2379ac0e03b1a67c4ca5693136eff4945e644a91(telemetry.jsvariant SHA1)e5d1f3c45ee7cca6ae59cf64e0573050bbe136ec(telemetry.jsvariant SHA1)b4f20b39aa6df1002872f07973024d85aa49abaf(telemetry.jsvariant SHA1)d2438106211ebd12c4f0a248848bc9864c97a3c0(telemetry.jsvariant SHA1)
Network/Account Artifacts:
Outbound API calls to api.github.com (
/user/repos,/repos/*/contents/results.b64)Public GitHub repositories named
s1ngularity-repository,s1ngularity-repository-0, ors1ngularity-repository-1File results.b64 containing base64-encoded data
Which actions should security teams take?
Immediate Remediation
Remove malicious Nx versions (
rm -rf node_modules && npm cache clean --force).Upgrade to a clean release (Nx have removed the malicious versions, so any current version sourced from NPM can be considered safe).
Manually review and remove malicious shell entries from
~/.bashrcand~/.zshrc.Delete
/tmp/inventory.txtand.bakif present.
Audit & Detection
Check for any evidence of GitHub repos created within your organization and user accounts named
s1ngularity-repository,s1ngularity-repository-0, ors1ngularity-repository-1(note that since GitHub have disabled these repositories, they won’t show up in search).Review GitHub audit logs for anomalous API usage.
Monitor developer endpoints and CI/CD pipelines for suspicious API calls and unexpected child processes.
Credential Rotation
Revoke and regenerate all GitHub tokens, npm tokens, SSH keys, API keys, and environment variable secrets that may have been leaked in these repositories.
Transfer cryptocurrency funds to new wallets immediately if exposed (as wallets themselves cannot be rotated).
How can Wiz help?
While Wiz Threat Research are still reviewing impact, Wiz customers can use the pre-built query and advisory in the Wiz Threat Center to assess the risk in their environment.
Wiz customers can use the SBOM page to identify malicious versions of the `nx` package in their environment.
Wiz Threat Research added YARA-based detection to identify instances of the malicious script in customer environments, which should be treated as evidence of potential compromise of the host.
