Nx Build Platform Compromised: Malicious Packages Trigger Massive Secrets Leak

In a sophisticated supply chain attack targeting the JavaScript ecosystem, malicious actors compromised the widely-used Nx build platform, injecting data-stealing malware into official packages. The incident, occurring between August 26-27, exploited stolen maintainer credentials to publish trojanized versions of @nx and related plugins—tools downloaded over 5 million times weekly according to npm metrics.

Attack Timeline: A Narrow Window with Lasting Damage

The compromise unfolded with alarming precision:
- 22:32 UTC, Aug 26: Attackers used a stolen npm token to publish first malicious package
- 00:37 UTC, Aug 27: npm removed all 19 compromised versions after 2-hour publishing spree
- 01:37 UTC: Nx maintainers revoked the stolen token
- 09:05 UTC: GitHub made 9,000+ leak repositories private—but data remained exposed for over 9 hours

Affected versions include critical packages like @nx (v20.9.0-21.8.0), @nx/devkit, @nx/workspace, and others. During the exposure window, attackers harvested:

- GitHub personal access tokens
- npm publish credentials
- SSH private keys (id_rsa)
- Cryptocurrency wallets (MetaMask, Ledger, Exodus, etc.)
- .env files with API keys
- LLM CLI keys (Anthropic Claude, Google Gemini, Amazon Q)

Infection Vector: The Ghost in the Workflow

The breach originated from a vulnerable GitHub Actions workflow (publish.yml) that temporarily allowed arbitrary code execution between August 21-24. Attackers exploited this to extract an npm token with publishing rights. Though the workflow vulnerability was patched on August 24, the compromised token remained active until the attack.

Malware Mechanics: Aggressive Exfiltration and Sabotage

The malicious telemetry.js post-install script targeted macOS/Linux systems, employing several aggressive techniques:

1. Secrets Hunting: Used regex patterns and LLM CLI tools to scan for:

   "*key, *keystore.json, UTC– files, .env contents, and specific crypto wallet directories"

2. Obfuscated Exfiltration: Base64-encoded stolen data multiple times before uploading to GitHub via victims' own tokens

3. Repositories Sprawl: Created public repos named s1ngularity-repository* containing results.b64 files

4. Defensive Sabotage: Added sudo shutdown to .bashrc/.zshrc to cripple terminals and delay detection

Mitigation Protocol: Critical Response Steps

Affected teams must immediately:

# Audit installations
npm ls nx 

# Purge compromised artifacts
rm -rf node_modules
npm cache clean --force
rm /tmp/inventory.txt*

# Rotate ALL credentials:
- GitHub PATs
- npm tokens
- SSH keys
- API keys
- Crypto wallets

# Inspect shell configs:
sed -i '/sudo shutdown/d' ~/.bashrc ~/.zshrc

Scrutinize GitHub for unauthorized s1ngularity-repository* repos and monitor for suspicious commits. Even after cleanup, assume stolen credentials remain active threats requiring ongoing vigilance.

The Silent Time Bomb in Build Systems

This incident exposes three critical vulnerabilities in modern toolchains:
1. Transitive Trust Failure: A single compromised maintainer token bypassed all code review safeguards
2. Secrets Sprawl: Development environments contain catastrophic concentrations of unprotected credentials
3. Response Lag: The 9-hour public data exposure creates indefinite supply chain risks

As build systems become increasingly central to software production, this attack underscores the urgent need for mandatory publish approvals, hardened CI/CD pipelines, and automated secrets rotation. The industry's reliance on transitive trust now demands zero-trust verification at every workflow junction.

Source: Kaspersky