How Attackers Turned a Popular Build Tool Into a Credential-Stealing Machine

The Nx package was compromised with malware that weaponized AI tools to steal developer secrets. Thousands may have been exposed in just five hours.

On August 26, 2025, the Nx build system, downloaded millions of times per week, was hijacked by attackers who injected data-stealing malware into multiple versions published to npm. The compromise lasted roughly five hours before being detected and removed, but in that window, developers across the world unknowingly installed code designed to harvest their most sensitive credentials.

What made this attack particularly alarming was not just what it stole, but how it stole it: the malware weaponized AI assistant command-line tools like Claude, Gemini, and others to conduct reconnaissance and exfiltration, marking what security researchers believe is the first documented case of malware coercing AI tools into becoming accomplices in a supply chain attack.

The malicious post-install script, hidden in a file called telemetry.js, executed automatically when developers installed the compromised package. It systematically harvested cryptocurrency wallets, GitHub tokens, npm registry credentials, SSH keys, and environment variables. But the attackers went further, using AI CLI tools with flags like "dangerously-skip-permissions" and "yolo" to recursively scan the filesystem for wallet-related files and secrets, writing discovered paths to a temporary inventory file.
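
A defender's check for the install-time execution path described above, as an added example that is not from this article or the Nx project: it lists every installed package that declares a `preinstall`, `install`, or `postinstall` script so each can be reviewed. The function names and the sample package names are hypothetical, and an npm-style `node_modules` layout is assumed.

```javascript
// Added example (not Nx or npm code): list packages that run code at install time.
const INSTALL_HOOKS = ["preinstall", "install", "postinstall"]; // run by `npm install`

// entries: [{ dir, manifest }] where manifest is a parsed package.json.
// Returns one finding per non-empty install-time hook; allowlisted names are skipped.
function findInstallHooks(entries, allowlist = new Set()) {
  const findings = [];
  for (const { dir, manifest } of entries) {
    if (!manifest || allowlist.has(manifest.name)) continue;
    const scripts = manifest.scripts || {};
    for (const hook of INSTALL_HOOKS) {
      const command = scripts[hook];
      if (typeof command === "string" && command.trim() !== "") {
        findings.push({ name: manifest.name, version: manifest.version, hook, command, dir });
      }
    }
  }
  return findings;
}

// Collect manifests from an npm-style node_modules tree, including @scope
// directories and nested node_modules. Unreadable entries are skipped.
async function readManifests(root) {
  const fs = await import("node:fs/promises");
  const path = await import("node:path");
  const out = [];
  async function walk(nm) {
    let names;
    try { names = await fs.readdir(nm); } catch { return; }
    for (const n of names) {
      if (n.startsWith(".")) continue;
      const dir = path.join(nm, n);
      if (n.startsWith("@")) { await walk(dir); continue; }
      try {
        const text = await fs.readFile(path.join(dir, "package.json"), "utf8");
        out.push({ dir, manifest: JSON.parse(text) });
      } catch { /* not a package directory */ }
      await walk(path.join(dir, "node_modules"));
    }
  }
  await walk(root);
  return out;
}

// Constructed sample manifests (hypothetical package names), for an offline run.
const SAMPLE = [
  { dir: "node_modules/example-build-tool", manifest: { name: "example-build-tool", version: "0.0.0", scripts: { postinstall: "node telemetry.js" } } },
  { dir: "node_modules/example-lib", manifest: { name: "example-lib", version: "1.0.0", scripts: { test: "node t.js" } } },
];
console.table(findInstallHooks(SAMPLE));
```

For a real project, pass the result of `readManifests("node_modules")` to `findInstallHooks`. Running `npm install --ignore-scripts` prevents these hooks from executing at all.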

Once the data was collected, the malware created public GitHub repositories using stolen tokens, triple-encoded the stolen credentials in base64, and uploaded them for anyone to find. Thousands of these repositories now exist on GitHub, each containing exfiltrated secrets in plain sight. 

The community response has been one of alarm mixed with pragmatic concern. Commenters have emphasized that this incident underscores a fundamental principle often overlooked in the rush to ship code: developers should never run untrusted code on their machines, and even trusted sources warrant caution. Said another way, this should be a lesson to anyone who wants to learn AI.

The broader conversation has centered on the risks of relying on third-party repositories and the difficulty of verifying software origins in an ecosystem where convenience often trumps security. Some observers noted that while the five-hour window was relatively brief, the damage was compounded by a second wave of attacks in which compromised credentials were used to make private organization repositories public and fork them into attacker-controlled accounts, affecting thousands of organizations.

Security experts point out that this attack represents an evolution in supply chain threats. Rather than simply stealing data, the attackers demonstrated a sophisticated understanding of developer workflows and the tools developers trust. The abuse of AI assistants is particularly concerning because these tools are designed to be permissive and helpful, making them vulnerable to manipulation through carefully crafted prompts.

The incident also revealed a critical vulnerability in npm’s security model: a workflow-injection that leaked an npm publishing token, allowing multiple malicious versions to be pushed in quick succession before detection. In response, npm is rolling out ecosystem-wide changes: revoking legacy “classic” tokens and blocking their creation, shortening lifetimes for newly created write-enabled granular tokens to a 7-day default with a 90-day maximum, discontinuing new TOTP 2FA setups in favor of phishing-resistant WebAuthn/passkeys (while existing TOTP continues for now), and encouraging CI/CD to adopt Trusted Publishing (OIDC) instead of long-lived tokens.

The takeaway for developers is twofold: verify the integrity of your dependencies, and audit your own credentials immediately if you installed Nx between August 26 and 27. It is also a good time to brush up on your cybersecurity skills. For the broader software community, the s1ngularity attack serves as a stark reminder that supply chain security is not a one-time fix but an ongoing arms race. As attackers grow more creative in weaponizing legitimate tools, the responsibility falls on both platforms and developers to remain vigilant about what code runs on their machines and what permissions it requests.

By Brian Dantonio

Brian Dantonio (he/him) is a news reporter covering tech, accounting, and finance. His work has appeared on hackr.io, Spreadsheet Point, and elsewhere.
