NX Build Tool Hacked to Steal Wallets and Secrets


A new supply-chain attack has compromised the widely used NX build tool, impacting more than 1,400 developers. Security researchers discovered that a malicious post-install script was added, which silently created a GitHub repository named s1ngularity-repository in affected users’ accounts.

Inside this repository, attackers stored a base64-encoded dump containing highly sensitive information, including wallet files, API keys, .npmrc credentials, and environment variables.

Key Takeaways

  1. The NX build tool was weaponized with malware that steals credentials and creates hidden GitHub repositories.
  2. Attackers specifically targeted Claude CLI and Gemini CLI for advanced data exfiltration.
  3. Developers must delete suspicious repositories, update NX immediately, and rotate all exposed secrets.

AI-Assisted Data Exfiltration

According to Semgrep, the attack leveraged the NX post-install hook through a file named telemetry.js. This script executed immediately after installation and began collecting environment variables.

The malware then searched for GitHub authentication tokens via the GitHub CLI. Once obtained, it created a public GitHub repository (such as s1ngularity-repository-0) and committed the stolen data inside a file called results.b64.

What makes this campaign unusual is its use of AI-powered CLIs such as Claude and Gemini. When one of these tools was found on the machine, the malware issued crafted prompts that had the LLM carry out the filesystem scan, which makes the activity harder to detect with traditional signature-based tools.


Affected Versions of NX

The following packages and versions are confirmed to be affected:

  • @nx/devkit 21.5.0, 20.9.0
  • @nx/enterprise-cloud 3.2.0
  • @nx/eslint 21.5.0
  • @nx/key 3.2.0
  • @nx/node 21.5.0, 20.9.0
  • @nx/workspace 21.5.0, 20.9.0
  • @nx 20.9.0–20.12.0, 21.5.0–21.8.0

To see which version of nx a project has installed, run:

  npm ls nx

Mitigation Steps for Developers

If you are using any of the impacted NX versions, you should:

  • Search for unauthorized repositories in your GitHub account.
  • Delete any repository with the name s1ngularity-repository*.
  • Update NX to the safe version 21.4.1 (the malicious versions have been removed from npm).
  • Rotate all potentially exposed secrets, including GitHub tokens, npm credentials, SSH keys, and environment variables.
  • Inspect shell startup files (for example .bashrc) and remove any malicious shutdown directives.
  • Enforce strict post-install auditing to catch future supply-chain threats.
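As an added example (not code from the article or from the NX project), the following POSIX shell helpers turn the affected-version list and the mitigation steps above into checks a developer can run on a workstation: the version ranges, the s1ngularity-repository name pattern and the shutdown directive come from the article, while the `gh repo list` invocation mentioned in a comment is an assumption about how a reader would list their repositories.

```shell
#!/bin/sh
# Added triage helpers for the NX incident (not from the article or the NX project).
# Ranges and names come from the article; the demo at the bottom uses constructed input.

# ver_num X.Y.Z -> one integer so ranges can be compared; a prerelease suffix is dropped.
ver_num() {
  IFS=. read -r a b c <<EOF
$1
EOF
  c=${c%%-*}
  echo $(( ${a:-0} * 1000000 + ${b:-0} * 1000 + ${c:-0} ))
}

# nx_version_affected VERSION: succeeds when VERSION lies in 20.9.0-20.12.0 or 21.5.0-21.8.0.
nx_version_affected() {
  n=$(ver_num "$1")
  if [ "$n" -ge "$(ver_num 20.9.0)" ] && [ "$n" -le "$(ver_num 20.12.0)" ]; then return 0; fi
  if [ "$n" -ge "$(ver_num 21.5.0)" ] && [ "$n" -le "$(ver_num 21.8.0)" ]; then return 0; fi
  return 1
}

# nx_version_from_ls: pull the installed version out of `npm ls nx` output read from stdin.
nx_version_from_ls() {
  sed -n 's/^.*[[:space:]]nx@\([0-9][0-9.]*\).*$/\1/p' | head -n 1
}

# startup_file_suspicious FILE: prints and succeeds on any shutdown directive in a shell
# startup file (the cleanup step the article lists for .bashrc and similar files).
startup_file_suspicious() {
  grep -nE '(^|[[:space:];&|])(sudo[[:space:]]+)?shutdown([[:space:]]|$)' "$1"
}

# suspicious_repos: filter repository names on stdin down to s1ngularity-repository*.
# Feed it e.g. `gh repo list --json name --jq '.[].name'` (assumed gh syntax).
suspicious_repos() {
  grep -E '^s1ngularity-repository'
}

# --- demo on constructed input so the script runs offline ---
v=$(printf '%s\n' 'myapp@1.0.0 /home/dev/myapp' '`-- nx@21.5.0' | nx_version_from_ls)
if nx_version_affected "$v"; then echo "nx $v: AFFECTED, update to 21.4.1"; else echo "nx $v: ok"; fi
rc=$(mktemp)
printf '%s\n' 'export PATH="$HOME/bin:$PATH"' 'sudo shutdown -h 0' > "$rc"
startup_file_suspicious "$rc" && echo "startup file $rc: remove the line(s) above"
rm -f "$rc"
printf '%s\n' my-app s1ngularity-repository-0 docs | suspicious_repos
```

Replace the constructed inputs with the real `npm ls nx` output, your own startup files and the repository list from your GitHub account to run the same checks for real.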