Malicious Nx Packages Used in Two Waves of Supply Chain Attack - DevOps.com
Briefly

Attackers stole an Nx npm token and published malicious Nx package versions to npm that scan local file systems, collect credentials, and post them to GitHub as repositories under victims' accounts. A vulnerable workflow introduced on August 21 enabled executable code injection; the change was reverted on the master branch, but an attacker opened a pull request against an outdated branch that still contained the vulnerable workflow and exploited it there. Exploitation continued on August 24, and remediation took place over two days. A subsequent wave used compromised GitHub tokens to make private repositories public and rename them to the pattern s1ngularity-repository-#5letters#.
At the center of the attack - which was named "s1ngularity" - was the introduction of a vulnerable workflow on August 21, according to the alert. The workflow enabled an attacker to inject executable code. The alert said the vulnerable workflow was reverted on the master branch almost immediately after it was determined to be malicious, but the revert wasn't enough: the bad actor was able to open a pull request targeting an outdated branch that still included the vulnerable workflow.
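The article does not reproduce the workflow, so the following is an added illustration (not Nx's actual file and not code from DevOps.com) of the workflow shape that produces this class of code injection: a job that runs with the base repository's secrets (the pull_request_target trigger, assumed here as the textbook case) and splices a pull-request field straight into a shell step. Both the vulnerable and the hardened workflow are constructed samples embedded in the script, and the list of attacker-controlled expression contexts is an assumption, not an exhaustive one. The scanner walks run: steps and reports any ${{ }} expression that references one of those contexts; the hardened form passes the same value through env:, where the shell sees it as data.

```python
import re

# Constructed vulnerable sample (generic illustration, not the Nx workflow):
# pull_request_target exposes repository secrets, and the PR title lands
# verbatim in a shell script, so a crafted title becomes shell code.
VULNERABLE_WORKFLOW = """\
name: validate-pr
on:
  pull_request_target:
    types: [opened, edited, synchronize]
jobs:
  check-title:
    runs-on: ubuntu-latest
    steps:
      - run: |
          echo "Validating PR title: ${{ github.event.pull_request.title }}"
"""

# Hardened form: the untrusted value enters through the environment and is
# expanded by the shell as a plain string, never parsed as script.
HARDENED_WORKFLOW = """\
name: validate-pr
on:
  pull_request_target:
    types: [opened, edited, synchronize]
jobs:
  check-title:
    runs-on: ubuntu-latest
    steps:
      - env:
          PR_TITLE: ${{ github.event.pull_request.title }}
        run: |
          echo "Validating PR title: $PR_TITLE"
"""

# Expression contexts a pull-request author controls (assumed list, not exhaustive).
UNTRUSTED_CONTEXTS = (
    "github.event.pull_request.title",
    "github.event.pull_request.body",
    "github.event.pull_request.head.ref",
    "github.event.pull_request.head.label",
    "github.head_ref",
    "github.event.issue.title",
    "github.event.issue.body",
    "github.event.comment.body",
    "github.event.review.body",
)

EXPR = re.compile(r"\$\{\{(.*?)\}\}")
RUN_KEY = re.compile(r"^(\s*)(?:-\s+)?run:\s*(.*)$")


def uses_privileged_trigger(workflow_text: str) -> bool:
    """True if the workflow runs on pull_request_target (base-repo secrets available)."""
    return re.search(r"^\s*pull_request_target\s*:", workflow_text, re.M) is not None


def find_unsafe_expressions(workflow_text: str) -> list[tuple[int, str]]:
    """Return (line_number, expression) for every ${{ }} inside a run: step
    that references an attacker-controlled context. Line-based on purpose so
    it needs no YAML library; handles inline and block-scalar run: values."""
    findings = []
    lines = workflow_text.splitlines()
    i = 0
    while i < len(lines):
        m = RUN_KEY.match(lines[i])
        if not m:
            i += 1
            continue
        indent, rest = len(m.group(1)), m.group(2)
        run_lines = []
        if rest.startswith(("|", ">")):
            # Block scalar: consume following lines indented deeper than the key.
            i += 1
            while i < len(lines) and (
                not lines[i].strip()
                or len(lines[i]) - len(lines[i].lstrip()) > indent
            ):
                run_lines.append((i + 1, lines[i]))
                i += 1
        else:
            run_lines.append((i + 1, rest))
            i += 1
        for lineno, text in run_lines:
            for expr in EXPR.findall(text):
                expr = expr.strip()
                if any(ctx in expr for ctx in UNTRUSTED_CONTEXTS):
                    findings.append((lineno, expr))
    return findings


def risk_level(workflow_text: str) -> str:
    """'high' when injectable AND running with secrets, 'medium' when only
    injectable, 'none' when no untrusted expression reaches a run: step."""
    if not find_unsafe_expressions(workflow_text):
        return "none"
    return "high" if uses_privileged_trigger(workflow_text) else "medium"


if __name__ == "__main__":
    for label, wf in (("vulnerable", VULNERABLE_WORKFLOW), ("hardened", HARDENED_WORKFLOW)):
        print(label, risk_level(wf), find_unsafe_expressions(wf))
```

Run it over every file under .github/workflows on every branch, not just the default one: as the article notes, the revert on master left an outdated branch still carrying the vulnerable workflow, and pull_request_target workflows are taken from the target branch of the pull request.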
However, security researchers with the cybersecurity firms Wiz and StepSecurity - pointing to alerts from security researchers Brian Kohan and Adnan Khan - wrote on August 28 about a second wave of attacks using the credentials leaked in the Nx compromise. In an update to their blog post, the Wiz researchers wrote that an attacker - whether the same or another one - "appears to be using the previously compromised GitHub tokens to turn private repositories public and rename them to the pattern s1ngularity-repository-#5letters#."
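As an added check (not from the DevOps.com article and not tooling from Nx, Wiz or StepSecurity), here is a Python triage that compares a pre-incident repository inventory against a current listing, keyed on the immutable repository id rather than the name, because the second wave renames repositories and a name-based diff would miss the flip. The two listings are constructed samples in the shape of the GitHub REST API repository objects (only the fields used here). The strict pattern follows the page's s1ngularity-repository-#5letters#, with "letters" assumed to mean ASCII letters; the looser prefix match is an assumption intended to also catch the first-wave exfiltration repositories, which the page describes but does not name.

```python
import re

# Strict second-wave pattern from the page: s1ngularity-repository-<5 letters>.
# "letters" is assumed to mean ASCII letters.
WAVE2_NAME = re.compile(r"^s1ngularity-repository-[A-Za-z]{5}$")
# Looser match (assumption): anything carrying the s1ngularity-repository prefix.
ANY_S1NGULARITY = re.compile(r"^s1ngularity-repository", re.IGNORECASE)

# Constructed inventory taken before the incident (id, name, private only).
BASELINE_SNAPSHOT = [
    {"id": 101, "name": "payments-api", "private": True},
    {"id": 102, "name": "infra-terraform", "private": True},
    {"id": 103, "name": "public-docs", "private": False},
]

# Constructed current listing: id 102 was renamed and made public;
# 104 and 105 are new repositories in the first-wave exfiltration style.
CURRENT_LISTING = [
    {"id": 101, "name": "payments-api", "private": True},
    {"id": 102, "name": "s1ngularity-repository-abcde", "private": False},
    {"id": 103, "name": "public-docs", "private": False},
    {"id": 104, "name": "s1ngularity-repository", "private": False},
    {"id": 105, "name": "s1ngularity-repository-0", "private": False},
]


def is_wave2_name(name: str) -> bool:
    """True only for the exact second-wave rename pattern."""
    return WAVE2_NAME.match(name) is not None


def triage(baseline: list[dict], current: list[dict]) -> dict[str, list]:
    """Diff two listings by repository id.

    exposed:        (old_name, new_name) for repos that went private -> public
    renamed:        (old_name, new_name) for repos whose name changed
    new_suspicious: names of repos absent from the baseline that match the prefix
    name_matches:   every current name matching the prefix, new or not
    """
    before = {r["id"]: r for r in baseline}
    findings = {"exposed": [], "renamed": [], "new_suspicious": [], "name_matches": []}
    for repo in current:
        name = repo["name"]
        suspicious = ANY_S1NGULARITY.match(name) is not None
        if suspicious:
            findings["name_matches"].append(name)
        old = before.get(repo["id"])
        if old is None:
            # Not in the baseline: created after the snapshot, e.g. an exfil repo.
            if suspicious:
                findings["new_suspicious"].append(name)
            continue
        if old["private"] and not repo["private"]:
            findings["exposed"].append((old["name"], name))
        if old["name"] != name:
            findings["renamed"].append((old["name"], name))
    return findings


if __name__ == "__main__":
    for key, items in triage(BASELINE_SNAPSHOT, CURRENT_LISTING).items():
        print(f"{key}: {items}")
```

Pull the live listing with `gh api --paginate /user/repos` (or `/orgs/<org>/repos` for an organization) and feed a saved earlier snapshot plus the current one to triage(). Anything in exposed was fully public for some window and should be treated as disclosed, including any secrets ever committed to it; anything in new_suspicious points at an account whose local credentials were collected by the first wave, so the tokens on that machine and account need rotating, not just the repository cleaning up.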
Read at DevOps.com