Multiple malicious Nx package versions were uploaded to the NPM registry and contained malware engineered to harvest developer secrets, including GitHub and NPM tokens, SSH private keys, and cryptocurrency wallet information. Harvested credentials were posted as new public GitHub repositories under the corresponding user accounts. The exposed repos remained available for about eight hours before GitHub disabled them. Investigators believe a publishing token with rights to the compromised packages was abused; maintainers had two-factor authentication enabled, but 2FA was not required to publish. Nx has large reach among developers, increasing potential impact, and remediation is urged for anyone who installed compromised versions.
According to researchers at Wiz, those poisoned packages were laden with malware designed to siphon secrets from developers, such as GitHub and NPM tokens, SSH keys, and cryptocurrency wallet details. Nx's security advisory on GitHub, which details the affected versions, states that successful credential harvesting then led to those credentials being posted to GitHub as new public-facing repos under the corresponding user accounts.
With a self-proclaimed 24 million NPM downloads per month, a successful supply chain attack on Nx, an open source codebase management platform, could in theory capture the details of myriad developers. "Given the popularity of the Nx ecosystem, and the novelty of AI tool abuse, this incident highlights the evolving sophistication of supply chain attacks," said Ashish Kurmi, co-founder of StepSecurity, in a blog post. "Immediate remediation is critical for anyone who installed the compromised versions."
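The remediation step urged above starts with a simple question: did this project ever install one of the affected Nx versions? The following script is an added example, not code from Nx, Wiz or StepSecurity. It walks an npm `package-lock.json` (both the nested lockfileVersion 1 layout and the flat `packages` map of versions 2 and 3), lists every `nx` and `@nx/*` package that was installed, and reports those whose version appears in an affected-versions list. The lockfile fragments and the `AFFECTED_VERSIONS` table are constructed placeholders; the real version list must be taken from the Nx advisory the article refers to.

```python
import json
from typing import Dict, List, Set, Tuple

# Constructed sample lockfile (lockfileVersion 3 layout); not a real project's lock.
SAMPLE_LOCK_V3 = json.dumps({
    "name": "example-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "example-app", "dependencies": {"nx": "9.9.9-CONSTRUCTED"}},
        "node_modules/nx": {
            "version": "9.9.9-CONSTRUCTED",
            "resolved": "https://registry.npmjs.org/nx/-/nx-9.9.9-CONSTRUCTED.tgz",
        },
        "node_modules/@nx/devkit": {
            "version": "9.9.9-CONSTRUCTED",
            "resolved": "https://registry.npmjs.org/@nx/devkit/-/devkit-9.9.9-CONSTRUCTED.tgz",
        },
        "node_modules/left-pad": {
            "version": "1.3.0",
            "resolved": "https://registry.npmjs.org/left-pad/-/left-pad-1.3.0.tgz",
        },
    },
})

# Constructed sample in the older lockfileVersion 1 layout (nested "dependencies").
SAMPLE_LOCK_V1 = json.dumps({
    "name": "example-app",
    "lockfileVersion": 1,
    "dependencies": {
        "some-tool": {
            "version": "2.0.0",
            "dependencies": {
                "@nx/workspace": {"version": "9.9.9-CONSTRUCTED"},
            },
        },
        "left-pad": {"version": "1.3.0"},
    },
})

# PLACEHOLDER: populate from the affected-versions list in Nx's GitHub security advisory.
AFFECTED_VERSIONS: Dict[str, Set[str]] = {
    "nx": {"9.9.9-CONSTRUCTED"},
    "@nx/devkit": {"9.9.9-CONSTRUCTED"},
    "@nx/workspace": {"9.9.9-CONSTRUCTED"},
}


def is_nx_package(name: str) -> bool:
    """True for the core 'nx' package and anything in the @nx scope."""
    return name == "nx" or name.startswith("@nx/")


def _name_from_lock_path(lock_path: str) -> str:
    # v2/v3 keys look like "node_modules/a/node_modules/@nx/devkit";
    # the package name is everything after the last "node_modules/".
    return lock_path.rsplit("node_modules/", 1)[-1]


def _walk_v1(deps: Dict, found: List[Tuple[str, str]]) -> None:
    # v1 lockfiles nest transitive deps under each entry's own "dependencies".
    for name, meta in deps.items():
        if is_nx_package(name):
            found.append((name, meta.get("version", "")))
        _walk_v1(meta.get("dependencies", {}), found)


def installed_nx_packages(lock_json: str) -> List[Tuple[str, str]]:
    """Return sorted (name, version) pairs for every nx / @nx/* entry in the lockfile."""
    lock = json.loads(lock_json)
    found: List[Tuple[str, str]] = []
    if "packages" in lock:  # lockfileVersion 2 or 3
        for path, meta in lock["packages"].items():
            if not path:  # "" is the root project itself
                continue
            name = _name_from_lock_path(path)
            if is_nx_package(name):
                found.append((name, meta.get("version", "")))
    else:  # lockfileVersion 1
        _walk_v1(lock.get("dependencies", {}), found)
    return sorted(set(found))


def compromised_packages(lock_json: str, affected: Dict[str, Set[str]]) -> List[Tuple[str, str]]:
    """Subset of installed nx packages whose exact version is in the affected list."""
    return [(n, v) for n, v in installed_nx_packages(lock_json) if v in affected.get(n, set())]


if __name__ == "__main__":
    import sys
    path = sys.argv[1] if len(sys.argv) > 1 else "package-lock.json"
    with open(path, encoding="utf-8") as fh:
        hits = compromised_packages(fh.read(), AFFECTED_VERSIONS)
    for name, version in hits:
        print(f"AFFECTED: {name}@{version}")
    sys.exit(1 if hits else 0)
```

A match only tells you that an affected version was resolved into the lockfile at some point; the harvesting ran at install time, so the credentials present on any machine that installed that version should be treated as exposed regardless of whether the package has since been upgraded.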