A supply chain attack compromised Nx build system packages published to the npm registry on August 26, 2025, with malicious versions containing post-installation scripts that harvest developer assets. The malware exfiltrated cryptocurrency wallets, GitHub and npm tokens, SSH keys, and environment variables from infected enterprise systems. The campaign weaponized AI by prompting installed AI CLI tools with dangerous flags to access filesystem contents and perform reconnaissance, achieving success in hundreds of instances despite occasional AI provider guardrail intervention. Separately, JFrog uncovered eight malicious npm packages, including obfuscated React-related packages employing over 70 layers of concealed code and targeting Chrome users on Windows.
The attack began on August 26, 2025, when threat actors published multiple malicious versions of Nx packages to the npm registry. These compromised packages contained post-installation scripts designed to systematically harvest sensitive developer assets, the report said. The malware targeted cryptocurrency wallets, GitHub and npm tokens, SSH keys, and environment variables from infected enterprise systems. "The malware leveraged installed AI CLI tools by prompting them with dangerous flags to steal filesystem contents, exploiting trusted tools for malicious reconnaissance," Wiz researchers said in their report.
The timing of the Nx compromise coincides with another significant npm supply chain discovery: JFrog announced it had separately uncovered eight malicious packages published on npm, including react-sxt, react-typex, and react-native-control, which contained "highly sophisticated multi-layer obfuscation, with over 70 layers of concealed code." "Open-source software repositories have become one of the main entry points for attackers as part of supply chain attacks, with growing waves using typosquatting and masquerading, pretending to be legitimate," said a blog post by JFrog security researcher Guy Korolevski.
Collection
[
|
...
]