SecurityCritical

Nx 's1ngularity' Supply-Chain Attack Weaponizes Local AI CLI Tools to Harvest Developer Secrets

Nx (Nrwl) / npm ecosystem

What Happened

Attackers exploited a vulnerable GitHub Actions workflow to publish malicious Nx package versions to npm. The payload did something new: it invoked locally installed AI coding CLIs, Claude Code, Gemini CLI, and Amazon Q, with guardrail-bypassing flags to recursively scan the filesystem and inventory sensitive files, then exfiltrated the loot to attacker-created public GitHub repositories. It is cited as the first known case of malware turning developer AI assistants into reconnaissance and exfiltration agents.

Impact

Researchers estimated roughly 2,300 secrets leaked, including over 1,000 valid GitHub tokens plus npm tokens, SSH keys, cloud credentials, and crypto wallet data. Nx packages see about 24 million monthly downloads and are used by a large share of Fortune 500 companies, making the potential blast radius significant.

How to Prevent This

  • Harden CI workflows: avoid pull_request_target with untrusted input and sanitize PR-derived values
  • Scope and short-live npm publish tokens, storing them outside injectable workflow contexts
  • Prevent locally installed AI CLIs from running with guardrail-bypassing auto-approve flags
  • Restrict developer-machine egress and monitor for bulk filesystem scans and secret access
  • Continuously scan repos and pipelines for leaked credentials and revoke on exposure

Don't Let Your Company Be the Next Case Study

Take our 2-minute quiz to identify your AI risks before they become failures.

Assess Your AI Risks Now →

Most teams can't — find out in 2 minutes

Real AI failures analyzed • Free 2-minute assessment