
Nx Supply Chain Breach Shows Why Malicious Package Detection Matters

Nadav Shakarzy
Product Manager
Published September 5 2025 · 3 min. read

On August 26, 2025, threat actors launched a sophisticated supply chain attack on the widely used Nx build system, publishing multiple malicious versions of the nx and @nx/* npm packages. These versions contained data-stealing malware that, once installed, executed post‑install scripts to exfiltrate sensitive developer data—such as SSH keys, API tokens, npm credentials, GitHub tokens, and cryptocurrency wallet information.

What Happened

The attack, labeled “s1ngularity,” exploited a compromised GitHub Actions workflow to obtain publishing access to Nx packages. Attackers published 8 malicious versions between 6:32 PM and 8:37 PM EDT (October 26, 2025); the versions were removed by 10:44 PM, and all publishing tokens were revoked by 11:57 PM EDT.

The payload included a post-install script running a malicious telemetry.js, designed to scan Linux and macOS systems for sensitive files and credentials. The exfiltration pipeline encoded stolen data and uploaded it to newly created public GitHub repositories named s1ngularity-repository or variations thereof. 

Researchers estimate that 2,349 distinct secrets were leaked, including GitHub tokens, cloud credentials, and AI service keys. At least 90% of the leaked GitHub tokens remained valid after the incident. Notably, this attack marked the first known instance of leveraging developer-facing AI CLI tools—such as Claude Code, Gemini CLI, and Amazon’s q—to assist in reconnaissance and exfiltration by passing dangerous flags like --yolo, --trust-all-tools.

Are You Affected?

To determine whether your systems were compromised, you can perform the following checks:

  • Search your GitHub account(s) for repositories named s1ngularity-repository or s1ngularity-repository-<n>. If found, back up any results.b64 files and immediately delete the repositories.
  • Run: npm ls nx @nx/devkit @nx/enterprise-cloud @nx/eslint @nx/js @nx/key @nx/node @nx/workspace to check for installations of the compromised versions.
  • Inspect your package-lock.json files for any of the affected versions.

How Apiiro Helps You Respond

  1. Identify Affected Dependencies Fast

Using Apiiro’s comprehensive inventory and Software Graph, security teams can query across repositories to pinpoint whether any compromised Nx versions were introduced—reducing investigation time from hours to minutes.

  2. Detect Malicious Code Early

Apiiro prevents issues before execution:

  • Malicious Code Ruleset catches suspicious payloads during CI/CD.
  • PRevent blocks malicious commits via GitHub app, stopping threats from entering repos.

  3. Strengthen Dependency Risk Management with Software Composition Analysis (SCA)

In Apiiro’s platform:

  1. Go to Solutions > SCA > Risks
  2. Search for packages such as @nx/devkit, @nx/js, @nx/node, and @nx/workspace
  3. Review, prioritize, and remediate vulnerable entries.

These defenses help organizations catch threats early and prevent widespread exposure. You can explore these tools and more in the Apiiro GitHub repository.

The screenshot below demonstrates how our ruleset effectively identifies and blocks malicious payloads, safeguarding package consumers.

Turning AI Into Defense

The Nx breach showed how attackers are beginning to exploit AI-powered developer tools to scale their attacks. To counter this shift, Apiiro’s AI AppSec Agent gives defenders the same autonomy. The agent uses code-to-runtime context to generate and apply precise AutoFixes inside developer workflows, moving teams from alerts to instant action. 

Built on Apiiro’s Deep Code Analysis and Software Graph, the AppSec Agent ensures decisions are always rooted in full business and runtime context, so fixes are fast and prevent downstream problems.

Why This Matters

The s1ngularity attack underscores how attackers are evolving, weaponizing trusted developer tooling and AI assistants to infiltrate organizations at scale. Traditional vulnerability scanning isn’t enough. You need proactive, supply-chain-aware defenses.

How to Remediate

If you’ve been impacted, execute the following steps:

  1. Uninstall compromised packages immediately.
  2. Update to clean versions as designated by the official Nx or GitHub advisories.
  3. Rotate secrets (SSH keys, API tokens, npm credentials, wallet keys).
  4. Audit your environment—review logs, CI/CD pipelines, and developer machines for anomalies.
  5. Enforce stronger supply chain hygiene—use stricter package integrity checks, immutable lockfiles, and integrate proactive malicious-package detection tools (like Apiiro).

The Bottom Line

The Nx breach is a potent reminder: the software supply chain is increasingly under threat. Attackers now weaponize trusted development tools and AI agents to bypass traditional defenses.

With Apiiro, organizations gain:

  • Unified visibility into dependencies and supply chain risks.
  • Automated, context-rich detection of malicious packages.
  • Guided, rapid remediation powered by the Risk Graph.

Apiiro makes it possible to consolidate threat detection and response into a single pane of glass—helping teams react faster and minimize the impact of emerging supply chain threats.

Keep your organization ahead of supply chain threats. Contact Apiiro to learn how our platform can help detect and neutralize malicious packages like those found in the Nx incident.