Supply chain attack via Nx rages on GitHub

This week, cyber attackers have been attempting to steal sensitive data from developers via malicious versions of Nx. Legitimate-looking variants of the Nx build system were publicly available via the npm registry. Although GitHub has already taken action, Wiz points out that compromises are still occurring.

Nx is mainly used by JavaScript and TypeScript developers to manage software projects. These often involve complex codebases, with Nx maintaining an overview and ensuring that different components continue to work well together. Downloading a malicious version of the tool can invite enormous security threats due to the deep integration with sensitive data.

The malicious Nx versions appeared online last Tuesday. They contained a script that, once installed, hunted for that sensitive data on developers' machines. Wiz Threat Research notes that cryptocurrency, tokens for GitHub and npm, and SSH keys are among the intended loot. The attack campaign is known as ‘s1ngularity’, a name that can be found in compromised repositories that have been renamed.

AI comes to the attackers’ aid

It is striking that command-line assistants such as Claude, Gemini, and Amazon Q helped the attackers in their search. What followed was an 8-hour period during which affected users could lose their data; after that, GitHub stopped the exfiltration attempts. On Wednesday, August 27, Wiz discovered that this attempt was insufficient: new repositories were added again.

Yesterday, it turned out that the root cause was an error within a GitHub Actions workflow. This allowed code injection via pull request titles that were not checked. New branches have a fix, but old variants remain in use. On the same day, Wiz and security researcher Adnan Khan discovered that a new wave was taking place, making private repositories public. According to Wiz, 3,000 repositories from more than 190 users/organizations have been affected.
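The root cause described above is the GitHub Actions expression-injection pattern: a workflow expression is expanded by the runner before the shell runs, so untrusted text ends up inside the command itself. As an added illustration (not the Nx project's own workflow; job and step names are made up), a weak step that interpolates the pull request title directly into a shell command, beside the corrected form that passes it through an environment variable:

```yaml
# Added illustration of the flaw class; not Nx's actual workflow.
# WEAK: `${{ ... }}` is substituted into the script text before bash sees it,
# so shell metacharacters in a PR title are executed as part of the command.
name: pr-title-check-weak
on:
  pull_request:
    types: [opened, edited]
jobs:
  check:
    runs-on: ubuntu-latest
    steps:
      - name: Check title
        run: |
          echo "Checking title: ${{ github.event.pull_request.title }}"
---
# CORRECTED: the untrusted value reaches the step only as an environment
# variable. Bash then treats it as data, and with quoting no part of the
# title is ever parsed as a command.
name: pr-title-check-hardened
on:
  pull_request:
    types: [opened, edited]
jobs:
  check:
    runs-on: ubuntu-latest
    steps:
      - name: Check title
        env:
          PR_TITLE: ${{ github.event.pull_request.title }}
        run: |
          echo "Checking title: $PR_TITLE"
```

The same rule applies to every attacker-controlled event field (branch names, commit messages, issue bodies), not only titles.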

Compromise

A malicious telemetry.js file, which only ran on Linux and macOS, carried out the attackers’ work remotely. This process was discovered by Step Security. Command-line assistants often helped with data exfiltration, even though the AI guardrails sometimes held.

The cleanup list for organizations is clear. Malicious Nx variants must be removed and replaced with a new, secure version. Malicious shell entries must also be eliminated, and systems should be checked for /tmp/inventory.txt and .bak files, which should not be present.

In addition, Wiz recommends the usual steps to prevent or mitigate such compromises: checking audit logs for malicious API usage, regenerating relevant tokens and keys, and securing any cryptocurrency.