Over 1,400 builders found at present {that a} malicious post-install script within the fashionable NX construct equipment silently created a repository named s1ngularity-repository of their GitHub accounts.
This repository incorporates a base64-encoded dump of delicate information pockets information, API keys, .npmrc credentials, setting variables, and extra harvested immediately from builders’ file programs.
Key Takeaways1. Malware within the NX construct device steals credentials and creates GitHub repos.2. Targets Claude and Gemini CLIs for superior information exfiltration.3. Delete suspicious repos, replace NX, and rotate secrets and techniques urgently.
AI-Assisted Knowledge Exfiltration
Semgrep stories that attackers leveraged the NX post-install hook through a file named telemetry.js to execute malicious code instantly after package deal set up.
The malware first collects setting variables and makes an attempt to find a GitHub authentication token through the GitHub CLI. Armed with credentials, it then creates a public repository comparable to s1ngularity-repository-0 and commits the stolen information in outcomes.b64.
What makes this marketing campaign notably novel is its integration with Claude Code CLI or Gemini CLI. If both AI-powered CLI is current, the malware points a rigorously crafted immediate to conduct fingerprintable filesystem scans:
This AI-driven method offloads the majority of signature-based filesystem enumeration to the LLM, complicating conventional malware detection.
Affected NX Variations and Mitigations
@nx/devkit 21.5.0, 20.9.0
@nx/enterprise-cloud 3.2.0
@nx/eslint 21.5.0
@nx/key 3.2.0
@nx/node 21.5.0, 20.9.0
@nx/workspace 21.5.0, 20.9.0
@nx 20.9.0–20.12.0, 21.5.0–21.8.0
Builders utilizing any impacted variations ought to instantly run:
or examine lockfiles for susceptible dependencies.
Seek for unauthorized repositories.
Delete any s1ngularity-repository* you discover.
Replace NX to protected model 21.4.1 (susceptible variations faraway from npm).
Rotate all uncovered secrets and techniques: GitHub tokens, npm credentials, SSH keys, setting variables.
Take away malicious shutdown directives in shell startup information (e.g., .bashrc).
Because the incident unfolds, organizations are urged to observe repository creations and implement strict post-installation auditing.
Discover this Story Attention-grabbing! Observe us on LinkedIn and X to Get Extra On the spot Updates.
