Get discounts worth $1000 on our cybersecurity services

Grab the deal!
Schedule a call

Nx “s1ngularity” Supply Chain Attack: What You Need to Know and How to Protect Your Organization

Claim My Free Cybersecurity Test
Nx “s1ngularity” Supply Chain Attacks- What You Need to Know and How to Protect Your Organization
Get Started Now!

Table of Contents

Executive Summary

As of August 26, 2025, threat actors uploaded malicious versions of the Nx build system packages to the npm registry. The malware hidden within these packages was engineered to steal developer secrets, such as GitHub tokens, npm tokens, SSH keys, environment files, and even cryptocurrency wallets.

The most worrying aspect of this incident is that it integrated AI command-line tools (Claude, Gemini, and Q) to advance reconnaissance and exfiltration. This is the first known incident where developers’ AI tools were maliciously used to escalate a supply chain attack.

Within hours, thousands of GitHub repositories were created inside victim accounts named s1ngularity-repository, publicly leaking stolen data. Although GitHub disabled many of these repos, the exposure window was enough for attackers to harvest credentials at scale.

This attack serves as a stark reminder for businesses that depend on open-source packages within their software development pipelines.

What Happened?

  • Attackers compromised an npm publishing token belonging to an Nx maintainer.
  • Eight malicious versions of Nx and multiple plugins were released:
    • nx: 20.9.0 → 20.12.0, 21.5.0 → 21.8.0
    • @nx/devkit, @nx/js, @nx/node, @nx/workspace, @nx/eslint, @nx/key, @nx/enterprise-cloud
  • A malicious telemetry.js file executed on install, performing:
    • File system scanning for .env, SSH keys, keystores, wallets
    • Token harvesting (gh auth token, npmrc, API keys)
    • Persistence/DoS: appending sudo shutdown -h 0 to ~/.bashrc and ~/.zshrc
    • AI exploitation: using local AI CLIs with dangerous flags (--dangerously-skip-permissions, --trust-all-tools) to expand reconnaissance
    • Exfiltration: creating GitHub repos named s1ngularity-repository and uploading triple-base64 encoded results.b64 files with stolen secrets

Impact window: ~5 hours of active distribution + ~8 hours of public repo exposure.

Why This Attack Matters

  1. AI Abuse in Malware
    Attackers turned trusted AI CLIs into unwitting accomplices, bypassing guardrails and expanding attack surface.
  2. Developer Assets as Targets
    Stolen SSH keys, GitHub tokens, and .env files provide direct entry points into CI/CD pipelines and cloud infrastructure.
  3. Supply Chain Blast Radius
    With Nx downloaded 4M+ times/week, the potential reach of this compromise is enormous.

What Organizations Should Do Immediately

1. Bluefire Redteam Scanner

To help developers and security teams quickly detect exposure, Bluefire Redteam has released a free, open-source scanner on npm.

Run it instantly with:

npx @bluefire-redteam/nx-s1ngularity-check

⚠️ Important: Always use the scoped package @bluefire-redteam/nx-s1ngularity-check.
Do not use any unscoped package — it is unrelated and may confuse users.

What it detects

  • Malicious Nx versions in lockfiles (package-lock.json, yarn.lock, pnpm-lock.yaml)
  • Node modules payloads containing telemetry.js
  • Host IoCs (sudo shutdown -h 0 in .bashrc/.zshrc, /tmp/inventory.txt*)
  • Exfil files (results.b64) with automatic triple base64 decoding
  • GitHub repos created by the malware (s1ngularity-repository*) using your token

References

Integrate it into your local dev environment or CI/CD pipelines to prevent silent exposure.

2. If you are affected, then:

1. Remove Malicious Versions

rm -rf node_modules
npm cache clean --force
npm install nx@latest

2. Rotate All Credentials

  • GitHub: Revoke PATs and OAuth apps, enforce 2FA
  • npm: Revoke tokens
  • SSH keys: Generate new pairs
  • Cloud/API keys: Rotate environment secrets
  • Crypto wallets: Move funds to new wallets

3. Monitor Logs & Pipelines

  • Review GitHub audit logs for unexpected repo.create events
  • Monitor CI/CD for anomalous API calls during npm install
  • Use runtime monitoring (e.g., StepSecurity Harden-Runner, Wiz Threat Center)

Broader Implications

This compromise represents a new frontier in supply chain threats:

  • AI Weaponization: Expect more attackers to hijack LLM-powered tools.
  • Pipeline Risk: CI/CD is no longer safe from package-based malware.
  • Trust Erosion in OSS: Token compromise of a maintainer account can impact millions.

Organizations must move toward Zero Trust for developer environments — assume that even trusted dependencies can be hostile.

How Bluefire Redteam Can Help Further

At Bluefire Redteam, we specialize in supply chain security and real-world adversary simulation. Our teams can help you:

  • Run SBOM-based audits to detect malicious dependencies across repos.
  • Deploy runtime detection for CI/CD pipelines.
  • Conduct secret exposure reviews and credential hygiene workshops.
  • Perform Purple Teaming exercises simulating real-world supply chain compromises.

Conclusion

The Nx “s1ngularity” incident shows us that supply chain attacks are evolving — and now include AI-assisted malware. Developers and organizations must act quickly to detect, contain, and recover from such compromises.

You can lessen your chances of becoming the next victim by hardening your pipelines now and learning from this attack.

References

Get started Instantly!

Detect Vulnerabilities and Remediate in Real-Time.

Get Started

Subscribe to our newsletter now and reveal a free cybersecurity assessment that will level up your security.

  • Instant access.
  • Limited-time offer.
  • 100% free.

🎉 You’ve Unlocked Your Cybersecurity Reward

Your exclusive reward includes premium resources and a $1,000 service credit—reserved just for you. We’ve sent you an email with all the details.

What’s Inside

The 2025 Cybersecurity Readiness Toolkit
(A step-by-step guide and checklist to strengthen your defenses.)

$1,000 Service Credit Voucher
(Available for qualified businesses only)

Get started in no time!