A threat actor published malicious updates to the npm package repository for components of a tool popular among developers, with the aim of stealing cryptocurrency and key developer data.
According to a report by StepSecurity, the attack started in the morning of August 26, when version 21.5.0 of Nx was released to the npm registry.
Nx is an open-source build platform widely used by developers to automate and streamline code testing, building and deployment workflows.
Version 21.5.0 of Nx was compromised with data-stealing malware. Seven other versions of Nx that were released over the next hours and the next day were also infected.
AI-Assisted Attack: Nx Infections Leak Secrets via Victim-Owned Repos
The compromised Nx versions included a malicious script designed to exploit local AI command-line interface (CLI) tools, which used large language models, such as Anthropic’s Claude, Google’s Gemini and the Amazon Q coding assistant, by injecting a crafted prompt that forced these agents to scan the infected system for sensitive files.
The targets included GitHub and npm tokens, SSH keys, environment variable secrets (like .env files) and cryptocurrency wallet data.
Once collected, the stolen information was encoded and saved into a single file.
The script then abused the GitHub application programming interface (API) to automatically create a new public repository under the victim’s own account using the naming pattern “s1ngularity-repository-”, where the stolen data was uploaded.
This method eliminated the need for an external command-and-control (C2) server, instead leveraging the victim’s own infrastructure to host the exfiltrated files, which could later be harvested by the attacker while minimizing direct traceability.
Additionally, the malware changed the user’s shell configuration files (~/.bashrc and ~/.zshrc) to insert a shutdown command, ensuring the developer’s machine would reboot every time a new terminal session started. This move was likely intended to enhance persistence of the infection or disrupt forensic analysis.
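A check for the shell-configuration tampering described above, as an added example that is not code from StepSecurity or the Nx project. The article does not quote the injected line, so the pattern is an assumed heuristic that flags any power-state command in command position, and the sample file content is constructed.

```python
import re
from pathlib import Path

# The two files the article says were modified.
RC_FILES = (".bashrc", ".zshrc")

# Assumption: the injected line is not quoted in the article, so this flags
# any power-state command that sits where the shell would execute it.
POWER_CMD = re.compile(r"(?:^|[;&|(]|\bsudo\s)\s*(shutdown|reboot|poweroff|halt)\b")


def suspicious_lines(text):
    """Return (line_number, line) for uncommented lines invoking a power command."""
    hits = []
    for number, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if line and not line.startswith("#") and POWER_CMD.search(line):
            hits.append((number, line))
    return hits


def scan_home(home):
    """Scan the rc files under `home`; missing or unreadable files are skipped."""
    report = {}
    for name in RC_FILES:
        path = Path(home) / name
        try:
            hits = suspicious_lines(path.read_text(errors="replace"))
        except OSError:
            continue
        if hits:
            report[str(path)] = hits
    return report


# Constructed sample rc file: only the last line should be flagged.
SAMPLE_RC = "\n".join([
    "# ~/.bashrc (constructed sample)",
    'export PATH="$HOME/bin:$PATH"',
    "alias off='echo shutdown is disabled'",
    "# shutdown -h now",
    "sudo shutdown -h now",
])

if __name__ == "__main__":
    print("sample:", suspicious_lines(SAMPLE_RC))
    for rc_path, found in scan_home(Path.home()).items():
        for number, line in found:
            print(f"{rc_path}:{number}: {line}")
```

A hit is a prompt to inspect the line by hand, since a developer may have added such a command deliberately.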
The predictable repository naming convention made the stolen data easily identifiable on GitHub, though it also left a trail that might expose the attacker’s collection method.
By avoiding third-party servers entirely, the attack relied on the victim’s own accounts to store and transmit the loot, a tactic that complicates attribution but also increases the risk of detection.
StepSecurity said that the popularity of Nx tools meant users identified the attack quickly and the eight malicious package versions remained live only for five hours and 20 minutes before being taken down.
“In that short window, thousands of developers may have been exposed,” the report said.
Second Wave of Attack: GitHub CLI OAuth Tokens on High Alert
The StepSecurity report warned of a second wave of attacks stemming from the Nx credential leaks, first disclosed on August 28 by Brian Kohan, a software architect at the NASA Jet Propulsion Laboratory, and Adnan Khan, a security engineer and researcher.
In this new wave, attackers started weaponizing stolen credentials to expose and duplicate private organizational repositories, thus escalating the breach’s impact.
The attack follows a two-stage approach:
- First, threat actors rename private repositories to follow the pattern s1ngularity-repository-{random-string} before forcibly converting them to public access, exposing sensitive code and secrets
- Second, they fork these repositories into compromised user accounts, ensuring the stolen data remains accessible even if the original repositories are later secured
Thousands of such repositories have now surfaced on GitHub. The attack disproportionately targets GitHub CLI OAuth tokens, which provide attackers with prolonged access, amplifying the risk of persistent exploitation.
Infection Assessment and Mitigation and Remediation Recommendations
The StepSecurity researchers said these attacks mark a “new frontier in supply chain attacks.”
“This is the first known case where malware harnessed developer-facing AI CLI tools – turning trusted AI LLM assistants into reconnaissance and exfiltration agents,” they wrote.
People who want to know if they or their organization have been affected can use the following GitHub query, replacing ‘acme’ with their GitHub organization name: https://github.com/search?q=is%3Aname+s1ngularity-repository+org%3Aacme&type=repositories&s=updated&o=desc
For those who have been impacted, the StepSecurity researchers recommended following these steps:
- Make any exposed organization repositories private again
- Disconnect affected user(s) from the organization while mitigating this issue
- Revoke all access tokens for each affected user, including installed apps, authorized apps, OAuth tokens (especially GitHub CLI tokens), SSH keys and GPG keys
- Delete any forked repositories from affected user accounts that may contain sensitive organizational data
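The name search and the remediation steps above can be applied to a whole repository inventory at once. The following is an added example, not StepSecurity's tooling: it assumes the inventory is a list of repository objects carrying the `name`, `full_name`, `private`, `fork` and `owner` fields of GitHub's REST API, and the organization and user names in the sample are constructed.

```python
PREFIX = "s1ngularity-repository"  # naming pattern reported in the article


def triage(repos):
    """Return (full_name, finding, action) for each repository matching the prefix."""
    findings = []
    for repo in repos:
        if not repo["name"].startswith(PREFIX):
            continue
        owner_is_org = repo["owner"]["type"] == "Organization"
        if owner_is_org and not repo["private"]:
            finding, action = "org repo renamed and made public", "make private again"
        elif owner_is_org:
            finding, action = "org repo renamed, now private", "verify visibility"
        elif repo["fork"]:
            finding, action = "fork in user account", "delete fork"
        else:
            finding, action = "repo created in user account", "revoke user's tokens and keys"
        findings.append((repo["full_name"], finding, action))
    return findings


def affected_users(repos):
    """Logins of user accounts holding a matching repository (token revocation list)."""
    return sorted({r["owner"]["login"] for r in repos
                   if r["name"].startswith(PREFIX) and r["owner"]["type"] == "User"})


def _repo(owner, owner_type, name, private, fork):
    """Build one constructed inventory entry in the assumed REST API shape."""
    return {"name": name, "full_name": f"{owner}/{name}", "private": private,
            "fork": fork, "owner": {"login": owner, "type": owner_type}}


# Constructed sample inventory; none of these names come from the article.
SAMPLE = [
    _repo("example-org", "Organization", "billing-service", True, False),
    _repo("example-org", "Organization", "s1ngularity-repository-ab12c", False, False),
    _repo("dev-alice", "User", "s1ngularity-repository-ab12c", False, True),
    _repo("dev-bob", "User", "s1ngularity-repository", False, False),
    _repo("dev-bob", "User", "dotfiles", False, False),
]

if __name__ == "__main__":
    for full_name, finding, action in triage(SAMPLE):
        print(f"{full_name}: {finding} -> {action}")
    print("revoke credentials for:", ", ".join(affected_users(SAMPLE)))
```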
StepSecurity also provided a comprehensive remediation plan users can follow.