NX build compromise detection and response | Kaspersky official blog
Packages of Nx, the popular build platform and CI/CD optimization system, were compromised on the night of August 26-27. A malicious script was added to the system's packages, which, according to npm repository statistics, have more than five million weekly downloads. Thousands of developers who use Nx to accelerate and optimize application development had their sensitive data stolen: npm and GitHub tokens, SSH keys, cryptocurrency wallets, and API keys were uploaded to public GitHub repositories. The massive leak of secrets poses a long-term supply chain risk: even after the malicious packages are removed from affected systems, attackers holding unrotated tokens may still be able to compromise the applications those thousands of developers build and publish.
Attack and response chronology
The attackers used a compromised npm token issued to one of the Nx package maintainers to publish multiple malicious versions of the Nx package and its plugins in the two hours between 22:32 UTC on August 26 and 0:37 UTC on August 27. About two hours later, npm removed all compromised versions of the packages, and an hour after that the Nx maintainers revoked the stolen token, so the attackers lost the ability to publish further Nx packages. Meanwhile, thousands of public repositories containing data stolen by the malicious script began appearing on GitHub.
At 9:05 UTC on August 27, GitHub responded by making all leaked repositories private and unsearchable. Nevertheless, the stolen data was publicly available for more than nine hours, and was downloaded multiple times by groups of cybercriminals and researchers. A total of 19 compromised versions of Nx and plugins were released:
- nx: 20.9.0, 20.10.0, 20.11.0, 20.12.0, 21.5.0, 21.6.0, 21.7.0, 21.8.0
- @nx/devkit: 20.9.0, 21.5.0
- @nx/enterprise-cloud: 3.2.0
- @nx/eslint: 21.5.0
- @nx/js: 20.9.0, 21.5.0
- @nx/key: 3.2.0
- @nx/node: 20.9.0, 21.5.0
- @nx/workspace: 20.9.0, 21.5.0
How this attack was possible
For a short time starting on August 21, the Nx repository contained a vulnerable GitHub Actions workflow that allowed arbitrary command injection. The attackers took advantage of this on August 24 to modify publish.yml and exfiltrate an npm token with rights to publish the packages. Although the vulnerable workflow was fixed, the token leak went unnoticed until the token was used in the attack on August 26.
Malware features and targets
The Nx packages were trojanized with a malicious post-install script, telemetry.js. It targets development environments on macOS and Linux; when run on Windows, the script exits immediately.
Once run, the script searches the affected system for the following types of data:
- MetaMask, Electrum, Ledger, Trezor, Exodus, Phantom and Solflare key stores and cryptocurrency wallets
- Generic key storage files (*key, *keystore.json, UTC-- keystore files, IndexedDB)
- GitHub personal access tokens
- npm access tokens
- .env files
- SSH private keys (id_rsa)
Notably, the search was delegated to popular LLM command-line tools where available: if the Anthropic Claude, Amazon Q or Google Gemini CLI was installed, the script invoked it with a prompt instructing the model to search the file system for all of the listed data types and record the paths it found in an inventory file, effectively turning the developer's own AI assistant, and its file-system permissions, into a reconnaissance tool.
All found data was uploaded to GitHub in obfuscated form — encoded in base64 multiple times. To do this, the malware used stolen GitHub tokens, created a publicly accessible s1ngularity-repository, s1ngularity-repository-0, or s1ngularity-repository-1 on behalf of the victim, and uploaded a single results.b64 file there.
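Because results.b64 is only base64 applied repeatedly, not encryption, anyone who fetched the repository could read it, and so can the victim. The following Node.js script is an added example, not code from this post or from the Nx project: it peels off however many base64 layers are present (stopping when the output is no longer valid base64 or no longer printable text, so a short plaintext that merely looks like base64 is not decoded into junk) and then flags well-known credential prefixes in the recovered text so you know what to rotate first. The sample payload, the fake tokens inside it, the layer count and the prefix list are this example's own constructions, not data from the incident.

```javascript
// Added example, not code from the original post or from the Nx project.
// Peels an unknown number of base64 layers off a results.b64-style blob and
// flags well-known credential prefixes in the recovered plaintext.
// SAMPLE_INVENTORY is CONSTRUCTED for this example and contains no real data.

const FAKE_GITHUB_PAT = "ghp_" + "x".repeat(36); // constructed, not a real token
const FAKE_NPM_TOKEN = "npm_" + "y".repeat(36);  // constructed, not a real token

const SAMPLE_INVENTORY = JSON.stringify({
  note: "constructed sample for this example, not victim data",
  github_token: FAKE_GITHUB_PAT,
  npm_token: FAKE_NPM_TOKEN,
  env_files: ["/home/dev/app/.env"],
});

// Strict base64 check: Buffer.from(..., "base64") silently ignores bad input,
// so validate the alphabet and padding before treating text as another layer.
function looksLikeBase64(text) {
  const s = text.replace(/\s+/g, "");
  return s.length > 0 && s.length % 4 === 0 && /^[A-Za-z0-9+/]+={0,2}$/.test(s);
}

// Guard against over-decoding: a short plaintext such as "test" is valid
// base64 but decodes to binary junk, which must not replace the real result.
function isMostlyPrintable(text) {
  if (text.length === 0 || text.includes("\uFFFD")) return false;
  let printable = 0;
  for (const ch of text) {
    const c = ch.charCodeAt(0);
    if ((c >= 0x20 && c <= 0x7e) || c === 0x0a || c === 0x0d || c === 0x09) printable++;
  }
  return printable / text.length >= 0.95;
}

// Encodes `layers` times; used only to build the sample blob.
function encodeLayers(text, layers) {
  let out = text;
  for (let i = 0; i < layers; i++) out = Buffer.from(out, "utf8").toString("base64");
  return out;
}

// Returns { layers, plaintext }: how many layers were removed and the result.
// maxLayers bounds the loop on malformed input.
function decodeLayers(blob, maxLayers = 16) {
  let current = blob;
  let layers = 0;
  while (layers < maxLayers && looksLikeBase64(current)) {
    const decoded = Buffer.from(current.replace(/\s+/g, ""), "base64").toString("utf8");
    if (!isMostlyPrintable(decoded)) break; // previous value was the real plaintext
    current = decoded;
    layers++;
  }
  return { layers, plaintext: current };
}

// Public credential prefixes, used to triage what to rotate first.
// This pattern list is the example's assumption; extend it for your own secret formats.
const TOKEN_PATTERNS = [
  { kind: "github_classic_pat", re: /\bghp_[A-Za-z0-9]{36}\b/g },
  { kind: "github_fine_grained_pat", re: /\bgithub_pat_[A-Za-z0-9_]{22,}\b/g },
  { kind: "npm_token", re: /\bnpm_[A-Za-z0-9]{36}\b/g },
  { kind: "aws_access_key_id", re: /\bAKIA[0-9A-Z]{16}\b/g },
  { kind: "private_key_block", re: /-----BEGIN (?:RSA |OPENSSH |EC )?PRIVATE KEY-----/g },
];

// Returns [{ kind, redacted }] so the triage report does not itself leak the secret.
function findCredentials(plaintext) {
  const hits = [];
  for (const { kind, re } of TOKEN_PATTERNS) {
    for (const m of plaintext.matchAll(re)) {
      hits.push({ kind, redacted: m[0].slice(0, 8) + "..." });
    }
  }
  return hits;
}

if (typeof require !== "undefined" && require.main === module) {
  // With a path argument, decode a downloaded results.b64; otherwise use the
  // constructed three-layer sample as a stand-in.
  const blob = process.argv[2]
    ? require("fs").readFileSync(process.argv[2], "utf8")
    : encodeLayers(SAMPLE_INVENTORY, 3);
  const { layers, plaintext } = decodeLayers(blob);
  console.log(`removed ${layers} base64 layer(s)`);
  console.log(findCredentials(plaintext));
}
```

Run it as `node decode_results.js path/to/results.b64` (file name assumed). The report prints only the first characters of each match, so the triage output does not become a second leak; the full plaintext stays in memory for the investigator to inspect.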
The attackers were evidently aiming to exploit the stolen data quickly: the malicious script made no attempt at stealth and instead tried aggressively to lock victims out of their own machines. It appended a sudo shutdown command to ~/.bashrc and ~/.zshrc, so that every new interactive terminal session immediately tried to shut the system down.
How to test your systems
Organizations using Nx should check their package versions, and audit their GitHub accounts and logs.
- Check the Nx package versions in use with npm ls nx (and likewise for the plugins, e.g. npm ls @nx/devkit)
- Check package-lock.json (or your package manager's lockfile) for any of the compromised versions listed above
- Check GitHub's security log and audit log for unexpected events, such as new repositories, new personal access tokens or SSH keys, or changes to workflows
If repositories named s1ngularity-repository* exist under your account or organization, download the results.b64 file from each for investigation (it records what the malware found, and therefore what must be rotated), then delete the repositories from GitHub.
When malicious repositories are detected:
- Remove node_modules completely: rm -rf node_modules
- Clean the npm cache: npm cache clean --force
- Remove the appended shutdown line, and any other unfamiliar commands, from ~/.bashrc and ~/.zshrc
- Make an archive copy for investigation, then delete /tmp/inventory.txt and /tmp/inventory.txt.bak
- Remove the malicious package versions from package-lock.json
- Reinstall known-safe versions of the packages
The most critical and urgent action for compromised systems is to rotate every secret the malware may have reached: GitHub PATs, npm tokens, SSH keys, API keys in .env files, and Claude, Gemini and Q keys. Revoke the old credentials rather than merely issuing new ones alongside them, since the attackers may already hold copies.
You should also keep monitoring your GitHub repositories. First, even after all these steps, trojanized Nx versions may remain on some compromised systems and continue to exfiltrate data. Second, if the attackers used the stolen tokens before you rotated them, this will most likely show up as unauthorized commits or malicious changes to GitHub Actions workflows.