Wave of npm supply chain attacks exposes thousands of enterprise developer credentials
Thursday August 28, 2025. 06:25 PM , from InfoWorld
A sophisticated supply chain attack has compromised the widely-used Nx build system package and exposed thousands of enterprise developer credentials. The campaign weaponized artificial intelligence tools to enhance data theft operations across enterprise development environments, according to a new report from security firm Wiz.
The attack began on August 26, 2025, when threat actors published multiple malicious versions of Nx packages to the npm registry. These compromised packages contained post-installation scripts designed to systematically harvest sensitive developer assets, the report said. The malware targeted cryptocurrency wallets, GitHub and npm tokens, SSH keys, and environment variables from infected enterprise systems.

“The malware leveraged installed AI CLI tools by prompting them with dangerous flags to steal filesystem contents, exploiting trusted tools for malicious reconnaissance,” Wiz researchers said in their report. “We have observed this AI-powered activity succeed in hundreds of cases, although AI provider guardrails at times intervened.”

The timing of the Nx compromise coincides with another significant npm supply chain discovery: JFrog announced it had separately uncovered eight malicious packages published on npm, including react-sxt, react-typex, and react-native-control, which contained “highly sophisticated multi-layer obfuscation, with over 70 layers of concealed code.”

“Open-source software repositories have become one of the main entry points for attackers as part of supply chain attacks, with growing waves using typosquatting and masquerading, pretending to be legitimate,” said a blog post by JFrog security researcher Guy Korolevski.

Multiple attack vectors target npm ecosystem

The JFrog-discovered packages targeted Chrome users on Windows with data theft capabilities designed to extract “sensitive Chrome browser data from all user profiles, including passwords, credit card information, cookies, and cryptocurrency wallets.” These packages used numerous evasion techniques including “shadow copy bypass, LSASS impersonation, multiple database access methods, and file-lock circumvention to avoid detection,” according to the JFrog post.

As for the Nx breach, its scope is substantial: Wiz researchers documented over 1,000 valid GitHub tokens, dozens of valid cloud credentials and npm tokens, and roughly 20,000 files leaked across thousands of publicly accessible attacker-controlled repositories. The stolen data was uploaded to repositories within victims’ GitHub accounts named with variations on “s1ngularity-repository.”

GitHub moved quickly to contain the damage, disabling all attacker-created repositories on August 27 at 9 a.m. UTC. However, “the exposure window lasted around 8 hours and was sufficient for these repositories to have been downloaded by the original attacker and other malicious actors,” the report noted.

AI tools weaponized in sophisticated attack

The Nx campaign stands out for its innovative use of AI tools as weapons. The malware prompted installed AI command-line interfaces including Claude, Gemini, and Q with dangerous permission flags such as “--dangerously-skip-permissions,” “--yolo,” and “--trust-all-tools” to extract filesystem contents and conduct reconnaissance operations.

“We have observed this AI-powered activity succeed in hundreds of cases, although AI provider guardrails at times intervened,” the Wiz report said.

The attack originated from a vulnerable GitHub Actions workflow that allowed code injection through unsanitized pull request titles. “The injection flaw enabled arbitrary command execution if a malicious PR title was submitted, while the pull_request_target trigger granted elevated permissions,” the researchers said.

The attack’s impact extended beyond individual developer machines to enterprise build pipelines and CI/CD systems. “In many cases, the malware appears to have run on developer machines, often via the NX VSCode extension. We’ve also observed cases where the malware ran in build pipelines, such as Github Actions,” researchers said in the report.

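
An added example (not from the Wiz report or the Nx project) of a check for the workflow flaw described above: it flags pull-request fields expanded directly inside a run: script and records whether the workflow uses pull_request_target. Both sample workflows, the function name audit_workflow and the list of untrusted fields are constructed for this illustration.

```python
import re

# Expression contexts a pull request author controls (a subset, chosen for this example).
UNTRUSTED = re.compile(
    r"\$\{\{\s*github\.(?:event\.pull_request\.(?:title|body|head\.ref)|head_ref)\s*\}\}")

def audit_workflow(text):
    """Flag untrusted ${{ }} expressions expanded inside run: scripts."""
    hits, run_indent, privileged = [], None, False
    for no, line in enumerate(text.splitlines(), 1):
        body = line.lstrip()
        if not body or body.startswith("#"):
            continue
        indent = len(line) - len(body)
        privileged |= bool(re.search(r"\bpull_request_target\b", body))
        if run_indent is not None and indent <= run_indent:
            run_indent = None  # a sibling key or the next step ends the script
        step = re.match(r"(-\s+)?run:", body)
        if step:
            run_indent = indent + len(step.group(1) or "")
        if run_indent is not None:
            hits += [(no, m.group(0)) for m in UNTRUSTED.finditer(body)]
    return {"privileged_trigger": privileged, "injections": hits}

# Constructed samples: the pattern the report describes, then a hardened form
# that passes the title through an environment variable instead.
VULNERABLE = """\
on:
  pull_request_target:
jobs:
  validate:
    runs-on: ubuntu-latest
    steps:
      - run: |
          echo "Title: ${{ github.event.pull_request.title }}"
"""
HARDENED = """\
on:
  pull_request:
permissions:
  contents: read
jobs:
  validate:
    runs-on: ubuntu-latest
    steps:
      - env:
          PR_TITLE: ${{ github.event.pull_request.title }}
        run: |
          echo "Title: $PR_TITLE"
"""
```

A finding with privileged_trigger set is the combination the researchers describe; the env: mapping in the hardened workflow is not flagged because the expression never reaches the shell as script text.
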
Enterprise remediation efforts underway

Both npm and the affected security vendors have taken action to remove the malicious packages. JFrog reported its findings to npm, and the malicious React packages have been removed from the repository. JFrog Xray has also been updated to detect the malicious packages, the blog added.

Multiple versions of core Nx components were compromised, including various releases of @nrwl/nx, nx, @nx/devkit, @nx/enterprise-cloud, and several other related packages across versions 20.9.0 through 21.8.0.

The stolen enterprise data was “double and triple-base64 encoded” before being uploaded to the malicious repositories, though this encoding method is “trivially decodable, meaning that this data should be treated as effectively public,” researchers warned in the report.

These incidents represent a growing threat to enterprise software supply chains, where organizations typically rely on hundreds or thousands of third-party packages. Unlike traditional perimeter-based attacks, supply chain compromises bypass most enterprise security controls by exploiting the inherent trust organizations place in legitimate software packages.

“The impact of sophisticated multi-layer campaigns designed to evade traditional security and steal sensitive data highlights the importance of having visibility across the entire software supply chain with rigorous automated scanning,” Korolevski said.

Wiz researchers recommend immediately removing malicious Nx versions and upgrading to clean releases, manually reviewing shell configuration files for malicious modifications, and conducting comprehensive credential rotation efforts.

“Revoke and regenerate all GitHub tokens, npm tokens, SSH keys, API keys, and environment variable secrets that may have been leaked in these repositories,” the Wiz report advised.

JFrog echoed similar advice, stating that “developers who downloaded or used these packages should rotate potentially compromised credentials, review their systems for suspicious activity, and ensure they are leveraging automated software supply chain security protections.”

The combination of AI-powered reconnaissance in the Nx attack and multi-layer obfuscation techniques in the React packages demonstrates how cybercriminals are rapidly adapting their methods to exploit enterprise developer environments.

“Although the compromised packages have been removed from npm, they may still be executed locally on systems where they were previously installed,” Wiz researchers warned.

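
An added example (not code from Wiz, JFrog or InfoWorld) of detection logic for the AI CLI abuse described above: it scans process events for the named tools started with the named flags and raises severity when a package-manager process is an ancestor. The event format, the sample events, the function names and the INSTALLERS list are assumptions made for this illustration.

```python
import shlex
from pathlib import PurePosixPath

AI_CLIS = {"claude", "gemini", "q"}  # tools named in the report
RISKY_FLAGS = {"--dangerously-skip-permissions", "--yolo", "--trust-all-tools"}
# Assumption: processes expected above an npm post-installation script.
INSTALLERS = {"npm", "npx", "node", "yarn", "pnpm"}

def exe_name(cmdline):
    """Basename of the executable in a command line, or '' if it is empty."""
    argv = shlex.split(cmdline)
    return PurePosixPath(argv[0]).name if argv else ""

def triage(events):
    """Return one alert per AI CLI process started with a permission-bypass flag."""
    alerts = []
    for ev in events:
        tool = exe_name(ev["cmdline"])
        if tool not in AI_CLIS:
            continue  # e.g. grep searching for the flag text is not an invocation
        args = shlex.split(ev["cmdline"])[1:]
        flags = sorted({a.split("=", 1)[0] for a in args} & RISKY_FLAGS)
        if not flags:
            continue
        from_install = any(exe_name(p) in INSTALLERS for p in ev["ancestors"])
        alerts.append({"pid": ev["pid"], "tool": tool, "flags": flags,
                       "severity": "high" if from_install else "review"})
    return alerts

# Constructed process events (format is an assumption; PROMPT and SCRIPT are placeholders).
SAMPLE_EVENTS = [
    {"pid": 4101, "cmdline": "/usr/local/bin/claude --dangerously-skip-permissions -p PROMPT",
     "ancestors": ["npm install", "node SCRIPT"]},
    {"pid": 4188, "cmdline": "gemini --yolo -p PROMPT", "ancestors": ["zsh"]},
    {"pid": 4200, "cmdline": "grep -rn -- --trust-all-tools docs/", "ancestors": ["bash"]},
    {"pid": 4215, "cmdline": "q chat 'summarise this diff'", "ancestors": ["npm run lint"]},
]

if __name__ == "__main__":
    for alert in triage(SAMPLE_EVENTS):
        print(alert)
```
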
https://www.infoworld.com/article/4047739/wave-of-npm-supply-chain-attacks-exposes-thousands-of-ente...