Nx Build System Supply Chain Attack Exposes GitHub Tokens and Private Repositories

Severity: High (Score: 67.5)

Sources: Scworld, www.wiz.io, socket.dev

Summary

On August 26, 2025, malicious versions of the Nx build system package were published to npm. Each carried a post-install script that, on Linux and macOS hosts, harvested developer secrets and other sensitive assets and pushed them to public GitHub repositories. GitHub disabled those repositories on August 27, but during the intervening window their contents could be downloaded by anyone, including other attackers. More than 1,000 valid GitHub tokens were exposed, affecting over 400 users and organizations, and the stolen tokens were then used to turn more than 5,500 private repositories public. The malware also invoked AI command-line assistants (Amazon Q CLI, Claude and Gemini) to drive its reconnaissance for credentials and data worth stealing. A separate follow-on operation, tracked as UNC6426, used the stolen tokens to breach AWS environments within 72 hours. The incident highlights how much trust the npm ecosystem places in install-time scripts and the need for faster, better-coordinated response when a package is compromised.

Key Points:

  • Malicious Nx package versions exfiltrated sensitive developer data to public GitHub repositories.
  • More than 1,000 GitHub tokens were leaked, affecting over 400 users and organizations.
  • AI command-line tools were weaponized to perform reconnaissance during the supply chain attack.

Key Entities

  • Data Breach (attack_type)
  • Malware (attack_type)
  • Supply Chain Attack (attack_type)
  • Axios Compromise (campaign)
  • NX Compromise (campaign)
  • UNC6426 (apt_group)
  • North Korea (country)
  • CWE-200 - Exposure of Sensitive Information (cwe)
  • CWE-269 - Improper Privilege Management (cwe)
  • CWE-94 - Code Injection (cwe)
  • Shai-Hulud (malware)
  • T1059.007 - JavaScript (mitre_attack)
  • T1059 - Command and Scripting Interpreter (mitre_attack)
  • T1078 - Valid Accounts (mitre_attack)
  • T1083 - File And Directory Discovery (mitre_attack)
  • T1195 - Supply Chain Compromise (mitre_attack)
  • AWS (company)
  • GitHub (platform)
  • Linux (platform)
  • MacOS (platform)
  • Windows (platform)
  • 2379ac0e03b1a67c4ca5693136eff4945e644a91 (sha1)
  • b4f20b39aa6df1002872f07973024d85aa49abaf (sha1)
  • d2438106211ebd12c4f0a248848bc9864c97a3c0 (sha1)
  • e5d1f3c45ee7cca6ae59cf64e0573050bbe136ec (sha1)
  • Amazon Q CLI (tool)
  • Claude (tool)
  • Gemini (tool)
  • Q (tool)
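The two things a developer most wants to check after reading this are whether anything in a checkout still declares an install-time lifecycle hook (the mechanism the malicious Nx versions used to run their harvester) and whether any file on disk matches the SHA-1 indicators listed above. The script below is an added example for this page, not code from the advisory sources or from the Nx project; it assumes a POSIX sh with `find`, `sed` and either `sha1sum` (Linux) or `shasum` (macOS), and it reads package.json with sed rather than a JSON parser, which is adequate for triage but not for hostile input.

```shell
#!/bin/sh
# Added defensive example (not code from the advisory or from the Nx project).
# Two checks to run against a checkout after the Nx incident:
#   1. enumerate every package under node_modules that declares an
#      install-time lifecycle hook (preinstall/install/postinstall), the
#      mechanism the malicious Nx versions used to run their harvester;
#   2. compare every file under the tree against the SHA-1 indicators
#      published for this incident.
# Works with POSIX sh on Linux (sha1sum) and macOS (shasum).

# SHA-1 indicators copied from the Key Entities list above; kept as a
# plain newline-separated list so callers can append their own values.
IOC_SHA1="2379ac0e03b1a67c4ca5693136eff4945e644a91
b4f20b39aa6df1002872f07973024d85aa49abaf
d2438106211ebd12c4f0a248848bc9864c97a3c0
e5d1f3c45ee7cca6ae59cf64e0573050bbe136ec"

# Print the SHA-1 of one file, using whichever tool the host provides.
sha1_of() {
  if command -v sha1sum >/dev/null 2>&1; then
    sha1sum "$1" | cut -d' ' -f1
  else
    shasum -a 1 "$1" | cut -d' ' -f1
  fi
}

# Print "<package.json>: <hook>=<command>" for every install-time hook
# under $1. The JSON is read with sed, not a real parser: a command that
# contains an escaped quote is truncated at that quote, and a dependency
# literally named "install" would produce a false hit. Both are acceptable
# for a triage listing that a human reviews.
list_install_scripts() {
  find "$1" -name package.json -type f 2>/dev/null | while read -r pj; do
    for hook in preinstall install postinstall; do
      cmd=$(sed -n -E "s/.*\"$hook\"[[:space:]]*:[[:space:]]*\"([^\"]*)\".*/\1/p" "$pj" | head -n 1)
      if [ -n "$cmd" ]; then
        printf '%s: %s=%s\n' "$pj" "$hook" "$cmd"
      fi
    done
  done
}

# Hash every regular file under $1 and print "<sha1> <path>" for each
# hash that appears in $IOC_SHA1.
scan_iocs() {
  find "$1" -type f 2>/dev/null | while read -r f; do
    h=$(sha1_of "$f")
    [ -n "$h" ] || continue
    case "$IOC_SHA1" in
      *"$h"*) printf '%s %s\n' "$h" "$f" ;;
    esac
  done
}

# Entry point: audit the tree given as $1 (default: ./node_modules).
audit_tree() {
  root="${1:-node_modules}"
  printf '== install-time lifecycle hooks under %s ==\n' "$root"
  list_install_scripts "$root"
  printf '== files matching the listed SHA-1 indicators ==\n'
  scan_iocs "$root"
}

if [ $# -gt 0 ]; then
  audit_tree "$1"
fi
```

Run it as `sh audit.sh node_modules` from the project root. Anything the first section lists deserves a look before the next `npm install`; to stop hooks running by default, set `ignore-scripts=true` in the project's `.npmrc` (or run `npm ci --ignore-scripts`) and opt individual packages back in only after review. A hash match is confirmation of exposure, but an empty second section is not proof of safety: the indicators cover only the files published for this incident, so any GitHub or npm token that was present on a machine that installed one of the malicious versions should be rotated regardless.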