The Nx package is a core developer tool with over 3.5 million weekly downloads on npm. It recently suffered a major security incident after a vulnerability in its GitHub Actions workflows was exploited. The maintainers reported the issue on August 26, 2025, revealing that the compromise stemmed from a flawed workflow introduced only days earlier, on August 21, 2025. Attackers took advantage of this vulnerability to execute code through a specially crafted pull request (PR) title, and ultimately exposed a wealth of sensitive information, including GitHub, cloud, and AI credentials.
The attack on the Nx software supply chain has alarmed the tech community because of its scale and sophistication. Researchers discovered that around 90% of the 1,007 GitHub tokens leaked in the attack were still valid. Nx is designed to be plugged into editors and Continuous Integration (CI) pipelines; it was a flaw in the project's own CI workflow, rather than in the package itself, that allowed attackers to execute arbitrary commands.
Vulnerability Details and Exploitation
The root cause of the breach was the pull_request_target trigger used by the compromised workflow. Unlike the default pull_request trigger, pull_request_target runs the workflow in the context of the base repository, with a GITHUB_TOKEN that has read/write access to it and with access to repository secrets. The workflow interpolated the PR title directly into a shell command, so anyone who opened a PR with a crafted title could run arbitrary commands with those privileges, with potentially huge consequences.
“The pull_request_target trigger was used as a way to trigger the action to run whenever a PR was created or modified,” stated the nx team in their official report. They pointed out that this trigger executes workflows with escalated permissions, which differs from the default pull_request trigger.
The injected command caused the PR validation workflow to run publish.yml on the attacker's commit. That job had access to the project's npm token, which was exfiltrated and then used to publish malicious versions of the nx packages to the public npm registry. The nx team explained, “As part of the bash injection, the PR validation workflows triggered a run of the publish.yml with this malicious commit and sent our npm token to an unfamiliar webhook.” The malicious packages carried a payload that scanned the file systems of machines where they were installed, collected sensitive credentials, and uploaded the data to GitHub under the victims' own accounts.
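The injection described above comes down to one mechanic: a `${{ ... }}` expression is substituted into the text of a `run:` step before the shell parses it, so an attacker-controlled PR title becomes part of the command line. The following shell script is an added example, not the nx project's workflow or the attacker's payload; it simulates that substitution with a `__TITLE__` placeholder standing in for `${{ github.event.pull_request.title }}`, uses a constructed token value and a constructed malicious title, and shows the vulnerable form beside the hardened form that passes the title through an environment variable.

```shell
#!/bin/sh
# Added example, not code from the nx project: a stand-alone simulation of how a
# GitHub Actions `run:` step becomes a shell-injection sink when an attacker-
# controlled field such as the PR title is interpolated with ${{ ... }}.
#
# Hypothetical vulnerable step (workflow YAML, not the real nx workflow):
#
#   on: pull_request_target      # runs with the base repo's read/write token
#   jobs:
#     validate:
#       steps:
#         - run: |
#             echo "Validating PR title: ${{ github.event.pull_request.title }}"
#
# Hardened step: the title travels through an environment variable, so the
# shell receives it as data and never re-parses it as code:
#
#         - env:
#             PR_TITLE: ${{ github.event.pull_request.title }}
#           run: |
#             echo "Validating PR title: $PR_TITLE"

# Constructed stand-in for a repository secret visible to the workflow.
NPM_TOKEN='npm_constructed_secret_000'
export NPM_TOKEN

# In this simulation the placeholder __TITLE__ stands for
# ${{ github.event.pull_request.title }}.
UNSAFE_TEMPLATE='echo "Validating PR title: __TITLE__"'
SAFE_TEMPLATE='echo "Validating PR title: $PR_TITLE"'

# Mimics the Actions runner: the expression is substituted into the step TEXT
# before any shell parses it. Plain parameter expansion is used so that no
# sed/awk escaping rules interfere with the payload.
render_step() {
    tmpl=$1
    title=$2
    before=${tmpl%%__TITLE__*}
    after=${tmpl#*__TITLE__}
    printf '%s' "$before$title$after"
}

# Vulnerable: render the text, then hand the rendered text to a shell.
unsafe_step() {
    script=$(render_step "$UNSAFE_TEMPLATE" "$1")
    sh -c "$script"
}

# Hardened: the script text is fixed; the title only ever arrives as a value.
safe_step() {
    PR_TITLE=$1 sh -c "$SAFE_TEMPLATE"
}

# Returns 0 if the secret's VALUE appears in the captured step output,
# i.e. the injected command ran and read the secret.
has_secret_leak() {
    case "$1" in
        *"$NPM_TOKEN"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Constructed malicious title: closes the open double quote, runs an attacker
# command (here it echoes the token instead of sending it to a webhook), then
# reopens a quote so the rendered line stays syntactically valid.
MALICIOUS_TITLE='feat: tidy up"; echo "EXFIL npm_token=$NPM_TOKEN"; echo "'

echo '--- unsafe step (title spliced into script text) ---'
unsafe_step "$MALICIOUS_TITLE"
echo '--- safe step (title passed as environment variable) ---'
safe_step "$MALICIOUS_TITLE"
```

Run it with `sh`: the unsafe branch prints the constructed token value because the injected `echo` executed, while the safe branch prints the title verbatim, `$NPM_TOKEN` included as literal text. The environment-variable form removes the injection but does not shrink what the job can reach; with pull_request_target, also declare an explicit `permissions:` block with the minimum scopes the job needs and never check out and execute the PR head's code in that privileged context.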
Impact on Systems and Credential Leaks
The breach primarily affected Apple macOS hosts: approximately 85% of the impacted systems run that platform. Wiz researchers reported that dozens of valid cloud credentials and npm tokens were among the compromised material. Additionally, GitGuardian's attack surface analysis found that 33% of compromised systems had at least one LLM client deployed.
The payload also abused popular AI Command Line Interface (CLI) tools already installed on the victim's machine, invoking them with flags such as --dangerously-skip-permissions and --yolo, which disable the tools' permission prompts, and prompting them to enumerate the file system. According to a report from Wiz, “Notably, the campaign weaponized installed AI CLI tools by prompting them with dangerous flags to steal file system contents.”
The malicious payload is deeply alarming. It targets only Linux and macOS systems, where it systematically searches for sensitive files and extracts credentials, SSH keys and .gitconfig files.
Community Response and Recommendations
The attack has prompted a range of reactions from organizations and security practitioners. Ashish Kurmi from StepSecurity emphasized the growing sophistication of supply chain attacks following this incident: “Given the popularity of the nx ecosystem, and the novelty of AI tool abuse, this incident highlights the evolving sophistication of supply chain attacks.” He echoed the call for developers who might have installed the compromised versions to take immediate action. Immediate remediation, including rotating any credentials present on an affected machine, is essential for anyone who had the malicious versions installed.
In response to the incident, security leaders have called on developers to improve their security hygiene. Snyk suggested treating local AI coding agents like any other privileged automation: “restrict file and network access, review often, and don’t blindly run AI coding agents’ CLIs in YOLO modes.” This is a cautionary tale for developers to adopt proactive security measures when integrating AI tools into their development processes.
The nx team’s report summed up what went wrong: “What was missed is the warning that this trigger runs workflows with elevated permissions… We believe this is how the user got a hold of the npm token used to publish the malicious versions of nx.”