The maintainers of the Nx build system have disclosed a supply chain attack that led to the publication of malicious versions of the widely used npm package and several supporting plugins. According to an advisory issued Wednesday, the compromised packages contained code that scanned local file systems, collected user credentials, and covertly pushed the stolen data to GitHub repositories under victims’ accounts.
Nx, an open-source build platform used for managing large codebases, is advertised as an “AI-first build platform” and has over 3.5 million weekly downloads on npm. The malicious packages were uploaded to the npm registry on August 26, 2025, affecting multiple versions of nx as well as associated plugins like @nx/devkit, @nx/node, @nx/eslint, and @nx/workspace. The affected versions have since been removed from the registry.
The incident was traced back to a workflow vulnerability introduced on August 21, 2025. Specifically, the use of GitHub’s pull_request_target trigger created a security gap, as this trigger runs with elevated permissions—including access to a GITHUB_TOKEN with read/write rights. This token was misused to initiate a workflow designed to publish npm packages, which attackers leveraged to insert and distribute malicious code.
Although the workflow was quickly reverted in the master branch once identified, attackers appear to have exploited the flaw in an outdated branch where it remained active. By crafting a malicious pull request against this branch, they injected code that redirected npm tokens to a webhook under their control. These tokens were then used to publish tampered package versions directly to the npm registry.
The malicious modifications enabled attackers to establish persistence by exfiltrating npm tokens, setting up backdoors, and inserting code designed to harvest sensitive developer information. The campaign highlights how attackers are increasingly exploiting CI/CD pipelines and development workflows to compromise widely adopted open-source projects at scale.
This compromise mirrors other recent incidents across open-source ecosystems, demonstrating how attackers continue to target developers through supply chain attacks. In this case, the attackers exploited the trust developers place in the npm ecosystem and automated workflows, allowing them to weaponize a legitimate and popular package with millions of weekly downloads.
The Nx incident underscores the importance of hardening CI/CD workflows against abuse. Development teams should carefully review GitHub Actions configurations, limit token privileges, and implement automated scanning for malicious code in build pipelines. By prioritizing secure DevOps practices, organizations can better defend against attackers seeking to exploit supply chain trust at scale.
