Investigations into the Nx "s1ngularity" NPM supply chain attack have revealed a massive fallout, with thousands of account tokens and repository secrets leaked.
According to a post-incident evaluation by Wiz researchers, the Nx compromise has resulted in the exposure of 2,180 accounts and 7,200 repositories across three distinct phases.
Wiz also stressed that the incident's scope of impact remains significant, as many of the leaked secrets remain valid, and so the effect is still unfolding.
The Nx "s1ngularity" supply chain attack
Nx is a popular open-source build system and monorepo management tool, widely used in enterprise-scale JavaScript/TypeScript ecosystems, having over 5.5 million weekly downloads on the NPM package index.
On August 26, 2025, attackers exploited a flawed GitHub Actions workflow in the Nx repository to publish a malicious version of the package on NPM, which included a post-install malware script ('telemetry.js').
The telemetry.js malware is a credential stealer targeting Linux and macOS systems. It attempted to steal GitHub tokens, npm tokens, SSH keys, .env files, and cryptocurrency wallets, and to upload the stolen secrets to public GitHub repositories named "s1ngularity-repository."
What made this attack stand out was that the credential stealer used locally installed command-line tools for artificial intelligence platforms, such as Claude, Q, and Gemini, to search for and harvest sensitive credentials and secrets using LLM prompts.
Image caption: LLM prompt used to search for and steal credentials and other secrets (Source: Wiz)