- After a token with publishing rights was stolen, several poisoned NX versions were published
- Malware stole secrets and other important data
- The attack lasted a few hours, but could still cause damage
Countless software developers, probably including those at Fortune 500 companies, have fallen victim to a supply chain attack after NX, the open source build system and development tool, was compromised.
In an announcement published on GitHub, NX said: “Malicious versions of NX and certain support plugins have been published” on NPM.
At the same time, Wiz security researchers published a separate announcement, saying that the malicious versions carried infostealer malware that harvested secrets such as GitHub and NPM tokens, SSH keys, cryptocurrency wallet information, etc., from the developers it hit.
Thousands of tokens disclosed
How NX was compromised remains unknown. Wiz thinks that the threat actors managed to obtain a token with publishing rights, which allowed them to push malicious versions to NPM, even though all maintainers had two-factor authentication (2FA) enabled at the time of the attack. Apparently, 2FA was not required to publish the packages.
The attack lasted about four hours before NPM removed all poisoned versions.
NX did not say how many companies could have been hit in this supply chain attack, but Wiz told The Register by e-mail that more than 1,000 valid GitHub tokens have been disclosed. In addition, the attackers stole approximately 20,000 files and “dozens” of valid cloud credentials and NPM tokens.
Affected users should contact the NX support team for help.
NPM and NX are extremely popular in the software development community, with more than 70% of Fortune 500 companies reportedly using it, so it may not be surprising that it is a constant target.
However, Step Security security researchers have found something unique: the malware “weaponized AI tools (including Claude, Gemini and Q) to aid reconnaissance and data exfiltration – marking the first known case where attackers have turned developers' AI assistants into tools for supply chain exploitation.”
“This technique forces the AI tools to recursively scan the file system and write discovered sensitive file paths to /tmp/inventory.txt, effectively using legitimate tools as accomplices in the attack.”
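For responders, the file path in that quote is a host indicator that also shows which secrets to rotate first. The following is an added example, not code from the article, NX, Wiz or Step Security: it checks for /tmp/inventory.txt and groups the listed paths by the secret types the article names. The one-path-per-line format, the path patterns, and the function names are assumptions.

```python
import re
from pathlib import Path

INVENTORY = Path("/tmp/inventory.txt")  # path named in the quote above

# Assumed path patterns for the secret types the article lists.
RULES = [
    ("ssh_keys", re.compile(r"/\.ssh/id_[^/.]+$")),  # skips id_*.pub
    ("npm_tokens", re.compile(r"/\.npmrc$")),
    ("github_tokens", re.compile(r"/(\.config/gh/hosts\.yml|\.git-credentials)$")),
    ("cloud_credentials", re.compile(r"/\.aws/credentials$")),
    ("crypto_wallets", re.compile(r"wallet|keystore", re.I)),
    ("env_files", re.compile(r"/\.env(\.[^/]+)?$")),
]

def triage(text):
    """Group inventory lines (assumed: one path per line) by secret type."""
    found = {}
    for line in text.splitlines():
        path = line.strip()
        if path:
            category = next((n for n, rx in RULES if rx.search(path)), "unclassified")
            found.setdefault(category, []).append(path)
    return found

def check_host(inventory=INVENTORY):
    """Return triage results if the indicator file exists, else None."""
    inventory = Path(inventory)
    if not inventory.is_file():
        return None
    return triage(inventory.read_text(errors="replace"))

# Constructed sample, not real malware output.
SAMPLE = """\
/home/dev/.ssh/id_ed25519
/home/dev/.ssh/id_ed25519.pub
/home/dev/.npmrc
/home/dev/.config/gh/hosts.yml
/home/dev/project/.env
/home/dev/Documents/wallet.dat
"""

if __name__ == "__main__":
    result = check_host()
    if result is None:
        print("indicator file absent; triaging constructed sample")
        result = triage(SAMPLE)
    for category, paths in sorted(result.items()):
        print(f"{category}: {paths}")
```

A missing file does not clear a host, since /tmp is often wiped on reboot; every credential in a matched category should be treated as exposed and rotated.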