- After a token with publish rights was stolen, multiple poisoned Nx versions were released
- The malware stole secrets and other sensitive data
- The attack lasted only a few hours, but it could still be causing damage
Countless software developers, likely including some at Fortune 500 companies, fell victim to a supply chain attack after Nx, the open source build system and developer toolkit, was compromised.
In an advisory published on GitHub, Nx said that "malicious versions of Nx and some supporting plugins" had been published to npm.
At the same time, security researchers at Wiz published a separate advisory, saying the malicious versions carried malware that harvested secrets from affected developers, including GitHub and npm tokens, SSH keys, cryptocurrency wallet data and more.
Thousands of leaked tokens
How Nx was compromised is still unknown. Wiz believes the threat actors managed to obtain a token with publish rights, which let them push the malicious versions to npm even though every maintainer had two-factor authentication (2FA) enabled at the time of the attack. Apparently, 2FA was not required to publish the packages. That is the security-relevant detail: account-level 2FA protects interactive logins, but a publish token can release a package without ever triggering a 2FA prompt unless the package itself is configured to require 2FA for publishing and reject token-based publishes, so a single stolen token is enough.
The attack lasted approximately four hours before npm removed all of the poisoned versions.
Nx did not say how many companies may have been hit in the attack, but Wiz told The Register by email that more than 1,000 valid GitHub tokens were leaked. In addition, the attackers stole around 20,000 files and "dozens" of valid cloud credentials and npm tokens.
Affected users should contact the Nx support team for help.
Both npm and Nx are very popular in the software development community, with more than 70% of Fortune 500 companies reportedly using Nx, so it is perhaps unsurprising that it is under constant attack.
However, researchers at StepSecurity found something unique: the malware "weaponized developers' AI CLI tools (including Claude, Gemini and Q) to assist in reconnaissance and data exfiltration, marking the first known case where attackers have weaponized developers' AI tools for supply chain exploitation."
"This technique forces the AI tools to recursively scan the file system and write the sensitive files they discover to /tmp/inventory.txt, effectively using legitimate tools as accomplices in the attack."
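The two checks a practitioner would want after reading this are whether the indicator the researchers describe, /tmp/inventory.txt, exists on a machine, and which Nx packages a project actually pins so they can be compared against the advisory. The script below is an added example, not code from the article, from Nx or from any of the researchers quoted; it assumes Nx plugins live under the @nx/ and @nrwl/ npm scopes (a prefix choice made here, not stated in the article), embeds a constructed package-lock.json whose versions are arbitrary, and deliberately does not decide which versions are malicious, since the article does not list them.

```python
#!/usr/bin/env python3
"""Added triage helper (not from the article or the Nx project).

Check 1: does /tmp/inventory.txt exist? The malware had AI CLI tools write
         the sensitive files they found into that path, so its presence on a
         developer machine or CI runner is a direct indicator of compromise.
Check 2: which Nx packages, at which versions, does a project's
         package-lock.json pin? The output is meant to be compared by hand
         against the version list in the Nx advisory; nothing here decides
         whether a version is malicious.

Assumptions: Nx plugins are published under the @nx/ and @nrwl/ scopes
(prefixes chosen here, not stated in the article); the sample lockfile
below is constructed for the demo and its versions are arbitrary.
"""
import json
from pathlib import Path

INVENTORY_PATH = Path("/tmp/inventory.txt")  # IOC named in the analysis quoted above
NX_SCOPES = ("@nx/", "@nrwl/")                 # assumption: plugin scopes to flag


def parse_inventory_text(text):
    """Return the non-empty lines of an inventory file as a list of paths."""
    return [line.strip() for line in text.splitlines() if line.strip()]


def inventory_hits(path=INVENTORY_PATH):
    """Check 1: list the paths recorded in the inventory file, or [] if absent."""
    path = Path(path)
    if not path.is_file():
        return []
    return parse_inventory_text(path.read_text(errors="replace"))


def is_nx_package(name):
    """True for the core 'nx' package and anything under the assumed plugin scopes."""
    return name == "nx" or name.startswith(NX_SCOPES)


def nx_packages_from_lockfile(lock_text):
    """Check 2: map Nx package name -> resolved version from package-lock.json.

    Handles lockfileVersion 2/3 (flat 'packages' map keyed by install path,
    so nested copies like node_modules/a/node_modules/@nx/js are found too)
    and lockfileVersion 1 (nested 'dependencies' tree).
    """
    lock = json.loads(lock_text)
    found = {}
    for install_path, entry in lock.get("packages", {}).items():
        if not install_path:  # "" is the root project itself
            continue
        name = install_path.split("node_modules/")[-1]
        if is_nx_package(name) and "version" in entry:
            found[name] = entry["version"]

    def walk(deps):
        for name, entry in deps.items():
            if is_nx_package(name) and "version" in entry:
                found[name] = entry["version"]
            walk(entry.get("dependencies", {}))

    walk(lock.get("dependencies", {}))
    return found


# Constructed sample lockfile (versions are arbitrary, not the poisoned ones).
SAMPLE_LOCK = json.dumps({
    "name": "demo-workspace",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-workspace"},
        "node_modules/nx": {"version": "0.0.1"},
        "node_modules/@nx/devkit": {"version": "0.0.1"},
        "node_modules/left-pad": {"version": "1.3.0"},
        "node_modules/left-pad/node_modules/@nx/js": {"version": "0.0.2"},
        "node_modules/nxt-like": {"version": "9.9.9"},  # must not match 'nx'
    },
})


def triage(lock_text=SAMPLE_LOCK, inventory_path=INVENTORY_PATH):
    """Run both checks and return a summary dict (printed when run directly)."""
    return {
        "inventory_present": Path(inventory_path).is_file(),
        "inventory_entries": inventory_hits(inventory_path),
        "nx_packages": nx_packages_from_lockfile(lock_text),
    }


if __name__ == "__main__":
    import sys
    text = Path(sys.argv[1]).read_text() if len(sys.argv) > 1 else SAMPLE_LOCK
    result = triage(text)
    print("/tmp/inventory.txt present:", result["inventory_present"])
    for p in result["inventory_entries"]:
        print("  listed:", p)
    print("Nx packages to compare against the advisory:")
    for name, version in sorted(result["nx_packages"].items()):
        print(f"  {name}@{version}")
```

Run it with a real lockfile as the first argument (`python3 triage.py path/to/package-lock.json`); without one it uses the constructed sample. An inventory file that exists, or an Nx version that matches the advisory, means the machine's GitHub and npm tokens, SSH keys and cloud credentials should be treated as exposed and rotated.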