Hackers backdoored the open-source build platform Nx, which is used by over 70% of the Fortune 500, and downloaded 16 million times a month. 

In an aggressive supply chain attack, they published malicious versions of the Nx package and plugins to the world’s largest software registry, npm.

The malicious versions were live for five hours and downloaded hundreds of times by multiple organisations’ developers, before being taken down.

The first malicious package was published at 22:32 UTC on August 26. Further packages were uploaded in the early hours of today (August 27).

Once downloaded, the malware “systematically scanned infected systems for valuable credentials” and exfiltrated them to thousands of public GitHub repositories with a distinctive “s1ngularity-repository” naming pattern.

Nx said the initial threat vector was likely “an npm token [that] was compromised which had publish rights to the affected packages.”
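Two checks a defender would want after reading the above, written here as an added example rather than anything published by Nx or The Stack: flag GitHub repositories whose names carry the reported "s1ngularity-repository" pattern (the list shape assumes the JSON fields `name`, `isPrivate` and `createdAt` as emitted by `gh repo list --json`), and list every `nx` / `@nx/*` package pinned in a `package-lock.json` so the versions can be compared against the affected versions in the advisory. The repository list and lockfile below are constructed sample data.

```python
import json
import re

# Naming pattern the article reports for the exfiltration repos.
S1NGULARITY_RE = re.compile(r"s1ngularity-repository", re.IGNORECASE)


def find_exfil_repos(repos):
    """Return the names of repositories matching the reported pattern.

    `repos` is a list of dicts shaped like the (assumed) output of
    `gh repo list <owner> --json name,isPrivate,createdAt`.
    """
    return [r["name"] for r in repos if S1NGULARITY_RE.search(r.get("name", ""))]


def nx_packages_in_lockfile(lockfile_text):
    """Parse a lockfileVersion 2/3 package-lock.json and return {name: version}
    for `nx` and every `@nx/*` package, including nested copies, so the
    versions can be checked against the advisory's affected list."""
    lock = json.loads(lockfile_text)
    found = {}
    for path, meta in lock.get("packages", {}).items():
        if not path:  # "" is the root project entry, not a dependency
            continue
        # Nested installs look like node_modules/foo/node_modules/nx;
        # the package name is whatever follows the last "node_modules/".
        name = path.rsplit("node_modules/", 1)[-1]
        if name == "nx" or name.startswith("@nx/"):
            found[name] = meta.get("version")
    return found


# Constructed sample data (not real accounts or a real project).
SAMPLE_REPOS = [
    {"name": "frontend-monorepo", "isPrivate": True, "createdAt": "2024-03-01T10:00:00Z"},
    {"name": "s1ngularity-repository-a1b2c3", "isPrivate": False, "createdAt": "2025-08-27T01:12:00Z"},
    {"name": "infra-scripts", "isPrivate": True, "createdAt": "2023-11-20T08:30:00Z"},
]

SAMPLE_LOCKFILE = json.dumps({
    "name": "sample-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "sample-app", "dependencies": {"nx": "^0.0.0-placeholder"}},
        "node_modules/nx": {"version": "0.0.0-placeholder"},
        "node_modules/@nx/devkit": {"version": "0.0.0-placeholder"},
        "node_modules/left-pad": {"version": "1.3.0"},
        "node_modules/some-tool/node_modules/nx": {"version": "0.0.0-placeholder-nested"},
    },
})

if __name__ == "__main__":
    print("Suspicious repos:", find_exfil_repos(SAMPLE_REPOS))
    print("nx packages pinned:", nx_packages_in_lockfile(SAMPLE_LOCKFILE))
```

The placeholder versions above are deliberately not real Nx release numbers; substitute the affected versions from the advisory when running this against a real lockfile. Rotating any npm, GitHub and cloud credentials that were present on a machine that installed an affected version is the remediation the article's description implies, independent of what these checks report.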

The way in which the incident played out – Nx unwittingly merged malicious pull requests (PRs), among other security failures – has infuriated many. Nx has since mapped out the supply chain incident in detail in its own write-up.
