Nx compromised: malware uses the Claude Code CLI to explore the filesystem
14 days ago
- #github
- #security
- #malware
- At least 1.4k GitHub users have had a public repository named 's1ngularity-repository' created in their account by the post-install script of a compromised release of the nx build tool (npm package).
- The malware collects sensitive data from the developer machine (cryptocurrency wallet files, API keys, npm and GitHub tokens, SSH keys, .env files, environment variables) and uploads it base64-encoded as a results.b64 file in that repository, which is why the stolen data is publicly visible.
- If the Claude Code CLI or Gemini CLI is installed, it hands the filesystem search to the agent through a prompt (run with the permission checks disabled) instead of shipping that logic as easily fingerprinted JavaScript, which makes static detection harder.
- Affected nx versions: 20.9.0 through 20.12.0 and 21.5.0 through 21.8.0; all have been removed from npm, but they remain in any lockfile or node_modules that picked them up during the window.
- Affected users should check their GitHub account for the repository (keep a copy for investigation before deleting it), pin nx to a clean release (e.g., 21.4.1), remove the `sudo shutdown -h 0` line the malware appends to ~/.zshrc and ~/.bashrc, and rotate every credential that was on the machine (GitHub and npm tokens, SSH keys, API keys, wallet keys), not only those visible in results.b64.
- The malicious packages add a postinstall hook (legitimate nx releases have none) that runs telemetry.js; it dumps environment variables and credential files, then uses the victim's already-authenticated GitHub CLI (gh) to create the public repository and push the results.
- The novel element is using locally installed AI coding agents (Claude Code, Gemini CLI) as the reconnaissance engine: a detailed prompt asks them to enumerate wallet, key and secret files across the filesystem and write the paths to a list, so the search logic never appears in the package code.
- Timeline: the malicious versions were published on 2025-08-26; after the first reports npm pulled them and the nx org owners revoked the compromised publishing credentials.
- The official GitHub security advisory in the nx repository carries the full list of affected packages and the remediation steps for affected users.