
NX Build Tool Hacked with Malware That Checks for Claude or Gemini to Find Wallets and Secrets

Over 1,400 developers discovered today that a malicious post-install script in the popular NX build tool had silently created a repository named s1ngularity-repository in their GitHub accounts.

The repository contains a base64-encoded dump of sensitive data harvested directly from the developer's file system: cryptocurrency wallet files, API keys, .npmrc credentials, environment variables, and more.

Key Takeaways
1. Malware in the NX build tool steals credentials and publishes them in GitHub repositories it creates in the victim's own account.
2. Abuses the Claude Code and Gemini CLIs to locate wallet files and secrets for exfiltration.
3. Delete the suspicious repos, move NX to a clean version, and rotate every exposed secret urgently.

AI-Assisted Data Exfiltration

Semgrep reports that the attackers used the NX post-install hook, wired to a file named telemetry.js, to execute malicious code immediately after the package was installed.

The malware first collects environment variables and attempts to obtain a GitHub authentication token through the GitHub CLI. Armed with that token, it creates a public repository (for example s1ngularity-repository-0) in the victim's account and commits the stolen data to a file named results.b64.

What makes this campaign novel is its use of the Claude Code CLI or Gemini CLI. If either AI-powered CLI is present, the malware invokes it with a crafted prompt that directs the model to enumerate the filesystem for wallet files, keys and other secrets worth stealing.

Offloading the bulk of the filesystem enumeration to the LLM means the payload itself carries no list of target paths or file patterns for signature-based detection to match, which complicates traditional malware detection. The trade-off for the attacker is that the CLI invocation is itself an artifact: an AI coding assistant being spawned as a child of an npm install, with a prompt asking for wallet and key files, is a strong signal for endpoint telemetry.

Affected NX Versions and Mitigations

  • @nx/devkit 21.5.0, 20.9.0
  • @nx/enterprise-cloud 3.2.0
  • @nx/eslint 21.5.0
  • @nx/key 3.2.0
  • @nx/node 21.5.0, 20.9.0
  • @nx/workspace 21.5.0, 20.9.0
  • nx (the core package) 20.9.0–20.12.0, 21.5.0–21.8.0

Developers using any impacted versions should immediately run:

or inspect lockfiles for vulnerable dependencies. 

  • Search your GitHub account, and any organizations it can write to, for repositories you did not create.
  • Delete any s1ngularity-repository* you find, but note its contents first: the decoded dump tells you exactly which secrets were taken and must be rotated.
  • Move NX to a known-clean version such as 21.4.1; the malicious versions have been removed from npm, but a lockfile can still pin them.
  • Rotate all exposed secrets: GitHub tokens, npm credentials, SSH keys, and anything that was in environment variables or the harvested files.
  • Remove the malicious shutdown directive appended to shell startup files (e.g., .bashrc).

As the incident unfolds, organizations are urged to monitor repository creation in their GitHub audit logs and to audit the install-time scripts that packages are allowed to run.


The post NX Build Tool Hacked with Malware That Checks for Claude or Gemini to Find Wallets and Secrets appeared first on Cyber Security News.
