Nx Packages Compromised – Millions of Weekly Downloads Spread Credential-Stealing Malware

On August 26, 2025, the widely used build tool Nx was weaponized in a sophisticated supply chain attack that exfiltrated thousands of developer credentials.

Security researchers at GitGuardian uncovered the malicious campaign, dubbed “s1ngularity,” which infected popular Nx packages on npm with credential-harvesting malware.

Within days, the attackers amassed over 2,300 distinct secrets—including GitHub tokens, npm authentication keys, AWS credentials, and OpenAI API keys—raising urgent concerns about the resilience of modern development workflows.

Credential Scanning and Exfiltration

Once installed, the compromised Nx packages systematically scanned infected systems for secrets stored in environment variables, local configuration files, SSH private key locations, and cryptocurrency wallet files.

The stolen data was double-base64 encoded and pushed to public GitHub repositories named under the “s1ngularity-repository” pattern.

Although GitHub rapidly removed many of these repositories, GitGuardian’s public monitoring captured 1,346 unique repos before deletion, highlighting the attackers’ window of opportunity and the ephemeral nature of these exfiltration points.

Novel Use of LLM Tool Clients

A striking aspect of the campaign was its targeting of Large Language Model (LLM) clients—such as Claude, Gemini, and Q—by probing their configuration files and authentication tokens.

The attackers recognized that LLM tools often hold privileged access to development environments.

Of the 366 LLM-equipped systems compromised, approximately one-third contained at least one such tool, validating the attackers’ strategic focus.

Interestingly, only 95 of those clients complied with the malicious request to write a “/tmp/inventory.txt” file, suggesting that some AI tools inadvertently resisted credential-stealing operations.
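As an added triage example (not the article's own text and not GitGuardian's S1ngularity Scanner), the Python below reverses the double-base64 layering described earlier over a constructed repository listing, flags repositories matching the "s1ngularity-repository" naming pattern, and checks for the "/tmp/inventory.txt" artifact; the listing fields and the secret-format regexes are assumptions, and the token values are placeholders.

```python
import base64
import binascii
import re
from pathlib import Path

# Constructed sample of a repository listing (name + first file body), not real data.
SAMPLE_REPOS = [
    {"name": "my-app", "content": "just a project"},
    {"name": "s1ngularity-repository-0", "content": base64.b64encode(base64.b64encode(
        b"GITHUB_TOKEN=ghp_PLACEHOLDER0000000000\nAWS_ACCESS_KEY_ID=AKIAPLACEHOLDER00000\n"
    )).decode()},
    {"name": "s1ngularity-repository-1", "content": "not base64 at all!!"},
]

EXFIL_NAME = re.compile(r"^s1ngularity-repository")
# Assumed prefixes for the credential families the article names; tune to your own inventory.
SECRET_PATTERNS = {
    "github_token": re.compile(r"\bgh[pousr]_[A-Za-z0-9]{10,}"),
    "aws_access_key": re.compile(r"\bAKIA[0-9A-Z]{12,}"),
    "npm_token": re.compile(r"\bnpm_[A-Za-z0-9]{10,}"),
    "openai_key": re.compile(r"\bsk-[A-Za-z0-9_-]{10,}"),
}

def decode_double_base64(blob: str):
    """Undo the two base64 layers; return None when the blob is not valid base64."""
    try:
        inner = base64.b64decode(blob, validate=True)
        return base64.b64decode(inner, validate=True).decode("utf-8", "replace")
    except (binascii.Error, ValueError):
        return None

def triage_exfil_repos(repos):
    """Map each repo matching the exfil naming pattern to the secret types found in it."""
    findings = {}
    for repo in repos:
        if not EXFIL_NAME.match(repo["name"]):
            continue
        text = decode_double_base64(repo.get("content", ""))
        kinds = [] if text is None else sorted(k for k, rx in SECRET_PATTERNS.items() if rx.search(text))
        findings[repo["name"]] = kinds
    return findings

def local_indicator_present(inventory_path="/tmp/inventory.txt") -> bool:
    """True when the inventory file the malware asked LLM clients to write is present."""
    return Path(inventory_path).exists()
```

Any repository in the result is a signal to rotate every credential type listed for it, not merely to delete the repository.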

macOS Developer Ecosystem Impact

An analysis of infected hosts revealed that 85% were running macOS, underscoring the campaign’s disproportionate effect on the Apple-based developer community.

This distribution may reflect Nx’s popularity among macOS users or deliberate targeting of environments where sophisticated build tools and AI integrations are prevalent.

Severity and Response

Of the 2,349 secrets discovered, roughly half remained valid at the time of GitGuardian’s analysis. GitHub OAuth App Keys were the most prevalent, linked to official Nx–GitHub integrations.

The persistence of valid tokens exposes organizations to immediate risk, as attackers or opportunistic third parties could leverage these credentials to infiltrate corporate infrastructure, modify codebases, or access private repositories.

GitGuardian has released an open-source S1ngularity Scanner to detect residual compromises in local environments, and added the hashed exfiltrated credentials to its HasMySecretLeaked database.

Developers can verify whether their secrets were exposed without revealing actual values, enabling targeted rotation of compromised keys.

Sample usage:

```bash
pip install ggshield
ggshield hmsl check --type env <(env)
```

Lessons and Outlook

The Nx “s1ngularity” breach starkly illustrates the evolving complexity of supply chain threats. Deleting exposed files or commits is insufficient; developers must immediately revoke and rotate all impacted credentials.

Organizations should adopt comprehensive secrets inventories, automate rotation workflows, and integrate proactive scanning at every stage of the SDLC.

As dependency-based attacks grow more advanced—including the use of AI tool vectors—the ability to detect, remediate, and preemptively guard against credential exfiltration is essential for securing modern software delivery.


The post Nx Packages Compromised – Millions of Weekly Downloads Spread Credential-Stealing Malware appeared first on Cyber Security News.
