Nx npm Malware Explained: AI Agent Hijacking
Nx npm malware (Aug 2025): attackers published malicious Nx packages whose postinstall script weaponized locally installed AI coding agents (Claude Code, Gemini CLI, Amazon Q) to inventory sensitive files and exfiltrate the collected data to public GitHub repos named “s1ngularity-repository-*.” We break down what happened, the affected versions, and how to check and respond (rotate credentials, hunt IoCs, and more).
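The two checks that follow from the summary above, as an added example (not Snyk's or the Nx project's code): a scanner that walks a `node_modules` tree for packages carrying a `postinstall` hook, so the script can be reviewed before it runs again, and a matcher for the “s1ngularity-repository-*” repo-name IoC against a list of repository names pulled from your GitHub account. The fixture tree, the demo package names and versions, and the repo-name list are all constructed for the demo; the affected Nx versions are in the linked Snyk blog and GitHub issue, not hardcoded here.

```python
import json
import re
import tempfile
from pathlib import Path
from typing import Iterable

# Repo-name indicator from the incident write-up: exfiltration repos were created on the
# victim's own GitHub account with names of the form "s1ngularity-repository-*".
# Matched case-insensitively because GitHub repo names are case-insensitive.
EXFIL_REPO_RE = re.compile(r"^s1ngularity-repository(-.*)?$", re.IGNORECASE)


def find_exfil_repos(repo_names: Iterable[str]) -> list[str]:
    """Return the repo names matching the s1ngularity-repository-* indicator, sorted."""
    return sorted(n for n in repo_names if EXFIL_REPO_RE.match(n.strip()))


def packages_with_postinstall(node_modules: Path, name_prefix: str = "") -> list[tuple[str, str, str]]:
    """Walk node_modules (including nested node_modules) and return
    (package name, version, postinstall command) for every package that declares a
    postinstall hook. name_prefix narrows the result, e.g. "@nx/" for the Nx plugin scope."""
    hits: list[tuple[str, str, str]] = []
    for pkg_json in node_modules.rglob("package.json"):
        try:
            data = json.loads(pkg_json.read_text(encoding="utf-8"))
        except (ValueError, OSError):
            continue  # unreadable or non-JSON file: not a package manifest we can judge
        name = data.get("name")
        if not isinstance(name, str) or not name.startswith(name_prefix):
            continue
        scripts = data.get("scripts") or {}
        hook = scripts.get("postinstall") if isinstance(scripts, dict) else None
        if hook:
            hits.append((name, str(data.get("version", "")), str(hook)))
    return sorted(hits)


def build_demo_tree(root: Path) -> Path:
    """Write a CONSTRUCTED node_modules tree for the demo. The package names, versions and
    hook commands are placeholders and say nothing about any real Nx release."""
    fixtures = {
        "nx": {"name": "nx", "version": "0.0.0-demo",
               "scripts": {"postinstall": "node ./demo-postinstall.js"}},
        "@nx/demo-plugin": {"name": "@nx/demo-plugin", "version": "0.0.0-demo",
                            "scripts": {"postinstall": "node ./demo-hook.js"}},
        "harmless-demo": {"name": "harmless-demo", "version": "1.0.0",
                          "scripts": {"test": "echo ok"}},
    }
    for folder, manifest in fixtures.items():
        pkg_dir = root / "node_modules" / folder
        pkg_dir.mkdir(parents=True, exist_ok=True)
        (pkg_dir / "package.json").write_text(json.dumps(manifest), encoding="utf-8")
    return root / "node_modules"


def run_demo() -> dict:
    """Run both checks against constructed input and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        node_modules = build_demo_tree(Path(tmp))
        all_hooks = packages_with_postinstall(node_modules)
        nx_scope_hooks = packages_with_postinstall(node_modules, name_prefix="@nx/")
    # Constructed list standing in for the output of `gh repo list --json name`.
    repo_names = ["my-app", "s1ngularity-repository-abc123", "S1ngularity-Repository-0", "dotfiles"]
    return {
        "postinstall": all_hooks,
        "postinstall_nx_scope": nx_scope_hooks,
        "exfil_repos": find_exfil_repos(repo_names),
    }


if __name__ == "__main__":
    findings = run_demo()
    for name, version, hook in findings["postinstall"]:
        print(f"postinstall hook: {name}@{version}: {hook}")
    for repo in findings["exfil_repos"]:
        print(f"exfil repo indicator matched: {repo}")
```

Against a real checkout, point `packages_with_postinstall` at the project's `node_modules` and feed `find_exfil_repos` the names from your GitHub account or organization; a match on either check is a trigger for the credential rotation described in the video, not just a cleanup of the repo.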
Use Snyk for free to find and fix security issues in your applications today! https://snyk.co/ugLYn
✍️ Resources ✍️
- Snyk Nx Incident Blog: https://snyk.co/nx-security-incident
- Nx GitHub Issue: https://github.com/nrwl/nx/issues/32522
- Nx VS Code extension: https://marketplace.visualstudio.com/items
⏲️ Chapters ⏲️
0:00 - Intro
0:32 - What happened?
1:04 - The significance of the attack
1:44 - How the attack worked
2:38 - The destructive element
2:52 - Impacted Nx npm packages and versions
3:29 - The unexpected impact
3:44 - What to do in response
5:03 - Indicators of compromise
5:30 - Recap and future updates
6:03 - Closing
⚒️ About Snyk ⚒️
Snyk helps you find and fix vulnerabilities in your code, open-source dependencies, containers, infrastructure-as-code, software pipelines, IDEs, and more! Move fast, stay secure.
Learn more about Snyk: https://snyk.co/ugLYl
📱 Connect with Us 📱
🖥️ Website: https://snyk.co/ugLYl
🐦 X: http://twitter.com/snyksec
💼 LinkedIn: https://www.linkedin.com/company/snyk
💬 Discord: https://discord.gg/devsecops-community-918181751526948884
- Subscribe: https://www.youtube.com/c/SnykSec
- 🔥 We're hiring! Check our open roles: https://snyk.co/ugLYp
🔗 Hashtags 🔗
#nx #security #npm #supplychainsecurity #supplychain #malware #NxBuild #SupplyChainAttack #AIAgents #DevSecOps #JavaScript #TypeScript #OpenSourceSecurity #Snyk