Nx, Supply Chain Compromise, CVE-2025-XXXXX (Critical)


The CVE describes a software supply chain attack where a malicious actor gained publishing rights to the Nx build system package on the npm registry. The tampered versions contained obfuscated JavaScript code designed to exfiltrate sensitive user data. Upon installation or execution, the malicious payload would activate, scanning the local filesystem for specific files and directories containing credentials, such as SSH keys and cloud provider access tokens. The collected data was then transmitted via HTTPS POST requests to a command-and-control server controlled by the attacker, which was configured to automatically create a GitHub repository under the compromised user’s account to store the stolen information. This method allowed the attacker to hide the exfiltrated data within a legitimate-looking service.
Platform: Nx (npm package)
Version: Malicious versions
Vulnerability: Supply Chain Compromise
Severity: Critical

Date: 2025-09-24

Prediction: Patch not applicable (malicious package removal)

What Undercode Says:

npm audit
npm ls nx
grep -r "github" ~/.ssh/
find . -name "*.pem" -o -name "gcp.json"
// Example code snippet: wrap https.request so outgoing POST requests to unexpected hosts are logged
const https = require('https');
const originalRequest = https.request;
https.request = function (options, ...rest) {
  const host = typeof options === 'string' ? new URL(options).hostname : (options.hostname || options.host);
  const method = typeof options === 'object' && options.method ? options.method.toUpperCase() : 'GET';
  if (method === 'POST') console.warn(`Outgoing HTTPS POST to ${host}`);
  return originalRequest.call(this, options, ...rest);
};
// Only covers the current Node process; network-level egress monitoring is the stronger control.

How the Exploit Works:

Attackers publish a trojanized package to the official npm registry. The package executes a payload that searches for and exfiltrates credentials to an attacker-controlled server.

Protection from this CVE:

Verify package integrity. Use `npm ci` with lockfiles. Implement software bill of materials (SBOM). Enforce package allow lists.
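As an added example (not code from the original post or from the Nx project), the allow-list and lockfile mitigations above can be enforced with a small check over package-lock.json: every installed package must be allow-listed at an approved version, must resolve from the expected registry, and is flagged if it declares an install script, since that is the hook a trojanized release relies on to run at install time. The package names, versions and lockfile fragment are constructed for illustration and are not the actual affected releases.

```javascript
// Audit a package-lock.json (lockfileVersion 2/3) against an allow list.
// Constructed example; names and versions are not real affected releases.
const REGISTRY = 'https://registry.npmjs.org/';

function auditLockfile(lockfile, allowList) {
  const findings = [];
  for (const [path, meta] of Object.entries(lockfile.packages || {})) {
    if (path === '') continue; // the root project entry, not a dependency
    // Works for nested and scoped entries, e.g. node_modules/a/node_modules/@s/b
    const name = path.slice(path.lastIndexOf('node_modules/') + 'node_modules/'.length);
    const allowedVersions = allowList[name];
    if (!allowedVersions) {
      findings.push({ name, version: meta.version, reason: 'not on allow list' });
    } else if (!allowedVersions.includes(meta.version)) {
      findings.push({ name, version: meta.version, reason: 'version not allow-listed' });
    }
    if (meta.resolved && !meta.resolved.startsWith(REGISTRY)) {
      findings.push({ name, version: meta.version, reason: `resolved outside registry: ${meta.resolved}` });
    }
    if (meta.hasInstallScript) {
      // npm records this flag when a package has preinstall/install/postinstall scripts
      findings.push({ name, version: meta.version, reason: 'declares install script' });
    }
  }
  return findings;
}

// Constructed lockfile fragment (versions are placeholders, not real releases).
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', version: '1.0.0' },
    'node_modules/nx': { version: '9.9.9', resolved: 'https://registry.npmjs.org/nx/-/nx-9.9.9.tgz', hasInstallScript: true },
    'node_modules/tslib': { version: '2.6.2', resolved: 'https://registry.npmjs.org/tslib/-/tslib-2.6.2.tgz' },
    'node_modules/left-pad': { version: '1.3.0', resolved: 'https://example.invalid/left-pad-1.3.0.tgz' },
  },
};
// Approved packages and versions, e.g. maintained by the security team.
const ALLOW_LIST = { nx: ['9.9.8'], tslib: ['2.6.2'] };

for (const f of auditLockfile(SAMPLE_LOCK, ALLOW_LIST)) {
  console.log(`${f.name}@${f.version}: ${f.reason}`);
}
```

In CI this would read the real package-lock.json with fs.readFileSync and fail the build when findings is non-empty, so that an unexpected version, an off-registry tarball or a newly added install script blocks the merge.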

Impact:

Credential theft leading to unauthorized access to version control systems, cloud infrastructure, and other services. Full compromise of development environments.


Sources:

Reported By: github.com