# AI-Powered Supply Chain Attack: Unraveling the Impact of the S1ngularity Malware on Nx and the Developer Ecosystem

One of the most complex supply chain attacks to date has caused significant damage to the software development community, with over **2,180 GitHub accounts** compromised and **7,200 repositories** leaking data in an attack named **"s1ngularity"**.

## Attack Overview

The attack targeted **Nx**, an open-source build system and monorepo management tool widely used in enterprise-scale JavaScript/TypeScript ecosystems. With over **5.5 million weekly downloads** on NPM, Nx became an attractive target for hackers.

On **August 26, 2025**, the attacker exploited a vulnerability in the GitHub Actions workflow of the Nx repository to release a malicious version of the package on NPM. This version contained a post-install malware script named **'telemetry.js'**.

## Đặc Điểm Độc Đáo: Sử Dụng AI Để Đánh Cắp Dữ Liệu

Điều làm cho cuộc tấn công này nổi bật là malware đã sử dụng **các công cụ trí tuệ nhân tạo** để tìm kiếm và thu thập thông tin nhạy cảm. Script telemetry.js nhắm vào các hệ thống Linux và macOS, cố gắng đánh cắp:

![](https://lh7-rt.googleusercontent.com/docsz/AD_4nXdEfie5BUSXyvPSxaObpuIiLc-cct7WGjEeL1bnVB-iv2vZB7MHPNB9NAT9uRov93P6M2Pw8pv6dbxwgndHosghP5FOfM6p6xYxlAHc70XHLxFNN7EcWMl-jezkOTE2bcz4KajFaA?key=aoaxtfcc8oS0kXOIP07WlQ align="left")

* GitHub tokens
    
* NPM tokens
    
* SSH keys
    
* File .env
    
* Ví tiền điện tử
    
* Khóa API
    

Malware sử dụng các công cụ command-line của các nền tảng AI như **Claude, Q và Gemini** để tìm kiếm và thu thập thông tin nhạy cảm thông qua các **LLM prompts**.

## Developing and Refining Prompts

Wiz Research discovered that the malware went through **at least three different payload versions** with continuously refined prompts:

**Version 1** (Nx versions 20.9.0, 20.11.0, 21.5.0):  
The prompt focused on searching for files related to cryptocurrency wallets with specific instructions on paths and file patterns.

**Version 2** (Nx versions 21.6.0, 21.7.0):  
The prompt introduced **role-prompting** with the phrase "authorized penetration testing agent," but this led to **LLMs refusing to perform the task**.

**Version 3** (Nx versions 20.12.0, 21.8.0):  
The prompt was adjusted with the role of "file-search agent," avoiding controversial terms and increasing specificity.

## Effectiveness of AI in Attacks

In-depth analysis from Wiz shows that **AI only succeeded in collecting data in less than 25% of cases**. Limiting factors include:

* **Only 50% of victims had at least one AI CLI** installed
    
* **Nearly 25% of Claude interactions were denied** due to protective measures
    
* **Frequent configuration issues**: credit issues, credential problems, permissions requirements
    
* **25% of Gemini interactions were restricted** by workspace directory limitations
    

## Technical Details: Attack Methodology

## GitHub Actions Vulnerability

The attack exploited three critical conditions:

1. **Workflow validation with injection vulnerability**: The workflow using `pull_request_target` runs with the target branch's permissions and can access repository secrets
    
2. **Workflow permissions set to read/write**: The repository still uses GitHub's old default settings
    
3. **Manual workflow dispatch enabled**: Allows triggering the workflow through the GitHub API
    

## Attack Sequence

1. **Initial Exploitation**: Create a PR with a malicious title containing shell commands
    
2. **Token Hijacking**: Malicious script runs with elevated privileges, extracting the GitHub token using `webhook.site`
    
3. **NPM Token Theft**: When the publish workflow runs the malicious script, it gains access to `NPM_TOKEN`
    
4. **Release Malicious Package**: Use the stolen token to release compromised Nx packages
    

## Three Detailed Attack Stages

![](https://www.datocms-assets.com/75231/1756904579-s1ngularity-aftermath-2.png?fm=webp align="left")

## Stage 1: Direct Attack (August 26-27)

* **Over 1,700 users** had secrets publicly leaked
    
* **More than 2,000 secrets were verified** from research by multiple organizations
    
* **Over 20,000 files** were leaked in the research sample
    
* **85% of infected systems were running macOS**
    

**Notably**: Nearly **90% of GitHub tokens remained valid** 24 hours after GitHub removed the repositories containing secrets. This rate only decreased slowly, with **80% of tokens still valid** by the evening of August 29. GitHub conducted mass revocations, but **about 5% of leaked tokens were still valid**.

## Stage 2: Token Exploitation (August 28-29)

* **At least 480 accounts were compromised** (2/3 were organizations)
    
* **More than 6,700 private repositories** were made public with the naming scheme `s1ngularity-repository-#5letters#`
    
* A single organization had **over 700 repositories leaked**
    
* Wiz identified **thousands of valid credentials** in previously private repositories
    

## Stage 3: Targeted Attack (from August 31)

* Started on the evening of **August 31**
    
* Targeted **a single victim organization**
    
* **500 repositories** were released with the suffix `_bak` and the description `S1ngularity`
    

## Attacker's Tactics

## Optimizing Operational Security

Wiz Research analyzed that the attacker **optimized for their operational security**:

* Used `webhook.site` for initial exfiltration (limited to 100 records for anonymous users)
    
* Switched to creating GitHub repositories on victim accounts to avoid needing to set up infrastructure
    
* **Used TOR** when accessing victim accounts in Stage 2
    
* Used a **single-threaded Python script** with User Agents: `python-requests/2.32.3` and `python-requests/2.32.4`
    

## Response and Mitigation Measures

## Immediate Response

* NPM removed all malicious packages after **4 hours**
    
* GitHub made all leaked repositories private after **9 hours**
    
* Revoked and rotated all NPM tokens
    

## Nx's Long-Term Security Measures

Nx has implemented comprehensive security measures:

* **Switched to NPM's Trusted Publisher model** using OIDC authentication instead of tokens
    
* **Manual 2FA authentication** for all package publishing
    
* **Disabled pipeline runs** for all external contributors
    
* **Added provenance checks** in Nx and Nx Console
    
* Created `SECURITY.md` for responsible disclosure
    

## Wiz's Response

Wiz conducted **white glove reporting for over 50 major affected organizations**. Most of these organizations reported this was the **first notification** they received about the attack affecting them.

## User Support Tools

## S1ngularity Scanner

GitGuardian has released **S1ngularity Scanner**, a free open-source tool to scan local environments for potentially compromised files.

## HasMySecretLeaked

GitGuardian offers the **HasMySecretLeaked** service at hasmysecretleaked.com, allowing you to check if specific credentials have been leaked in the attack without revealing the actual value of the secret.

## Investigation Guide and New TTPs

## Investigating GitHub Audit Logs

**Stage 1**: Search for the string `s1ngularity` in the `repo` field of the `repo.create` event.

**Stage 2**: Check:

* The string `s1ngularity` in the `repo` field of the `repo.access` event
    
* A user cloning multiple repositories in a short period
    
* The `org_credential_authorization.deauthorize` event by the "github-staff" actor\_id (related to GitHub's mass revocation of compromised credentials)
    

## Long-Term Impact and Ongoing Risks

## Credentials Still Valid

* **Over 40% of leaked NPM tokens** from stage 1 are still valid, **nearly 100 unique tokens**
    
* **5% of leaked GitHub tokens** have not yet been revoked
    
* **More than 1,100 credentials are still valid** at the time of GitGuardian's analysis
    

## Most Leaked Types of Secrets

From GitGuardian's analysis:

* **2,349 distinct secrets** from 1,079 compromised repositories
    
* Common types: GitHub, NPM, AWS, OpenAI, Anthropic, Azure, Vercel
    
* Notably: **AI only collected fewer than 100 valid secrets** from 20,000 exfiltrated files
    

## Evolving Attack Patterns

Wiz highlights a **clear trend in the threat landscape**: from Ultralytics, to `tj-actions`, and now Nx - **the attacker has realized the potential to escalate small GitHub Actions misconfigurations into large and complex supply chain attacks**.

## Protection Guide

If you are using affected Nx versions (20.9.0-21.8.0), take action immediately:

1. **Check the system**: Review the package.json and package-lock.json files
    
2. **Clear cache**: Run `npm cache clean --force`
    
3. **Check shell files**: Look for the command `sudo shutdown -h 0` in ~/.bashrc, ~/.zshrc
    
4. **Rotate credentials**: Change all GitHub tokens, NPM tokens, SSH keys, API keys
    
5. **Check GitHub**: Look for unusual "s1ngularity-repository" repositories
    
6. **Use scanning tools**: Run S1ngularity Scanner and check HasMySecretLeaked
    

## Conclusion

The "s1ngularity" attack marks **a concerning milestone** in weaponizing AI for malicious purposes. Although AI succeeded in only a small number of cases, the **overall scale of damage is unprecedented**, with thousands of accounts affected and tens of thousands of repositories exposed.

This attack highlights that **simply deleting exposed data is not enough** - businesses must be able to inventory secret data across all systems, automate processes at scale, and maintain comprehensive visibility of where credentials are used.

## References

1. [s1ngularity's Aftermath: AI, TTPs, and Impact in the Nx Supply Chain Attack](https://www.wiz.io/blog/s1ngularitys-aftermath)
    
2. [S1ngularity - What Happened, How We Responded, What We Learned](https://nx.dev/blog/s1ngularity-postmortem)
    
3. [The Nx "s1ngularity" Attack: Inside the Credential Leak](https://blog.gitguardian.com/the-nx-s1ngularity-attack-inside-the-credential-leak/)
    
4. [s1ngularity Supply Chain Attack: What It Means for Cloud and AI Security](https://orca.security/resources/blog/s1ngularity-supply-chain-attack/)
