Responding to the S1ngularity Attack
Understanding the s1ngularity Supply-Chain Attack | August 2025

This guide provides a step-by-step remediation process to identify exposure, remove malicious code, revoke credentials, and secure your environment.
On August 26–27, 2025, malicious versions of the Nx build tool were published to npm.
If you or your team installed one of these versions, your system may have leaked credentials (GitHub tokens, npm tokens, cloud keys, SSH keys, API keys, etc.) through automatically created public repositories named s1ngularity-repository-* in your GitHub account.
Check Installed Nx Versions
Run the following to confirm what version was installed:
```bash
npm ls nx
```
Or inspect package-lock.json / yarn.lock.
Known malicious versions:
20.9.0 → 20.12.0
21.5.0 → 21.8.0
Certain @nx/* plugins at 20.9.0 and 21.5.0
Check for Rogue GitHub Repositories
Review your GitHub security log for new repos named s1ngularity-repository-*.
➡️ Steps here
If any exist, they contained stolen secrets.
Inspect Local Files for Indicators
Look for /tmp/inventory.txt or /tmp/inventory.txt.bak — lists of sensitive file paths targeted by the malware.
Check your shell config for persistence:
```bash
grep -H "sudo shutdown -h 0" ~/.bashrc ~/.zshrc
```
If present, remove those lines.
2. Remove the Malicious Package and Code
Find Lockfiles Containing Bad Versions
```bash
ROOT="${ROOT:-$PWD}"  # directory tree to search
find "$ROOT" -type f \( -name 'package-lock.json' -o -name 'pnpm-lock.yaml' -o -name 'yarn.lock' \) \
  -exec grep -HnE 'nx@?(20\.9\.0|20\.10\.0|20\.11\.0|20\.12\.0|21\.5\.0|21\.6\.0|21\.7\.0|21\.8\.0)' {} +
```
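A single-line `nx@<version>` pattern matches pnpm keys and exact yarn pins, but package-lock.json and yarn.lock normally record the resolved version on a separate `version` line. The script below is an added example, not part of the original guide: it extracts the resolved nx version from each lockfile type and compares it with the malicious versions listed above. `nx_versions` and `scan_tree` are names chosen here, and the parsing assumes the default layout written by npm, yarn and pnpm.

```bash
#!/bin/sh
# Added example (not from the original guide): report lockfiles that resolve
# nx to one of the malicious versions listed on this page.
BAD_VERSIONS="20.9.0 20.10.0 20.11.0 20.12.0 21.5.0 21.6.0 21.7.0 21.8.0"

# nx_versions FILE: print each nx version the lockfile resolves to.
nx_versions() {
  case "${1##*/}" in
    package-lock.json)
      # "node_modules/nx": {  (v2/v3) or "nx": {  (v1); version is on a later line
      awk '/("|node_modules\/)nx": *[{]/ { hit = 1; next }
           hit && /"version":/ { split($0, q, "\""); print q[4]; hit = 0 }
           /^ *[}]/ { hit = 0 }' "$1" ;;
    yarn.lock)
      # nx@^21.0.0:  or  "nx@npm:^21.0.0":  followed by an indented version line
      awk '/^"?nx@/ { hit = 1; next }
           hit && /^ +version/ { gsub(/[":]/, "", $2); print $2; hit = 0 }' "$1" ;;
    pnpm-lock.yaml)
      # package keys: nx@21.5.0:  /nx@21.5.0:  /nx/21.5.0:
      grep -oE "^ +'?/?nx[@/][0-9]+\.[0-9]+\.[0-9]+" "$1" |
        grep -oE '[0-9]+\.[0-9]+\.[0-9]+$' ;;
  esac | sort -u
}

# scan_tree DIR: print "FILE nx@VERSION" per malicious pin; return 1 if none.
# node_modules is pruned so vendored lockfiles do not add noise.
scan_tree() {
  hits=$(find "${1:-.}" -name node_modules -prune -o -type f \
      \( -name package-lock.json -o -name yarn.lock -o -name pnpm-lock.yaml \) -print |
    while IFS= read -r f; do
      for v in $(nx_versions "$f"); do
        case " $BAD_VERSIONS " in
          *" $v "*) printf '%s nx@%s\n' "$f" "$v" ;;
        esac
      done
    done)
  [ -n "$hits" ] && printf '%s\n' "$hits"
}

# Run only when a directory is passed on the command line.
if [ "$#" -gt 0 ]; then
  scan_tree "$1" || echo "no malicious nx versions found in lockfiles under $1"
fi
```

A clean result only covers the lockfiles currently on disk; a developer machine that ran `npx nx` or an editor extension during the exposure window can still be affected.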
Clear Caches and Reinstall Safe Versions
```bash
npm cache clean --force
rm -rf ~/.npm/_npx
yarn cache clean || true
pnpm store prune || true
npm uninstall nx
npm install nx@21.4.1
npm cache clean --force
```
Update VS Code Nx Console
Upgrade to v18.66.0+.
Earlier versions auto-installed `nx@latest` (possibly malicious).
Always pin Nx versions instead of relying on latest.
3. Revoke & Rotate Credentials
GitHub
Revoke all Personal Access Tokens and OAuth tokens
Remove and regenerate SSH keys
Enable 2FA
```bash
gh auth status
gh ssh-key list
gh auth logout
```
Generate a new SSH keypair:
```bash
ssh-keygen -t ed25519 -C "you@example.com" -f ~/.ssh/id_ed25519_github -N ''
eval "$(ssh-agent -s)"
ssh-add ~/.ssh/id_ed25519_github
gh ssh-key add ~/.ssh/id_ed25519_github.pub -t "rotated-$(date +%Y%m%d-%H%M%S)"
```
npm
Revoke and regenerate tokens
Enable 2FA for publishing
Cloud & APIs
Rotate AWS, GCP, and Azure keys if stored locally
Regenerate API keys for services (OpenAI, Anthropic, Gemini, Datadog, etc.)
Rotate database credentials
Cryptocurrency Wallets
If wallet files (keystore.json, wallet.dat) were on disk, assume compromise and move funds to new wallets.
➡️ Full checklist: Revocation Guide
4. Review and Secure Repositories
Identify Affected Repos
```bash
OWNER="USERNAME"
PATTERN="^${OWNER}/s1ngularity-repository-"
gh repo list "$OWNER" --visibility public -L 10000 --json nameWithOwner \
  --jq '.[] | .nameWithOwner | select(test("'"$PATTERN"'"))' > repos_to_secure.txt
```
Make Repos Private
```bash
while IFS= read -r repo; do
  gh repo edit "$repo" --visibility private --accept-visibility-change-consequences
done < repos_to_secure.txt
```
Also:
Audit commit history for unauthorized changes
Check for unauthorized forks
File GitHub takedown requests if needed
Review org audit logs (repo renames, added keys, suspicious access)
5. Verify & Monitor
Decode results.b64 from malicious repos (Base64 ×2) to confirm stolen data
Tools:
GitGuardian’s S1ngularity Scanner
GitGuardian’s HasMySecretLeaked
Semgrep detection rules for malicious Nx versions
Ongoing monitoring:
Watch GitHub/npm/cloud login activity
Monitor for suspicious repo changes
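To turn the results.b64 decoding step in this section into a rotation list, the added example below (not part of the original guide) undoes both Base64 layers and counts unique matches per credential class without echoing the values. The function names and the pattern table are choices made here; the patterns are the published prefixes for GitHub, npm and AWS keys plus PEM private-key headers.

```bash
#!/bin/sh
# Added example (not from the original guide): decode a results.b64 file and
# summarise which credential classes it exposes, without printing the secrets.

# decode_results FILE: undo both Base64 layers (assumes a `base64 -d` that
# accepts line-wrapped input, as GNU coreutils does).
decode_results() {
  base64 -d < "$1" | base64 -d
}

# triage_results FILE: print "CLASS COUNT" for each class with unique matches.
# Extend the table at the end of the loop for other services you use.
triage_results() {
  decoded=$(decode_results "$1") && [ -n "$decoded" ] ||
    { echo "cannot decode $1" >&2; return 2; }
  while read -r class regex; do
    n=$(printf '%s\n' "$decoded" | grep -oE -e "$regex" | sort -u | wc -l | tr -d ' ')
    [ "$n" -gt 0 ] && printf '%s %s\n' "$class" "$n"
  done <<'EOF'
github_token (ghp|gho|ghu|ghs|ghr)_[A-Za-z0-9]{36}|github_pat_[A-Za-z0-9_]{22,}
npm_token npm_[A-Za-z0-9]{36}
aws_access_key_id AKIA[0-9A-Z]{16}
private_key -----BEGIN [A-Z ]*PRIVATE KEY-----
EOF
  return 0
}

# Run only when a file is passed on the command line.
if [ "$#" -gt 0 ]; then
  triage_results "$1"
fi
```

An empty summary means only that none of these patterns matched; review the decoded file itself before deciding a credential was not exposed.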
6. Long-Term Preventive Measures
Pin all dependencies in lockfiles.
Require manual approval for GitHub Actions from forks.
Remove long-lived CI/CD tokens → use short-lived OIDC tokens.
Rotate secrets regularly.
Apply least privilege (narrow scopes for PATs, API keys, IAM roles).
Train dev teams on secret hygiene and incident response.
Final Note
If you installed a malicious Nx version:
Assume all local secrets are compromised.
Rotate them immediately.
Remove persistence mechanisms.
Audit repos for unauthorized exposure.
Resources
Security Alert | NX Compromised to Steal Wallets and Credentials
HasMySecretLeaked | Leak Detection in the DevOps Pipeline
Revocation Guide | GitHub Repository by BunsDev
Remove Sensitive Data | GitHub’s Guide for Cleaning History

Further Reading
News Coverage & Reports
TechRadar | NPM packages from Nx targeted in latest worrying software supply chain attack: Reports that malicious Nx versions exfiltrated developer secrets (GitHub/NPM tokens, SSH keys, crypto wallet info). Highlights the use of AI CLI tools (Claude, Gemini) in reconnaissance.
The Hacker News | Malicious Nx Packages in ‘s1ngularity’ Attack Leaked 2,349 GitHub, Cloud, and AI Credentials: Breaks down affected versions, volume of leaked credentials, AI-assisted reconnaissance, and the use of public repositories for exfiltration.
SecurityWeek | Hackers Target Popular Nx Build System in First AI‑Weaponized Supply Chain Attack: Provides a timeline of events, technical mechanics of the malware, and mitigations such as enforcing 2FA on publishing.
InfoWorld | Wave of npm supply chain attacks exposes thousands of enterprise developer credentials: Contextualizes the Nx incident within the broader landscape of npm ecosystem attacks and enterprise risk, emphasizing AI tool abuse.
Infosecurity Magazine | Npm Package Hijacked to Steal Data and Crypto via AI‑Powered Malware: Details how this represents a first-of-its-kind attack using AI-powered malware within npm packages.
Technical & Incident Response Blogs
- StepSecurity | Supply Chain Security Alert: Popular Nx Build System Package Compromised with Data-Stealing Malware: Offers a precise technical timeline beginning August 26, 2025, including how the AI tools were weaponized and naming the official advisory GHSA-cxm3-wv7p-598c.
Official Advisory & Repository
- GitHub | Security Advisory (nrwl/nx issue #32524): The official advisory issued by the Nx maintainers, listing affected package versions, timeline of publication/removal, and a summary of the attack vector and impact.




