The maintainers of the nx build system have alerted users to a supply chain attack that allowed attackers to publish malicious versions of the popular npm package and other auxiliary plugins with data-gathering capabilities. "Malicious versions of the nx package, as well as some supporting plugin packages, were published to npm, containing code that scans the file system, collects credentials, and posts them to GitHub as a repo under the user's accounts," the maintainers said in an advisory published Wednesday. Nx is an open-source, technology-agnostic build platform that's designed to manage codebases. It's advertised as an "AI-first build platform that connects everything from your editor to CI [continuous integration]." The npm package has over 3.5 million weekly downloads. The list of affected packages and versions is below. These versions have since been removed from the npm registry. The compromise of the nx package took place on August 26, 2025. nx 21.5.0, 20.9.0, 20.10.0, 21.6.0, 20.11.0, 21.7.0, 21.8.0, 20.12.0 @nx/devkit 21.5.0, 20.9.0 @nx/enterprise-cloud 3.2.0 @nx/eslint 21.5.0 @nx/js 21.5.0, 20.9.0 @nx/key 3.2.0 @nx/node 21.5.0, 20.9.0 @nx/workspace 21.5.0, 20.9.0 The project maintainers said the root cause of the issue stemmed from a vulnerable workflow added on August 21, 2025, that introduced the ability to inject executable code using a specially crafted title in a pull request (PR). While the workflow was reverted in the "master" branch "almost…Read More