Описание
Duplicate Advisory: Malicious versions of Nx were published
Duplicate Advisory
This advisory has been withdrawn because it is a duplicate of GHSA-cxm3-wv7p-598c. This link is maintained to preserve external references.
Original Description
Malicious code was inserted into the Nx (build system) package and several related plugins. The tampered package was published to the npm software registry, via a supply-chain attack. Affected versions contain code that scans the file system, collects credentials, and posts them to GitHub as a repo under user's accounts.
Ссылки
- https://github.com/nrwl/nx/security/advisories/GHSA-cxm3-wv7p-598c
- https://nvd.nist.gov/vuln/detail/CVE-2025-10894
- https://access.redhat.com/security/cve/CVE-2025-10894
- https://access.redhat.com/security/supply-chain-attacks-NPM-packages
- https://bugzilla.redhat.com/show_bug.cgi?id=2396282
- https://www.stepsecurity.io/blog/supply-chain-security-alert-popular-nx-build-system-package-compromised-with-data-stealing-malware
- https://www.wiz.io/blog/s1ngularity-supply-chain-attack
Пакеты
Наименование
nx
npm
Затронутые версииВерсия исправления
= 21.5.0
Отсутствует
9.6 Critical
CVSS3
Дефекты
CWE-506
9.6 Critical
CVSS3
Дефекты
CWE-506