Nx Supply Chain Attack

CRITICAL (9.6)

Threat Intelligence

Low Risk
EPSS Score: 0.07% chance of exploitation (percentile: 21%)
🔍 Detection Tools: None available in major open-source tools
⚔️ Exploit Availability: No public exploits found


What is it?

Nx is a popular build system for JavaScript and TypeScript applications. In this supply chain attack, attackers injected malicious code into the Nx package, which was then published to the npm software registry. As a result, affected versions of Nx can scan the file system, collect credentials, and post them to GitHub.

Am I affected?

You're affected if you use an affected version of the npm package nx. Specific version info is not stated in the advisory.

Affected Packages

npm: nx

How to fix

  1. Immediately update to Nx version 21.0.2 or later from the official GitHub repository: https://github.com/nrwl/nx/releases/tag/21.0.2
  2. Run npm install nx@latest in your terminal.
  3. If you can't upgrade immediately, restrict network access to your Nx instance (firewall it from the public internet) and monitor for unauthorized token creation.