Nx NPM packages poisoned in AI-assisted supply chain attack www.theregister.com/2025/08/2…
Nx is the latest target of a software supply chain attack in the NPM ecosystem, with multiple malicious versions being uploaded to the NPM registry on Tuesday evening.
According to researchers at Wiz, those poisoned packages were laden with malware designed to siphon secrets from developers, such as GitHub and NPM tokens, SSH keys, and cryptocurrency wallet details.
Nx’s security advisory on GitHub, which lists the affected versions, states that once credentials were harvested they were posted back to GitHub as new public repositories created under the victims’ own accounts, making them readable by anyone.
With a self-reported 24 million NPM downloads per month, a successful supply chain attack on Nx, an open source codebase management platform, could in theory capture the secrets of a very large number of developers.
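The practical first question after an incident like this is whether a poisoned version ever landed in your lockfile. The snippet below is an added example written for this page, not code from The Register, Wiz, or the Nx project: it walks a package-lock.json (v1, v2 or v3), collects every installed package named `nx` or under the `@nx/` scope, and compares them against a list of bad versions that you copy from the Nx advisory. The sample lockfile and the `HYPOTHETICAL_BAD` version list are constructed placeholders; the real affected versions are in the advisory and are deliberately not reproduced here.

```javascript
// Added example: audit an npm lockfile for installed Nx packages and flag
// any whose version appears in a list taken from the Nx advisory.
// All package versions below are constructed placeholders, not real data.

// Nx publishes the bare "nx" package and the "@nx/*" scope.
function isNxPackage(name) {
  return name === 'nx' || name.startsWith('@nx/');
}

// Derive the package name from a lockfile v2/v3 "packages" key such as
// "node_modules/@nx/devkit" or "node_modules/a/node_modules/nx".
function nameFromPath(path) {
  const idx = path.lastIndexOf('node_modules/');
  return idx === -1 ? path : path.slice(idx + 'node_modules/'.length);
}

// Lockfile v1 nests transitive deps under each entry's "dependencies".
function walkV1(deps, prefix, out) {
  for (const [name, info] of Object.entries(deps || {})) {
    const path = `${prefix}node_modules/${name}`;
    if (isNxPackage(name)) out.push({ name, version: info.version, path });
    if (info.dependencies) walkV1(info.dependencies, `${path}/`, out);
  }
}

// Return every installed Nx package as { name, version, path }.
function findNxPackages(lockText) {
  const lock = JSON.parse(lockText);
  const out = [];
  if (lock.packages) {
    // v2/v3: flat map keyed by install path; "" is the root project.
    for (const [path, info] of Object.entries(lock.packages)) {
      if (path === '') continue;
      const name = info.name || nameFromPath(path); // info.name only for aliases
      if (isNxPackage(name)) out.push({ name, version: info.version, path });
    }
  } else {
    walkV1(lock.dependencies, '', out);
  }
  return out;
}

// badVersions: { [packageName]: [version, ...] } copied from the advisory.
function flagCompromised(entries, badVersions) {
  return entries.filter(e => (badVersions[e.name] || []).includes(e.version));
}

// Constructed sample inputs (placeholder versions, not the real ones).
const SAMPLE_LOCK_V3 = JSON.stringify({
  name: 'demo',
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo', dependencies: { nx: '1.2.3' } },
    'node_modules/nx': { version: '1.2.3' },
    'node_modules/@nx/devkit': { version: '1.2.3' },
    'node_modules/typescript': { version: '5.0.0' },
  },
});
const SAMPLE_LOCK_V1 = JSON.stringify({
  lockfileVersion: 1,
  dependencies: {
    'some-tool': { version: '2.0.0', dependencies: { nx: { version: '1.2.3' } } },
  },
});
const HYPOTHETICAL_BAD = { nx: ['1.2.3'] }; // replace with the advisory's list

const found = findNxPackages(SAMPLE_LOCK_V3);
console.log('installed Nx packages:', found);
console.log('matches against bad list:', flagCompromised(found, HYPOTHETICAL_BAD));
```

A hit here means a poisoned version was resolved into the project at some point, and its install-time payload may already have run on every machine and CI runner that installed it; the lockfile check tells you exposure, not whether the theft succeeded. Treat any match as a rotation event for the credential classes the article names (GitHub and NPM tokens, SSH keys, wallet material) and, since the advisory says harvested data was pushed as new public repositories under the victim's account, review recently created repositories on the affected GitHub accounts as well.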