Affected package: @nrwl/nx
Affected version ranges (both bounds inclusive):
- >= 20.9.0, <= 21.8.0
- >= 20.10.0, <= 20.10.0
- >= 20.11.0, <= 20.11.0
- >= 20.12.0, <= 20.12.0
- >= 21.5.0, <= 21.5.0
- >= 21.6.0, <= 21.6.0
- >= 21.7.0, <= 21.7.0
This vulnerability is being actively exploited in the wild.
A supply chain attack has compromised the Nx build system package and several related plugins, including @nx/devkit, @nx/enterprise-cloud, @nx/eslint, @nx/js, @nx/key, @nx/node, and @nx/workspace. Malicious versions of these packages were published to the npm registry, containing a post-installation script that scanned the file system for sensitive information such as GitHub and npm tokens, SSH keys, and cryptocurrency wallet data. This stolen information was then uploaded to GitHub repositories created under the user's account.
The vulnerability led to the unauthorized collection and exfiltration of sensitive data, including GitHub and npm tokens, SSH keys, and cryptocurrency wallet information, which was uploaded to GitHub repositories created by the attacker.
The vulnerability can be reproduced by installing one of the compromised versions of the Nx package or its related plugins. The malicious code runs from the package's post-installation (npm postinstall) lifecycle script, which collects sensitive information from the file system and uploads it to a GitHub repository.
Users should immediately uninstall the compromised versions of Nx and its related packages, clear the npm cache, and remove any malicious entries from their shell configuration files. Afterward, they can reinstall the packages at a known-safe version. Additionally, it is crucial to rotate any exposed credentials, such as GitHub and npm tokens, SSH keys, and cryptocurrency wallet information.