{"id":2543,"date":"2025-08-29T13:52:36","date_gmt":"2025-08-29T13:52:36","guid":{"rendered":"http:\/\/ft365.org\/index.php\/2025\/08\/29\/npm-package-hijacked-to-steal-data-and-crypto-via-ai-powered-malware\/"},"modified":"2025-08-29T13:52:36","modified_gmt":"2025-08-29T13:52:36","slug":"npm-package-hijacked-to-steal-data-and-crypto-via-ai-powered-malware","status":"publish","type":"post","link":"http:\/\/ft365.org\/index.php\/2025\/08\/29\/npm-package-hijacked-to-steal-data-and-crypto-via-ai-powered-malware\/","title":{"rendered":"Npm Package Hijacked to Steal Data and Crypto via AI-Powered Malware"},"content":{"rendered":"<div id=\"cphContent_pnlArticleBody\" data-layout-id=\"2\" data-edit-folder-name=\"text\" data-index=\"0\">\n<p>A threat actor released malicious updates on the npm package repository for components of a tool popular among developers intending to steal cryptocurrencies and key developer data.<\/p>\n<p>According to a report by StepSecurity, the attack started in the morning of August 26, when version 21.5.0 of Nx was released to the npm registry.<\/p>\n<p>Nx is an open-source build platform widely used by developers to automate and streamline code testing, building and deployment workflows.<\/p>\n<p>Version 21.5.0 of Nx was compromised with data-stealing malware. Seven other versions of Nx that were released over the next hours and the next day were also infected.<\/p>\n<h2><strong>AI-Assisted Attack: Nx Infections Leak Secrets via Victim-Owned Repos<\/strong><\/h2>\n<p>The compromised Nx versions included a malicious script designed to exploit local AI command-line interface (CLI) tools, which used large language models, such as Anthropic\u2019s Claude, Google\u2019s Gemini and the Amazon Q coding assistant, by injecting a crafted prompt that forced these agents to scan the infected system for sensitive files.<\/p>\n<p>The targets included GitHub and npm tokens, SSH keys, environment variable secrets (like .env files) and cryptocurrency wallet data.<\/p>\n<p>Once collected, the stolen information was encoded and saved into a single file.<\/p>\n<p>The script then abused the GitHub application programming interface (API) to automatically create a new public repository under the victim\u2019s own account using the naming pattern \u201cs1ngularity-repository-\u201c where the stolen data was uploaded.<\/p>\n<p>This method eliminated the need for an external command-and-control (C2) server, instead leveraging the victim\u2019s own infrastructure to host the exfiltrated files, which could later be harvested by the attacker while minimizing direct traceability.<\/p>\n<p>Additionally, the malware changed the user\u2019s shell configuration files (~\/.bashrc and ~\/.zshrc) to insert a shutdown command, ensuring the developer\u2019s machine would reboot every time a new terminal session started. This move was likely intended to enhance persistence of the infection or disrupt forensic analysis.<\/p>\n<p>The predictable repository naming convention made the stolen data easily identifiable on GitHub, though it also left a trail that might expose the attacker\u2019s collection method.<\/p>\n<p>By avoiding third-party servers entirely, the attack relied on the victim\u2019s own accounts to store and transmit the loot, a tactic that complicates attribution but also increases the risk of detection.<\/p>\n<p>StepSecurity said that the popularity of Nx tools meant users identified the attack quickly and the eight malicious package versions remained live only for five hours and 20 minutes before being taken down.<\/p>\n<p>\u201cIn that short window, thousands of developers may have been exposed,\u201d the report said.<\/p>\n<h2><strong>Second Wave of Attack: GitHub CLI OAuth Tokens on High Alert<\/strong><\/h2>\n<p>The StepSecurity report warned of a second wave of attacks stemming from the Nx credential leaks, first disclosed by Brian Kohan, a software architect at the NASA Jet Propulsion Laboratory, and Adnan Khan, a security engineer and researcher on August 28.<\/p>\n<p>In this new wave, attackers started weaponizing stolen credentials to expose and duplicate private organizational repositories, thus escalating the breach\u2019s impact.<\/p>\n<p>The attack follows a two-stage approach:<\/p>\n<ol>\n<li>First, threat actors rename private repositories to follow the pattern s1ngularity-repository-{random-string} before forcibly converting them to public access, exposing sensitive code and secrets<\/li>\n<li>Second, they fork these repositories into compromised user accounts, ensuring the stolen data remains accessible even if the original repositories are later secured<\/li>\n<\/ol>\n<p>Thousands of such repositories have now surfaced on GitHub. The attack disproportionately targets GitHub CLI OAuth tokens, which provide attackers with prolonged access, amplifying the risk of persistent exploitation.<\/p>\n<h2><strong>Infection Assessment and Mitigation and Remediation Recommendations<\/strong><\/h2>\n<p>The StepSecurity researchers said these attacks mark a \u201cnew frontier in supply chain attacks.\u201d<\/p>\n<p>\u201cThis is the first known case where malware harnessed developer-facing AI CLI tools &#8211; turning trusted AI\u00a0LLM\u00a0assistants into reconnaissance and exfiltration agents,\u201d they wrote.<\/p>\n<p>People who want to know if they or their organization have been affected can use the following GitHub query and replace \u2018acmeinc\u2019 with their GitHub organization name: https:\/\/github.com\/search?q=is%3Aname+s1ngularity-repository+org%3Aacme&#038;type=repositories&#038;s=updated&#038;o=desc<\/p>\n<p>For those who have been impacted, the StepSecurity researchers recommended following these steps:<\/p>\n<ol>\n<li>Make any exposed organization repositories private again<\/li>\n<li>Disconnect affected user(s) from the organization while mitigating this issue<\/li>\n<li>Revoke all access tokens for each affected user, including installed apps, authorized apps, OAuth tokens (especially GitHub CLI tokens), SSH keys and GPG keys<\/li>\n<li>Delete any forked repositories from affected user accounts that may contain sensitive organizational data<\/li>\n<\/ol>\n<p>StepSecurity also provided a comprehensive remediation plan users can follow.<\/p>\n<\/p><\/div>\n","protected":false},"excerpt":{"rendered":"<p>A threat actor released malicious updates on the npm package repository for components of a tool popular among developers intending to steal cryptocurrencies and key developer data. According to a report by StepSecurity, the attack started in the morning of August 26, when version 21.5.0 of Nx was released to the npm registry. Nx is<\/p>\n","protected":false},"author":2,"featured_media":2544,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-2543","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-uncategorized"],"featured_image_urls":{"full":["http:\/\/ft365.org\/wp-content\/uploads\/2025\/08\/2543-ddf118e5-29de-43e9-b521-27b7f70a9f40.jpg",300,300,false],"thumbnail":["http:\/\/ft365.org\/wp-content\/uploads\/2025\/08\/2543-ddf118e5-29de-43e9-b521-27b7f70a9f40-150x150.jpg",150,150,true],"medium":["http:\/\/ft365.org\/wp-content\/uploads\/2025\/08\/2543-ddf118e5-29de-43e9-b521-27b7f70a9f40.jpg",300,300,false],"medium_large":["http:\/\/ft365.org\/wp-content\/uploads\/2025\/08\/2543-ddf118e5-29de-43e9-b521-27b7f70a9f40.jpg",300,300,false],"large":["http:\/\/ft365.org\/wp-content\/uploads\/2025\/08\/2543-ddf118e5-29de-43e9-b521-27b7f70a9f40.jpg",300,300,false],"1536x1536":["http:\/\/ft365.org\/wp-content\/uploads\/2025\/08\/2543-ddf118e5-29de-43e9-b521-27b7f70a9f40.jpg",300,300,false],"2048x2048":["http:\/\/ft365.org\/wp-content\/uploads\/2025\/08\/2543-ddf118e5-29de-43e9-b521-27b7f70a9f40.jpg",300,300,false],"morenews-featured":["http:\/\/ft365.org\/wp-content\/uploads\/2025\/08\/2543-ddf118e5-29de-43e9-b521-27b7f70a9f40.jpg",300,300,false],"morenews-large":["http:\/\/ft365.org\/wp-content\/uploads\/2025\/08\/2543-ddf118e5-29de-43e9-b521-27b7f70a9f40.jpg",300,300,false],"morenews-medium":["http:\/\/ft365.org\/wp-content\/uploads\/2025\/08\/2543-ddf118e5-29de-43e9-b521-27b7f70a9f40.jpg",300,300,false],"crawlomatic_preview_image":["http:\/\/ft365.org\/wp-content\/uploads\/2025\/08\/2543-ddf118e5-29de-43e9-b521-27b7f70a9f40-146x146.jpg",146,146,true]},"author_info":{"display_name":"henry","author_link":"http:\/\/ft365.org\/index.php\/author\/henry\/"},"category_info":"<a href=\"http:\/\/ft365.org\/index.php\/category\/uncategorized\/\" rel=\"category tag\">Uncategorized<\/a>","tag_info":"Uncategorized","comment_count":"0","_links":{"self":[{"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/posts\/2543","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/comments?post=2543"}],"version-history":[{"count":0,"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/posts\/2543\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/media\/2544"}],"wp:attachment":[{"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/media?parent=2543"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/categories?post=2543"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/tags?post=2543"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}