CVE-2025-10894: Malicious versions of Nx were published
(updated )
Malicious versions of the nx package, as well as some supporting plugin packages, were published to npm, containing code that scans the file system, collects credentials, and posts them to GitHub as a repo under user’s accounts.
References
- access.redhat.com/security/cve/CVE-2025-10894
- access.redhat.com/security/supply-chain-attacks-NPM-packages
- bugzilla.redhat.com/show_bug.cgi?id=2396282
- github.com/advisories/GHSA-cxm3-wv7p-598c
- github.com/nrwl/nx
- github.com/nrwl/nx/commit/3905475cfd0e0ea670e20c6a9eaeb768169dc33d
- github.com/nrwl/nx/issues/32522
- github.com/nrwl/nx/issues/32523
- github.com/nrwl/nx/pull/32458
- github.com/nrwl/nx/security/advisories/GHSA-cxm3-wv7p-598c
- nvd.nist.gov/vuln/detail/CVE-2025-10894
- www.stepsecurity.io/blog/supply-chain-security-alert-popular-nx-build-system-package-compromised-with-data-stealing-malware
- www.wiz.io/blog/s1ngularity-supply-chain-attack
- x.com/adnanthekhan/status/1958722939534417989
Code Behaviors & Features
Detect and mitigate CVE-2025-10894 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →