GHSA-8mjq-32x3-22qf: Duplicate Advisory: Malicious versions of Nx were published
Duplicate Advisory
This advisory has been withdrawn because it is a duplicate of GHSA-cxm3-wv7p-598c. This link is maintained to preserve external references.
Original Description
Malicious code was inserted into the Nx (build system) package and several related plugins. The tampered package was published to the npm software registry, via a supply-chain attack. Affected versions contain code that scans the file system, collects credentials, and posts them to GitHub as a repo under user’s accounts.
References
- access.redhat.com/security/cve/CVE-2025-10894
- access.redhat.com/security/supply-chain-attacks-NPM-packages
- bugzilla.redhat.com/show_bug.cgi?id=2396282
- github.com/advisories/GHSA-8mjq-32x3-22qf
- github.com/nrwl/nx/security/advisories/GHSA-cxm3-wv7p-598c
- nvd.nist.gov/vuln/detail/CVE-2025-10894
- www.stepsecurity.io/blog/supply-chain-security-alert-popular-nx-build-system-package-compromised-with-data-stealing-malware
- www.wiz.io/blog/s1ngularity-supply-chain-attack
Code Behaviors & Features
Detect and mitigate GHSA-8mjq-32x3-22qf with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →