Threat Insight

Supply-Chain Attack on Popular Nx Package Suite

Wiz has reported[1] that on August 26, 2025, multiple malicious versions of the widely used Nx build system package were published to the npm registry. These versions carried a post-install hook that runs a file named “telemetry.js”. Because npm executes lifecycle scripts automatically once a package has been installed, the script ran on every developer machine and CI runner that pulled one of the affected versions, giving the attackers access at scale. Despite its name, telemetry.js is a credential and file exfiltration script.

Insight

The malware only executed on Linux and macOS systems, where it searched for sensitive files such as SSH keys, .env files, cryptocurrency wallets and keystores, and also extracted credentials such as GitHub authentication tokens and .npmrc files (which typically hold npm tokens). Reportedly[1], the malware also attempted to lock users out by appending “sudo shutdown -h 0” to their shell startup files (~/.bashrc and ~/.zshrc), so that opening a new terminal session halts the machine.

The script does not rely solely on its own file search. As part of the collection stage it abuses locally installed AI assistant CLIs and gets them to bypass their own safety boundaries, by invoking the assistants with flags that switch off their permission prompts:

--dangerously-skip-permissions
--yolo
--trust-all-tools

With these flags set (they belong to Claude Code, Gemini CLI and Amazon Q respectively), the assistant is prompted to recursively scan the filesystem for the file types listed above and has been observed to write the paths it finds to /tmp/inventory.txt, effectively turning legitimate developer tooling into an accomplice in the attack.

When the data collection stage is completed, the malware exfiltrates the data through GitHub. The malware:

— Creates a public GitHub repository named “s1ngularity-repository” using the stolen GitHub tokens. Some of the compromised versions append a numeric suffix such as “-0” or “-1” to this name.

— Triple-base64 encodes all collected data

— Uploads the encoded data to results.b64 in the newly created repository

— Makes the repository publicly accessible, exposing sensitive data

Affected Products

— Nx build system npm package (@nrwl/nx, nx) in the following versions: 20.9.0, 20.10.0, 20.11.0, 20.12.0, 21.5.0, 21.6.0, 21.7.0, 21.8.0

— @nx/devkit in versions: 21.5.0, 20.9.0
— @nx/enterprise-cloud version 3.2.0
— @nx/eslint version 21.5.0
— @nx/js in versions: 21.5.0, 20.9.0
— @nx/key version 3.2.0
— @nx/node in versions 21.5.0, 20.9.0
— @nx/workspace in versions 21.5.0, 20.9.0

To see if you have been affected:

— Check for any evidence of GitHub repositories created within your organization and user accounts named s1ngularity-repository, s1ngularity-repository-0, or s1ngularity-repository-1 (note that since GitHub has disabled these repositories, they will not show up in search; look in the audit log instead).
— Review GitHub audit logs for anomalous API usage, in particular repository creation events tied to developer tokens.
— Monitor developer endpoints and CI/CD pipelines for suspicious API calls and unexpected child processes spawned from npm install, such as AI assistant CLIs being launched.

For immediate remediation[1]:

— Remove the malicious Nx versions (rm -rf node_modules && npm cache clean --force) and purge them from your lockfiles so they are not reinstalled.
— Upgrade to a clean release (Nx has removed the malicious versions from the registry, so any version currently installable from npm is not one of those listed above).
— Manually review and remove the malicious shell entries from ~/.bashrc and ~/.zshrc.
— Delete /tmp/inventory.txt and its .bak copy if present.
— Revoke and regenerate all GitHub tokens, npm tokens, SSH keys, API keys and environment-variable secrets that may have been leaked in these repositories; treat anything the AI assistant inventoried as exposed.
— Move cryptocurrency funds to new wallets immediately if wallet files were exposed (wallets themselves cannot be rotated).

Truesec recommends disabling npm lifecycle scripts (“postinstall” and its siblings) by default, for example with ignore-scripts=true in .npmrc, to reduce the risk of being hit by malware such as this. Some packages genuinely need an install step (native addons, for instance), so re-enable scripts only for individually reviewed packages rather than globally.

Furthermore, to minimize the risk of supply-chain attacks through code packages, you must know what software you are using. Use software composition analysis (SCA) tooling and software bills of materials (SBOMs) to inventory your third-party dependencies, so that an advisory like this one can be matched against your estate within hours rather than days.

For sensitive projects, consider a “quarantine” period for newly published package versions that are not immediately needed. Dependencies should still be kept reasonably up to date so they receive security fixes, but adopting a fresh release can often be delayed by a few days, which is long enough for a malicious version like these to be detected and pulled from the registry.

Follow the principle of least privilege and use separate accounts for development work and for privileged admin work. Use dedicated workstations, Privileged Admin Workstations (PAWs), for all privileged, administrative, and developer access.

Implement multiple Server Admin groups so that a single compromised Server Admin account cannot reach every server and deploy ransomware. Developers are usually entrusted with some of the highest privileges, and protecting admin identities is the core of cybersecurity.

If you require assistance in implementing these principles and best practices or tailoring them to your specific environment, please do not hesitate to contact Truesec for expert support.

For further reading on the subject, see these blog posts:
https://www.truesec.com/hub/blog/secure-your-software-supply-chain-trusting-3rd-parties
https://www.truesec.com/hub/blog/supplychain-attacks-targeting-popular-code-packages
https://www.truesec.com/hub/blog/avoiding-supply-chain-attacks-similar-to-solarwinds-orions-sunburst

References

[1] https://www.wiz.io/blog/s1ngularity-supply-chain-attack
    https://www.stepsecurity.io/blog/supply-chain-security-alert-popular-nx-build-system-package-compromised-with-data-stealing-malware
