On August 26, 2025, the software supply chain suffered a major breach when multiple malicious versions of the popular Nx build system were published to npm. Dubbed “s1ngularity,” this attack didn’t just steal secrets—it weaponized trusted AI tools and turned developer environments into data exfiltration pipelines.
Thousands of GitHub repositories were compromised, leaking sensitive credentials, cryptocurrency wallets, and cloud secrets. The malware operated silently, leveraging post-install scripts and AI command-line interfaces to harvest and upload data to attacker-controlled GitHub repos.
This is a wake-up call for every organization that relies on open-source packages in their CI/CD pipelines.
What Made s1ngularity Different?
Unlike traditional supply chain attacks, s1ngularity:
- Targeted AI CLI tools like Claude, Gemini, and Q, using dangerous flags (--yolo, --trust-all-tools) to bypass permissions.
- Executed post-install scripts that modified shell files (~/.bashrc, ~/.zshrc) to trigger system shutdowns.
- Exfiltrated data to public GitHub repos named s1ngularity-repository, making sensitive credentials trivially accessible.
- Impacted developer machines and CI/CD pipelines, including GitHub Actions and VSCode extensions.
Affected Packages
The following Nx packages were compromised:
| Package Name | Versions Impacted |
| --- | --- |
| nx, @nrwl/nx | 20.9.0 – 21.8.0 |
| @nx/devkit | 20.9.0, 21.5.0 |
| @nx/enterprise-cloud | 3.2.0 |
| @nx/eslint, @nx/js | 21.5.0, 20.9.0 |
| @nx/key, @nx/node | 3.2.0, 20.9.0, 21.5.0 |
| @nx/workspace | 20.9.0, 21.5.0 |
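
One way to check a project against the table above, as an added example that is not part of the original post or of OX's product: it scans a parsed package-lock.json (lockfileVersion 2 or 3) for the listed versions. The function names and the sample lockfile are constructed for illustration, and the nx / @nrwl/nx row is treated as an inclusive range.

```javascript
// Versions copied from the table above; reading the nx row as an inclusive range is an assumption.
const LISTED = new Map(Object.entries({
  "nx": { range: ["20.9.0", "21.8.0"] },
  "@nrwl/nx": { range: ["20.9.0", "21.8.0"] },
  "@nx/devkit": { exact: ["20.9.0", "21.5.0"] },
  "@nx/enterprise-cloud": { exact: ["3.2.0"] },
  "@nx/eslint": { exact: ["21.5.0", "20.9.0"] },
  "@nx/js": { exact: ["21.5.0", "20.9.0"] },
  "@nx/key": { exact: ["3.2.0", "20.9.0", "21.5.0"] },
  "@nx/node": { exact: ["3.2.0", "20.9.0", "21.5.0"] },
  "@nx/workspace": { exact: ["20.9.0", "21.5.0"] },
}));

// Compare "x.y.z" numerically; prerelease/build suffixes are ignored.
function cmp(a, b) {
  const [pa, pb] = [a, b].map((v) => v.split(/[-+]/)[0].split(".").map(Number));
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}
function isListed(name, version) {
  const rule = LISTED.get(name);
  if (!rule || typeof version !== "string") return false;
  if (rule.exact) return rule.exact.includes(version);
  return cmp(version, rule.range[0]) >= 0 && cmp(version, rule.range[1]) <= 0;
}

// Walk the lockfileVersion 2/3 "packages" map, including nested node_modules.
function findListed(lock) {
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    const i = path.lastIndexOf("node_modules/");
    if (i === -1) continue; // "" is the root project itself
    const name = meta.name || path.slice(i + "node_modules/".length);
    if (isListed(name, meta.version)) hits.push({ name, version: meta.version, path });
  }
  return hits;
}
// Constructed sample lockfile, not taken from a real project.
const SAMPLE_LOCK = { lockfileVersion: 3, packages: {
  "": { name: "demo", version: "1.0.0" },
  "node_modules/nx": { version: "21.5.0" },
  "node_modules/@nx/devkit": { version: "21.4.1" },
  "node_modules/foo/node_modules/@nx/js": { version: "20.9.0" },
} };
console.log(findListed(SAMPLE_LOCK));
```

To run it on a real project, pass `JSON.parse` of the project's package-lock.json to `findListed`; a transitive copy nested under another package's node_modules is reported with its full path.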
How OX Security Helps You Respond
OX Security is purpose-built to detect, respond to, and prevent supply chain attacks like s1ngularity. Here’s how:
1. Real-Time SBOM Monitoring
OX continuously monitors your Software Bill of Materials (SBOM) across all environments. If any of the compromised Nx versions are present, OX flags them immediately—whether in production, staging, or developer endpoints.
Use OX’s SBOM dashboard to identify and isolate malicious Nx packages instantly.
2. CI/CD Pipeline Protection
OX integrates directly into your CI/CD workflows to detect anomalous behavior:
- Unexpected post-install scripts
- Suspicious API calls to GitHub
- Unauthorized file access or shell modifications
OX can detect a malicious script that could modify .bashrc or exfiltrate secrets.
3. Credential Exposure Detection
OX scans for leaked secrets across your repositories and build logs. If any GitHub tokens, SSH keys, or .env files are exposed, OX can trigger alerts and help you automate key and credential rotation workflows.
4. AI Tool Abuse Detection
OX now includes heuristics to detect misuse of AI CLI tools in developer environments. If flags like --dangerously-skip-permissions or --trust-all-tools are used, OX raises a high-severity alert.
OX’s AI-aware telemetry ensures that trusted tools aren’t turned into reconnaissance weapons.

Immediate Remediation Checklist
OX recommends the following steps for all affected organizations:
- Remove malicious Nx versions (rm -rf node_modules && npm cache clean --force)
- Upgrade to clean Nx releases
- Manually clean shell files and temp artifacts
- Audit GitHub for s1ngularity-repository* repos
- Rotate all exposed credentials
- Transfer crypto assets to new wallets
OX can automate many of these steps through remediation workflows and integrations with GitHub, npm, and cloud providers.
Preventing Supply Chain Attacks
The s1ngularity attack is an unfortunate reminder that supply chain threats are evolving—and that they now include AI-powered reconnaissance. OX Security is committed to staying ahead of these threats by:
- Expanding AI tool monitoring
- Enhancing SBOM intelligence
- Partnering with open-source maintainers to validate package integrity
Supply chain security isn’t just about prevention—it’s about visibility, speed, and trust. With OX, you get all three.
Want to see how OX can help you detect and respond to threats like s1ngularity? Request a demo today.


