Malicious code was inserted into the Nx (build system) package and several related plugins. The tampered packages were published to the npm software registry in a supply-chain attack. Affected versions contain code that scans the file system, collects credentials, and posts them to GitHub as a repository under the users' accounts.

| Package (Ecosystem) | Introduced | Fixed | Limit |
|---|---|---|---|
| nx (npm) | N/A | N/A | N/A |
| @nx/key (npm) | N/A | N/A | N/A |
| @nx/enterprise-cloud (npm) | N/A | N/A | N/A |
| @nx/devkit (npm) | N/A | N/A | N/A |
| @nx/js (npm) | N/A | N/A | N/A |
| @nx/workspace (npm) | N/A | N/A | N/A |
| @nx/eslint (npm) | N/A | N/A | N/A |
| @nx/node (npm) | N/A | N/A | N/A |
CVSS Metrics