Over 6,700 Private Repositories Made Public in Nx Supply Chain Attack – Source: www.securityweek.com

Hackers used the secrets stolen in the recent Nx supply chain attack to make public over 6,700 private repositories, cybersecurity firm Wiz says.

As part of the attack, dubbed s1ngularity, a threat actor used an NPM token for the Nx repository to publish eight malicious versions of the popular open source, technology-agnostic build platform.

These malicious Nx iterations contained a post-install script designed to execute a malicious telemetry.js file on Linux and macOS systems, to systematically search the machines for files containing API keys, GitHub tokens, NPM tokens, SSH keys, and cryptocurrency wallet data.

After harvesting files of interest, the malicious code encoded the data, created public GitHub repositories named ‘s1ngularity-repository’ (or variations containing numerical characters), and exfiltrated the data to them.

Now, Wiz says the malware also attempted to exfiltrate potentially sensitive files. The cybersecurity firm identified over 20,000 stolen files, impacting 225 distinct users.

The code also modified users’ shell startup files to crash the systems when new terminal windows were opened, and used AI‑assistant CLIs such as Claude and Gemini to perform reconnaissance and data exfiltration.

Security researchers identified more than 2,300 secrets leaked in such repositories, and Wiz says that more than 1,700 users had secrets leaked as part of the attack.

“Each of those users would have at least a GitHub token in the leaked data, as it was a prerequisite for the repository to be created,” Wiz explains.

The total number of users who downloaded the malicious Nx versions and executed the malware on their systems, however, is likely much higher, the cybersecurity firm says.

After the compromised NPM token was revoked, the malicious Nx packages removed from the repository, and the s1ngularity repositories removed from GitHub, however, the threat actors started a new phase of the attack.

During this second phase, the hackers used compromised secrets to access 480 accounts (including roughly 300 pertaining to organizations) and published over 6,700 private repositories publicly, using the s1ngularity-repository-#5letters# naming scheme.

“In one case, a single organization had over 700 repositories leaked. Wiz identified thousands of valid credentials in these formerly-private repositories. GitHub eventually removed these repositories as well,” Wiz notes.

Next, the threat actors used two compromised user accounts to publish over 500 repositories pertaining to a single organization. These repos had _bak as a name suffix and S1ngularity as the description.

Wiz also notes that, during the first phase of the attack, at least three distinct payloads were injected in the malicious Nx packages, which accounts for the distinct s1ngularity-repository naming variations observed in the attack.

While all three contained code for identifying popular AI CLIs, they used different prompts in their attempt to coerce the AI tools to search for sensitive data. According to Wiz, roughly half of all victims had an AI CLI installed, and AI exfiltrated data in less than 25% of cases.

“We saw under 100 unique valid secrets across 20,000 exfiltrated files. The majority of these secrets were for AI services (Langsmith, Anthropic, OpenAI), and cloud platforms (AWS, Azure, Vercel). We have yet to observe any successful cryptocurrency related exfiltration,” Wiz notes.

The cybersecurity firm also points out that the attackers transitioned the remote exfiltration from webhook.site, which was used to compromise Nx’s npm token, to only stealing data if the gh CLI was present and if a public repository on the victim account could be created.

“We believe that the attacker has optimized for their operational security. Both exfiltration mechanisms significantly limit their exposure, as they do not need to acquire any infrastructure. Webhook.site was useful in the initial compromise, but limits anonymous users to 100 records, requiring the attacker to use an alternative exfiltration mechanism given the large pool of victims,” Wiz notes.

The cybersecurity firm urges the affected users to hunt for indicators of compromise (IoCs), rotate all compromised secrets as soon as possible, and check their GitHub Audit Logs for the org_credential_authorization.deauthorize event, which is tied to GitHub’s mass revocation of compromised credentials.

Wiz also notes that roughly 100 unique NPM tokens (over 40% of the NPM tokens leaked in the first phase of the attack) are still valid. On the other hand, only 5% of the compromised GitHub tokens remain active.

Related: AI Supply Chain Attack Method Demonstrated Against Google, Microsoft Products

Related: Managing the Trust-Risk Equation in AI: Predicting Hallucinations Before They Strike

Related: Watch: How to Build Resilience Against Emerging Cyber Threats

Related: Nuclear Flash Cards: US Secrets Exposed on Learning Apps