CVE-2025-10894
Malicious code was inserted into the Nx (build system) package and several related plugins. The tampered package was published to the npm software registry, via a supply-chain attack. Affected versions contain code that scans the file system, collects credentials, and posts them to GitHub as a repo under user's accounts.
| Software | From | Fixed in |
|---|---|---|
nx
|
21.5.0 | 21.5.0.x |
|
@nx / key
|
3.2.0 | 3.2.0.x |
|
@nx / enterprise-cloud
|
3.2.0 | 3.2.0.x |
|
@nx / devkit
|
21.5.0 | 21.5.0.x |
|
@nx / js
|
21.5.0 | 21.5.0.x |
|
@nx / workspace
|
21.5.0 | 21.5.0.x |
|
@nx / eslint
|
21.5.0 | 21.5.0.x |
|
@nx / node
|
21.5.0 | 21.5.0.x |
|
nx
|
20.9.0 | 20.9.0.x |
|
nx
|
20.10.0 | 20.10.0.x |
|
nx
|
21.6.0 | 21.6.0.x |
|
nx
|
20.11.0 | 20.11.0.x |
|
nx
|
21.7.0 | 21.7.0.x |
|
nx
|
21.8.0 | 21.8.0.x |
|
nx
|
20.12.0 | 20.12.0.x |
|
@nx / node
|
20.9.0 | 20.9.0.x |
|
@nx / devkit
|
20.9.0 | 20.9.0.x |
|
@nx / js
|
20.9.0 | 20.9.0.x |
|
@nx / workspace
|
20.9.0 | 20.9.0.x |
- https://access.redhat.com/security/cve/CVE-2025-10894
- https://access.redhat.com/security/supply-chain-attacks-NPM-packages
- https://bugzilla.redhat.com/show_bug.cgi?id=2396282
- https://github.com/nrwl/nx/commit/3905475cfd0e0ea670e20c6a9eaeb768169dc33d
- https://github.com/nrwl/nx/issues/32522
- https://github.com/nrwl/nx/issues/32523
- https://github.com/nrwl/nx/pull/32458
- https://github.com/nrwl/nx/security/advisories/GHSA-cxm3-wv7p-598c
- https://www.stepsecurity.io/blog/supply-chain-security-alert-popular-nx-build-system-package-compromised-with-data-stealing-malware
- https://www.wiz.io/blog/s1ngularity-supply-chain-attack
- https://x.com/adnanthekhan/status/1958722939534417989
Deep Security Visibility Without the Complexity
SynScan provides clear, real-time security insights so you can monitor your attack surface, spot risks early, and act fast—without extra complexity.
- No setup fees
- 5-min deployment
- Cancel anytime