PT-2025-39354

Published 2025-08-27 · Updated 2026-03-17 · CVE-2025-10894
CVSS v3.1 9.6 Critical
AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
Nx versions 20.9.0 through 21.8.0
@nx/devkit versions 20.9.0 through 21.5.0
@nx/js versions 20.9.0 through 21.5.0
@nx/workspace versions 20.9.0 through 21.5.0
@nx/node versions 20.9.0 through 21.5.0
@nx/eslint version 21.5.0
@nx/key version 3.2.0
@nx/enterprise-cloud version 3.2.0
Description
The Nx project and its associated plugins were compromised through a vulnerable GitHub Actions workflow that allowed command injection and the theft of an npm token. The attacker used the token to publish package versions containing malicious code that scans the file system, collects credentials, and posts them to GitHub. The malicious code also attempts to modify the .zshrc and .bashrc files so that they execute a shutdown command. The root cause was a workflow with a bash injection vulnerability that ran with elevated permissions via the pull_request_target trigger; this combination allowed the attacker to obtain the npm token and publish the malicious versions of the packages to the npm registry.
Recommendations
Nx versions 20.9.0 through 21.8.0: uninstall the affected versions and install the latest version.
@nx/devkit versions 20.9.0 through 21.5.0: uninstall the affected versions and install the latest version.
@nx/js versions 20.9.0 through 21.5.0: uninstall the affected versions and install the latest version.
@nx/workspace versions 20.9.0 through 21.5.0: uninstall the affected versions and install the latest version.
@nx/node versions 20.9.0 through 21.5.0: uninstall the affected versions and install the latest version.
@nx/eslint version 21.5.0: uninstall the affected version and install the latest version.
@nx/key version 3.2.0: uninstall the affected version and install the latest version.
@nx/enterprise-cloud version 3.2.0: uninstall the affected version and install the latest version.
Rotate npm tokens.
Rotate GitHub tokens.
Change GitHub credentials.
Check for a file at /tmp/inventory.txt; if it is present, consider the system compromised.
Check the GitHub account for repositories with names containing s1ngularity-repository and remove them.
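The checks above can be scripted. The following is an added example written for this advisory, not tooling from Nx, npm or the advisory's publisher. It encodes the affected version table exactly as the advisory states it (inclusive ranges), scans an npm lockfile for packages in those ranges, and applies the two host checks the advisory names: the /tmp/inventory.txt indicator and a shutdown command written into ~/.zshrc or ~/.bashrc. The lockfile layout (npm lockfileVersion 2/3, a "packages" map keyed by install path) and the embedded sample lockfile are my assumptions and constructions, not data from the advisory.

```python
"""Defender-side triage for the Nx compromise in PT-2025-39354.

Added example, not the advisory's own tooling. The AFFECTED table is the
advisory's list as stated; /tmp/inventory.txt and the shell rc files are the
advisory's indicators. The lockfile layout assumption and SAMPLE_LOCK are
constructed for illustration.
"""
import json
import re
from pathlib import Path

# (lowest affected, highest affected), inclusive, as stated in the advisory.
AFFECTED = {
    "nx": ("20.9.0", "21.8.0"),
    "@nx/devkit": ("20.9.0", "21.5.0"),
    "@nx/js": ("20.9.0", "21.5.0"),
    "@nx/workspace": ("20.9.0", "21.5.0"),
    "@nx/node": ("20.9.0", "21.5.0"),
    "@nx/eslint": ("21.5.0", "21.5.0"),
    "@nx/key": ("3.2.0", "3.2.0"),
    "@nx/enterprise-cloud": ("3.2.0", "3.2.0"),
}


def parse_version(v):
    """Turn '21.5.0' into (21, 5, 0); a pre-release suffix such as '-beta.1' is dropped."""
    core = v.split("-", 1)[0]
    return tuple(int(part) for part in core.split("."))


def is_affected(name, version):
    """True if (name, version) falls inside the advisory's affected range for that package."""
    rng = AFFECTED.get(name)
    if rng is None:
        return False
    low, high = (parse_version(x) for x in rng)
    return low <= parse_version(version) <= high


def scan_lockfile(lock):
    """Return sorted [(name, version)] of affected packages in a lockfile v2/v3 dict.

    Assumed layout: lock["packages"] is keyed by install path, e.g.
    'node_modules/@nx/devkit' or, for a nested install,
    'node_modules/some-tool/node_modules/@nx/key'. The "" key is the root project.
    """
    hits = set()
    for path, meta in lock.get("packages", {}).items():
        if not path:
            continue
        name = path.rsplit("node_modules/", 1)[-1]
        version = meta.get("version", "")
        if version and is_affected(name, version):
            hits.add((name, version))
    return sorted(hits)


def scan_lockfile_path(path):
    """Load a package-lock.json from disk and scan it."""
    with open(path, encoding="utf-8") as fh:
        return scan_lockfile(json.load(fh))


SHUTDOWN_RE = re.compile(r"\bshutdown\b")


def host_indicators(home=Path.home(), inventory="/tmp/inventory.txt"):
    """Host checks from the advisory: the inventory file, and shutdown lines in shell rc files."""
    findings = []
    inventory = Path(inventory)
    if inventory.exists():
        findings.append(f"found {inventory}: treat the system as compromised")
    for rc in (".zshrc", ".bashrc"):
        p = Path(home) / rc
        if p.is_file():
            for n, line in enumerate(p.read_text(errors="replace").splitlines(), 1):
                if SHUTDOWN_RE.search(line):
                    findings.append(f"{p}:{n}: shutdown command in shell rc file")
    return findings


# Constructed sample lockfile fragment (npm lockfileVersion 3 layout).
SAMPLE_LOCK = {
    "name": "example-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "example-app", "version": "1.0.0"},
        "node_modules/nx": {"version": "21.3.0"},
        "node_modules/@nx/devkit": {"version": "21.5.0"},
        "node_modules/@nx/eslint": {"version": "21.4.0"},
        "node_modules/some-tool/node_modules/@nx/key": {"version": "3.2.0"},
        "node_modules/typescript": {"version": "5.4.0"},
    },
}

if __name__ == "__main__":
    for name, version in scan_lockfile(SAMPLE_LOCK):
        print(f"AFFECTED {name}@{version}")
    for finding in host_indicators():
        print(finding)
```

Against the sample lockfile the scan reports nx@21.3.0, @nx/devkit@21.5.0 and the nested @nx/key@3.2.0, while @nx/eslint@21.4.0 is not reported because the advisory lists only 21.5.0 for that package. Point scan_lockfile_path at a real package-lock.json to check a project; a hit or any host finding should trigger the token rotation and GitHub repository check described above.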

Exploit · Fix · RCE

Weakness Enumeration

Related Identifiers

CVE-2025-10894
GHSA-8MJQ-32X3-22QF
GHSA-CXM3-WV7P-598C
MAL-2025-41436
MAL-2025-41437
MAL-2025-41438
MAL-2025-41439
MAL-2025-41440
MAL-2025-41441
MAL-2025-41442
MAL-2025-41443

Affected Products

GitHub
Nx
npm