Nx compromised: malware uses Claude code CLI to explore the filesystem

Summary

At least 1.4k people are learning today that they have a new repository prefixed by s1ngularity-repository in their GitHub account. This repository was created by a malicious post-install command discovered in the popular nx build kit. That malware steals wallets and API keys (`.npmrc`, env variables, etc.) and pushes them in that repository in the results.b64 file. Interestingly, the malware checks for the presence of Claude Code CLI or Gemini CLI on the system to offload much of the fingerprintable code to a prompt.Ongoing Security Alert: Investigation and remediation continues as new information becomes available. Check back for updates. Last updated 2025-08-27 12:00 UTCTL;DR What You Should Do NowAre you impacted?Check your Github organization for evidence of compromise: https://github.com/search?q=org%3A%3CYOURORG%3E+s1ngularity-repository&type=repositories ; check regularly.Are you using a compromised version of nx?Run semgrep --config r/oqUk5lJ/semgrep.ssc-mal-resp-2025-08-nx-build-compromised to find if any of your packages are using a vulnerable version of nx.Alternatively, you can run nx –version or check your lockfile to see if you are running one of the impacted versions of nx: 21.5.0 - v21.8.0v20.6.0 – v20.12.0These have been removed from npm already.What to do?Log into your GitHub account and check to see if a repository with a name starting with s1ngularity-repository exists. Update nx to the latest safe versions 21.4.1 (the impacted versions have already been removed from npm).Copy then delete the repository from your GitHub account.Now, you need to rotate the secrets that were part of the dump.a) Unfortunately, the dump is very wide, from crypto wallets to API keys.b) Rotate tokens/credentials for github, npm, and any ssh keys or env variables you may have had leaked.Look in the shell files (bashrc, etc.) for the shutdown directive and remove it.What Is NXNx is a popular build system that is designed to handle large codebases by managing multiple pr...