Summary

Malicious versions of the nx package, as well as some supporting plugin packages, were published to npm. They contained code that scans the file system, collects credentials, and posts them to GitHub as a repo under users' accounts.

Affected Versions of nx

21.5.0
20.9.0
20.10.0
21.6.0
20.11.0
21.7.0
21.8.0
20.12.0

These versions have since been removed from npm as of 10:44 PM EDT.

Affected Versions of @nx/devkit, @nx/js, @nx/workspace, @nx/node

Affected Versions of @nx/eslint

These versions have since been removed from npm as of 10:44 PM EDT.

Affected Versions of @nx/key and @nx/enterprise-cloud

These versions have since been removed from npm as of 6:20 AM EDT.

Attack Vector

At this time, we believe an npm token was compromised which had publish rights to the affected packages.

Malicious Behavior

Credentials published as a GitHub repo

The compromised package contained a postinstall script that scanned the user's file system for text files, and collected paths and credentials, when the package was installed. This information was then posted as an encoded string to a GitHub repo under the user's GitHub account.

Modification to $HOME/.zshrc and $HOME/.bashrc

The malicious postinstall script also modified .zshrc and .bashrc, which are run whenever a terminal is launched, to include sudo shutdown -h 0. This prompts users for their system password and, if it is provided, shuts down the machine immediately.

Timeline

All of the following times are in EDT.

August 26, 2025:

6:32 PM - v21.5.0 of nx, @nx/devkit, @nx/js, @nx/workspace, @nx/node and @nx/eslint was published, as well as v3.2.0 of @nx/key and @nx/enterprise-cloud
6:39 PM - v20.9.0 of nx, @nx/devkit, @nx/js, @nx/workspace, @nx/node was published
7:54 PM - v20.10.0 of only nx was published
7:54 PM - v21.6.0 of only nx was published
8:16 PM - v20.11.0 of only nx was published
8:17 PM - v21.7.0 of only nx was published
8:30 PM - A GitHub issue was posted alerting the team of the issue.
8:33 PM - Another GitHub issue was posted whi...
First seen: 2025-08-27 18:23
Last seen: 2025-08-28 07:28
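
A defender-side check for the two indicators this advisory describes (an affected nx version pinned in a lockfile, and the shutdown line in .zshrc or .bashrc), added here as an example and not part of the original advisory or the Nx project's own tooling. It assumes npm's pretty-printed package-lock.json v2/v3 layout; the function names and sample files are constructed for illustration, and only the nx version list given above is checked.

```shell
#!/bin/sh
# Added example: checks for the two indicators described in the advisory.
# Affected nx versions, copied from the advisory text.
AFFECTED_NX="21.5.0 20.9.0 20.10.0 21.6.0 20.11.0 21.7.0 21.8.0 20.12.0"

# Print every version recorded for the nx package in a package-lock.json.
# Assumption: npm's pretty-printed v2/v3 layout, where the "version" key
# follows the "node_modules/nx" (or nested ".../node_modules/nx") entry.
nx_versions_in_lockfile() {
  awk '
    /node_modules\/nx":/ { in_nx = 1; next }
    in_nx && /"version":/ { gsub(/[",]/, ""); print $2; in_nx = 0 }
  ' "$1"
}

# Return 0 (and report) if the lockfile pins an affected nx version.
check_nx_lockfile() {
  hit=1
  for v in $(nx_versions_in_lockfile "$1"); do
    case " $AFFECTED_NX " in
      *" $v "*) echo "AFFECTED: nx@$v in $1"; hit=0 ;;
    esac
  done
  return $hit
}

# Return 0 (and report) if .zshrc or .bashrc under the given home directory
# contains the shutdown line the postinstall script added.
check_rc_files() {
  hit=1
  for rc in "$1/.zshrc" "$1/.bashrc"; do
    [ -f "$rc" ] || continue
    if grep -F 'sudo shutdown -h 0' "$rc" >/dev/null; then
      echo "MODIFIED: $rc"; hit=0
    fi
  done
  return $hit
}

# Constructed sample data (not from a real incident) so the script runs offline.
demo=$(mktemp -d)
printf '{\n  "packages": {\n    "node_modules/nx": {\n      "version": "21.5.0"\n    }\n  }\n}\n' > "$demo/package-lock.json"
printf 'export PATH="$HOME/bin:$PATH"\nsudo shutdown -h 0\n' > "$demo/.zshrc"
check_nx_lockfile "$demo/package-lock.json" || echo "lockfile clean"
check_rc_files "$demo" || echo "rc files clean"
```

To check a real machine, call check_nx_lockfile on each project's package-lock.json and check_rc_files "$HOME" instead of the constructed sample directory.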