This supply chain attack combines credential theft, environmental sabotage, and novel attack vectors, offering a glimpse into future threats. The malicious Nx packages systematically scanned infected systems for valuable credentials, including GitHub tokens, npm authentication keys, SSH private keys, environment variable API keys, and cryptocurrency wallet files. The scanning routines searched common file locations and environment variables, demonstrating a comprehensive approach to credential harvesting to facilitate lateral movement.
Once harvested, stolen credentials underwent a double-base64 encoding process before exfiltration to public GitHub repositories following a distinctive "s1ngularity-repository" naming pattern, each containing a single "results.b64" file with the encoded data. This encoding choice suggests an attempt to evade basic detection mechanisms while maintaining data integrity during the GitHub-based exfiltration process.
According to external research, the attackers also implemented destructive payloads that modified users' shell startup files (~/.bashrc and ~/.zshrc) with shutdown commands, creating systems that would crash when new terminal sessions were opened.
One particularly novel element was the attempt to leverage LLM (Large Language Model) clients as vectors for enumerating secrets on victims' machines. The attackers specifically targeted configuration files and authentication tokens related to popular AI CLI tools like Claude, Gemini, and Q, recognizing that these tools often require elevated permissions and access to sensitive development environments.
UPDATE: August 28, 2025
Our continued analysis of the Nx "s1ngularity" attack has revealed several details about both the attack methodology and victim demographics.
LLM Tool Prevalence
Of the compromised systems, 33% had at least one LLM client installed, confirming the attackers' prescient focus on AI development tools. This represents a significant adoption rate that validates the attackers' strategy of targeting this emerging attack surface.
LLM Compliance Resistance
of the 366 systems where LLM tools were targeted, only 95 actually wrote the requested /tmp/inventory.txt file. Our analysis suggests that many LLM clients refused to comply with the malicious requests, with some explicitly stating they wouldn't execute commands that appeared to be credential harvesting attempts. This unexpected defensive behavior from AI tools may represent an unintentional but valuable security control in the modern development stack.
85% of infected systems were running macOS
Analysis of the exfiltrated data reveals that 85% of infected systems were running macOS, highlighting the attack's particular impact on the developer community where Apple's platform dominates. This concentration suggests either targeted selection of the developer ecosystem or simply reflects the natural distribution of Nx users.
GitGuardian's Public Monitoring: What We Found
While most "s1ngularity-repository" exfiltration repos were rapidly deleted by GitHub, GitGuardian's monitoring infrastructure provides unique visibility into these ephemeral artifacts. Because GitGuardian sees everything that happens on GitHubâincluding deleted files, and repositoriesâwe were able to analyze the actual exfiltrated data, assess which secrets were exposed, and validate their status.
At the time of writing, our platform lists 1,346 repositories whose names contain the string âs1ngularity-repositoryâ. GitHub, meanwhile, lists only about ten repositories. This indicates two interesting things: the repositories are being deleted, and developers are continuing to use the vulnerable package.
Out of these repositories, we detected that 1,079 of them contain at least a secret leaked between August 27, 2025 at 00:32:48 and August 27, 2025 at 15:36:57.
In total, this represents 2,349 distinct secrets. The most common types of credentials we found correspond to GitHub, NPM, AWS, and OpenAI. They all appear to be related to nx's orchestration capabilities.
Half of these secrets were valid at the time of writing. The most numerous are GitHub OAuth App Keys. This result, surprising at first glance, is in fact linked to the functioning of nx, for which a GitHub application exists and facilitates interactions between NX Cloud and GitHub.
The fact that these secrets are still valid raises interesting questions on both the offensive and defensive sides.
First of all, it must be noted that exfiltration on GitHub is effective. At the height of the wave, nearly 1,400 repositories were publicly accessible via GitHub. It's a safe bet that the attacker retrieved them all in time before they were deleted, not to mention opportunistic attackers who took an interest in this leak. Our initial investigations indicate that they are now in a position to attack large companies whose infrastructure secrets, such as Artifactory, are at their mercy.
On the defensive side, we can only note the obvious delay in revoking the leaked secrets. While most of these secrets are no longer publicly accessible, they remain valid. It is highly likely that developers are unaware of the leaked secrets and have therefore not revoked them. Although we know the names of the repositories that leaked secrets, it is likely that they will never be revoked or rotated. To go beyond this analysis, our teams are mobilized to attribute these secrets to companies in order to make responsible disclosure.
From s1ngularity to Reality
A critical challenge emerges when developers discover exposed secrets, they often delete the files or commits containing the credentials but fail to revoke the actual secrets.
The Nx case is interesting because it shows unequivocally that simply deleting data is not enough. It is necessary to revoke the associated secrets. For a company, this means that it must now be able to inventory its secrets across all systems, automate rotation workflows at scale, and maintain comprehensive visibility into where credentials are usedânot just where they're stored.
The ability to rapidly detect exposure, validate impact, and execute coordinated revocation across thousands of non-human identities has become the new baseline for resilient software delivery in an era where supply chain attacks can weaponize leaked credentials within hours of discovery.
