CVE-2025-10894
Nx: nx/devkit: malicious versions of nx and plugins published to npm
Malicious code was inserted into the Nx (build system) package and several related plugins. The tampered packages were published to the npm software registry via a supply-chain attack. Affected versions contain code that scans the file system, collects credentials, and posts them to GitHub as a repository under the user's account.
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Affected products
nx
nx/devkit
nx/enterprise-cloud
nx/eslint
nx/js
nx/key
nx/node
nx/workspace
Red Hat · Multicluster Global Hub
Red Hat · OpenShift Serverless
Red Hat · Red Hat Advanced Cluster Management for Kubernetes 2
Red Hat · Red Hat Ansible Automation Platform 2
References
https://access.redhat.com/security/cve/CVE-2025-10894
https://access.redhat.com/security/supply-chain-attacks-NPM-packages
https://bugzilla.redhat.com/show_bug.cgi?id=2396282
https://github.com/nrwl/nx/security/advisories/GHSA-cxm3-wv7p-598c
https://www.stepsecurity.io/blog/supply-chain-security-alert-popular-nx-build-system-package-compromised-with-data-stealing-malware
https://www.wiz.io/blog/s1ngularity-supply-chain-attack