Thousands of Developer Credentials Compromised in macOS “s1ngularity” Breach

A supply chain attack known as “s1ngularity” has targeted Nx versions 20.9.0-21.8.0, leading to the theft of thousands of developer credentials. The attack primarily focused on macOS systems and AI tools, as outlined in an analysis by GitGuardian.

On August 26, 2025, a significant cyberattack dubbed the “s1ngularity” was launched against Nx, a widely utilized build platform among software developers. This breach exemplifies a supply chain attack, a methodology where cybercriminals embed malicious code into commonly used software, effectively compromising all users of that platform.

The breach was orchestrated to capture a range of sensitive information, including GitHub tokens, npm authentication keys, and SSH private keys—each serving as vital digital credentials for accessing user accounts and systems. This extensive data theft underscores the vulnerabilities present in software supply chains.

The attackers went further by targeting API keys related to emerging AI services such as Gemini, Claude, and Q, reflecting a troubling trend towards exploiting advanced technologies. In addition to harvesting sensitive information, the malicious software deployed a destructive payload that altered terminal startup files, resulting in crashes during users’ terminal sessions.

According to GitGuardian’s investigation shared with Hackread.com, approximately 85% of the compromised systems operated on macOS, emphasizing the attack’s disproportionate impact on developers who predominantly use Apple devices. Analysis revealed that the attackers managed to create 1,346 repositories on GitHub to store the stolen data.

In an interesting development, many of the targeted AI clients resisted the attackers’ malicious commands, either rejecting them outright or responding in a way that suggested they recognized the requests as illegitimate. This unexpected resilience may hint at an inadvertent layer of security within these emerging technologies.

The Attack Explained (Source: GitGuardian)

The stolen credentials covered a broad spectrum, with GitGuardian’s monitoring platform cataloging 2,349 unique secrets among the repositories discovered, over 1,000 of which were still operational at the time of their findings. Notably, the most frequently compromised credentials were associated with GitHub and popular AI platforms. To evade detection, the attackers double-encoded the stolen data before uploading it, a tactic that helps explain the large gap between the repositories GitGuardian discovered and those that remained publicly visible on GitHub, which worked promptly to remove them.

For users who have utilized affected Nx versions 20.9.0 through 21.8.0, it is imperative to operate under the assumption that their credentials have been compromised. GitGuardian has introduced a complimentary service that enables developers to verify whether their credentials have been exposed without compromising their actual keys.

This incident serves as a critical reminder that mere deletion of compromised files is insufficient; it is essential for affected users to revoke and rotate their secret keys and tokens to thwart any potential further access by malicious actors. In light of this incident, understanding the tactics involved—such as initial access and credential access as characterized by the MITRE ATT&CK framework—can provide valuable insights into strengthening defenses against similar future threats.
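A first triage step for the advice above is to establish whether a machine ever resolved an Nx release in the range the article names, since only then do the rotation and revocation steps apply with certainty. The following is an added example, not GitGuardian’s or Nx’s tooling: it scans an npm `package-lock.json` (lockfile v1 and v2/v3 layouts) for every resolved copy of `nx` and flags those inside the 20.9.0 through 21.8.0 range stated in the article. The sample lockfile and the assumption that the range is inclusive are constructed here; confirm exact affected versions against the vendor advisory before acting.

```python
import json
import re
from typing import Iterator, List, Tuple

# Affected range as stated in the article, treated as inclusive (assumption).
AFFECTED_MIN = (20, 9, 0)
AFFECTED_MAX = (21, 8, 0)
_SEMVER = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)")


def parse_version(version: str) -> Tuple[int, int, int]:
    """Return (major, minor, patch); prerelease and build suffixes are ignored."""
    m = _SEMVER.match(version.strip())
    if not m:
        raise ValueError(f"not a semver string: {version!r}")
    return tuple(int(x) for x in m.groups())  # type: ignore[return-value]


def is_affected(version: str) -> bool:
    return AFFECTED_MIN <= parse_version(version) <= AFFECTED_MAX


def iter_installed_nx(lock: dict) -> Iterator[Tuple[str, str]]:
    """Yield (install path, version) for each resolved copy of nx, any lockfile version."""
    for path, meta in lock.get("packages", {}).items():  # lockfileVersion 2/3
        if path == "node_modules/nx" or path.endswith("/node_modules/nx"):
            yield path, meta.get("version", "")

    def walk(deps: dict, prefix: str) -> Iterator[Tuple[str, str]]:  # lockfileVersion 1
        for name, meta in deps.items():
            path = f"{prefix}node_modules/{name}"
            if name == "nx":
                yield path, meta.get("version", "")
            yield from walk(meta.get("dependencies", {}), path + "/")

    yield from walk(lock.get("dependencies", {}), "")


def find_affected_nx(lock_text: str) -> List[Tuple[str, str]]:
    """Return sorted, de-duplicated (path, version) pairs inside the affected range."""
    hits = set()
    for path, version in iter_installed_nx(json.loads(lock_text)):
        try:
            if is_affected(version):
                hits.add((path, version))
        except ValueError:
            continue  # git URLs or npm: aliases are not comparable; skip them
    return sorted(hits)


# Constructed sample: one direct nx 21.8.0 (affected) and a nested 19.8.4 (not affected).
SAMPLE_LOCK = json.dumps({"lockfileVersion": 3, "packages": {
    "": {"name": "app"},
    "node_modules/nx": {"version": "21.8.0"},
    "node_modules/some-tool/node_modules/nx": {"version": "19.8.4"},
    "node_modules/@nx/devkit": {"version": "21.8.0"}}})

if __name__ == "__main__":
    for path, version in find_affected_nx(SAMPLE_LOCK):
        print(f"AFFECTED: {path} @ {version} -> assume secrets on this host are exposed")
```

A hit means the host should be treated as compromised per the article: revoke and rotate GitHub, npm, SSH and AI-service credentials rather than only deleting files.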
