top of page
Search

The 's1ngularity' Attack: Weaponizing AI CLI Tools and How InvisiRisk Stops It

  • Writer: Pranesh Shrestha
    Pranesh Shrestha
  • Oct 21
  • 6 min read

Date of Attack: August 26, 2025

Impact: Credentials were stolen from over 1,400 build systems affecting over 300 organizations

 

The software supply chain is once again in the spotlight following the compromise of the popular nx build system on the NPM registry. Attackers published trojanized releases of the nx package (a project averaging ~4 million downloads per week). Those malicious builds were engineered to scan build machines for credentials, crypto wallets, and other high-value information. This stolen information was then exfiltrated by creating a new public repository and pushing the data out, cleverly concealed within the normal build process.


The malicious nx package contained a postinstall script that went far beyond normal behavior; it scanned developers’ local file systems for text files, extracted credentials and other sensitive information, and then exfiltrated the data by creating a new public GitHub repository under the victim’s own account. These repos, typically named with “s1ngularity-repository,” have since been archived or removed by GitHub, but any credentials posted there were likely exposed while the repos were public. The script also tampered with startup configuration files like $HOME/.zshrc and $HOME/.bashrc, inserting a sudo shutdown -h 0 command that would trigger an immediate system shutdown if the user entered their password. While the attack could be triggered through a direct npm install, as npm automatically runs any postinstall script that comes bundled inside that package itself. It could also occur indirectly through transitive dependencies, automated scripts, or even AI coding assistants performing dependency installations, making the compromise stealthy, widespread, and deeply integrated into modern development workflows.


In a groundbreaking and alarming twist, the malicious nx package also embedded instructions/prompts for AI coding assistants such as those from Claude and Gemini directly into the attack chain. The result was that these assistants were repurposed by the malware to harvest additional secrets, perform reconnaissance on the compromised environment, and help exfiltrate the stolen data. This marked a first-of-its-kind tactic in supply chain attacks, where trusted AI tools themselves became instruments of the breach.


This incident, dubbed the “s1ngularity” attack, is a stark reminder that even the most trusted development tools can be turned into attack vectors. It highlights a critical security gap that traditional static scanning tools miss. Relying solely on scanning code at rest is no longer enough. Proactive, real-time defense within the CI/CD pipeline is essential. InvisiRiskprovides this crucial layer of security, using robust default policies to identify and block malicious activities like the nx compromise before data is ever exfiltrated.

 

How the 's1ngularity' Attack Works

The attack was dangerously subtle, exploiting the trust developers place in their build tools. It followed a clear, multi-stage process to turn a routine software build into a data heist.

 

  1. Initial Compromise: The attackers published malicious versions of legitimate, widely used nx packages to the public NPM registry. Developers, following standard procedures or guided by AI coding assistants, would unknowingly install these compromised packages as dependencies in their projects.

  2. Malicious Execution: During the build process, the malicious code hidden within the compromised package would execute on the developer's machine or within the CI/CD runner. This code was engineered to be a silent data scavenger.

  3. Data Harvesting: Once active, the script scoured the system for a wide range of sensitive information. This included credentials like API keys and tokens from environment variables, private SSH keys, .env variables, cryptocurrency wallet files, and data from browsers. Even abusing locally installed AI assistant CLIs to help in reconnaissance marking it as one of the first usage of AI tools as an attack vector.

  4. Covert Exfiltration: The stolen data was triple-base64 encoded to obscure its contents and written to a file named results.b64. To expose the secrets, the script would initialize a new local Git repository named "s1ngularity-…,"add the results.b64 file, and make the repository public. This final step, hidden among countless other build commands, allowed the attackers to steal valuable information without raising immediate alarms.


Figure: Rouge Repository “s1ngularity-repository-...” Created.
Figure: Rouge Repository “s1ngularity-repository-...” Created.

How InvisiRisk BAF Protects Your Build Pipeline

Static scanners would not catch this because the malicious action isn't in the committed code; it's executed dynamically. InvisiRisk is designed specifically to defend against these threats.

 

Default Policy Enforcement: Blocking Unauthorized Actions

InvisiRisk Build Application Firewall (BAF) comes with a strong set of default security policies designed to enforce expected behavior during a build. The "Unauthorized PUT" policy would have been a primary line of defense against the nx attack.  


Figure: InvisiRisk BAF blocking unauthorized actions.
Figure: InvisiRisk BAF blocking unauthorized actions.

A typical build process is meant to fetch dependencies and create artifacts; it should almost never need to push code to a repository, especially not a new, unknown one.  

 

  • When the malicious script attempted to PUT the results.b64 file to the "s1ngularity-repository..." repository, BAF's policy would have immediately intervened.  

  • The BAF would recognize this PUT operation as an unauthorized and unexpected action during a build and block it by default.  

 

This single policy stops the exfiltration cold. The attacker's script may run, but the stolen data never leaves the build environment.

 

Cooling Off the Supply Chain: Using Policy-Driven Delays to Thwart Malicious Releases

Software supply chain attacks like the nx “s1ngularity” incident spread quickly because new packages are often downloaded and deployed automatically. When malicious versions are published, they can reach thousands of developers before being detected and removed, often within just 24 to 48 hours. One effective strategy to reduce this risk is to delay the adoption of newly released packages when updates aren’t immediately required. InvisiRisk BAF’s Stability Buffer Period allows you to enforce a safety window before any new package version enters your build pipeline. Using our custom Rego policy framework, you can easily define rules that block or flag NPM packages published within a configurable timeframe (for example, less than two days old). This gives organizations time to validate new releases without slowing down necessary updates. InvisiRisk BAF makes this fully customizable, allowing teams to tune the buffer period per ecosystem or project, combine it with the IR Score for contextual risk evaluation, and continuously adapt their defenses as threat patterns evolve.


Figure: Custom Rego Policy Blocking Recently Released Package.
Figure: Custom Rego Policy Blocking Recently Released Package.

Build Visualization: Seeing the Attack as It Happens

Our Build Visualization feature provides a dynamic, real-time map of all network activity within your build environment. It traces every connection to its source, offering an intuitive graphical view that immediately flags policy violations, vulnerabilities, and other anomalies. This allows your team to gain a deeper understanding of your build's dependency chain and overall security health, enabling you to address threats before they escalate. For instance, the visualization would instantly expose the suspicious outbound API calls to api.github.com.


Figure: Build Visualization.
Figure: Build Visualization.

nx “s1ngularity” Attack: Key Information

Date of Attack:

  • The attack occurred on August 26, 2025. Malicious versions of nx packages were published to npm and remained active for about 8 hours before removal.

  • Scope of Impact:

  • Over 1,400 build systems were compromised, resulting in the theft of credentials (GitHub tokens, npm keys, SSH keys, AI tool credentials).

  • A second wave of attacks used stolen tokens to make 5,000 repositories public, with over 300 organizationsaffected.

  • The breach affected both developer endpoints and CI/CD pipelines, including GitHub Actions and VSCode extensions.

  • Resolution:

  • All malicious nx package versions were removed from npm within hours, so new versions downloaded from npm should be safe to use. However, old malicious nx versions should be removed (rm -rf node_modules && npm cache clean --force).

  • Remove or make the affected exposed repositories private to stop further exposure.

  • Monitor and Review logs for any anomalous behaviors such as suspicious API calls, unexpected endpoints and rouge child processes.

  • Make sure to revoke and rotate secrets from the affected repositories.

  • For further details about this attack, team of nx has released a notification, including a detailed timeline: Malicious versions of Nx and some supporting plugins were published · Advisory · nrwl/nx


Conclusion: Secure Your Builds at Runtime 

The nx 's1ngularity' attack is a powerful reminder that supply chain security requires more than just scanning dependencies. Malicious actors are actively targeting the dynamic, complex environment of the CI/CD pipeline itself. Relying on reactive measures or tools that only look at static code leaves your organization vulnerable to data theft.

 

InvisiRisk provides the proactive, real-time defense needed to secure the modern software development lifecycle. By enforcing granular policies that block unauthorized actions, InvisiRisk ensures that your build pipeline cannot be turned into an exfiltration channel. Don't wait for a compromised dependency to become a data breach.

Comments

Legal

© 2025 by InvisiRisk, Inc.

  • Twitter
  • LinkedIn
bottom of page