NX Build Tool Compromised by Malware That Abuses Claude and Gemini CLIs to Steal Wallets and Sensitive Data


Malicious Software Compromises GitHub Accounts of 1,400 Developers

More than 1,400 developers were hit by a malicious post-install script embedded in compromised releases of the widely used NX build tool. The script quietly created a repository named s1ngularity-repository in each victim's GitHub account.

That repository holds a base64-encoded dump of data taken from the developer's filesystem: wallet files, API keys, .npmrc credentials, environment variables and other secrets.

Key Takeaways
1. Malicious NX releases steal credentials and publish them to repositories created in the victim's own GitHub account.
2. If a Claude Code or Gemini CLI is installed, the malware uses it to locate sensitive files for exfiltration.
3. Immediate actions: delete the rogue repositories, move to a clean NX version, and rotate every exposed credential.

AI-Driven Data Exfiltration Mechanism

Semgrep's analysis shows the attackers abused the NX post-install hook: a file named telemetry.js runs malicious code as soon as the package finishes installing.

The malware first collects environment variables and tries to obtain a GitHub authentication token through the GitHub CLI. With a valid token it creates a public repository, typically named s1ngularity-repository-0, and commits the stolen data to a file named results.b64.

What sets this campaign apart is its use of the Claude Code CLI or Gemini CLI. If either is installed, the malware feeds it a crafted prompt that instructs the assistant to scan the filesystem for the kinds of files listed above and report what it finds:

Offloading the file enumeration to an LLM means the malicious package itself carries little of the scanning logic that signature-based detection would normally key on.
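The post-install hook is the one part of this chain that is visible in the package itself before it ever runs. The following is an added example, not code from the article or from the nx project: it enumerates every preinstall, install or postinstall script under a node_modules tree. The sample tree it builds is constructed for illustration; the package names, versions and the `telemetry.js` script line in it are assumptions, not copied from the real compromised package.json.

```shell
#!/bin/sh
# Added example (not from the article or the nx project): list npm lifecycle
# scripts under a node_modules tree so that a package carrying a postinstall
# hook is visible before, or immediately after, "npm install" has run it.
# Assumptions: lifecycle keys sit on their own line in package.json, and
# packages live at node_modules/<name> or node_modules/@scope/<name>.

# Print "<package.json>:<line>:<script entry>" for every package that
# declares a preinstall, install or postinstall script.
list_install_scripts() {
  find "${1:-node_modules}" -mindepth 2 -maxdepth 3 -name package.json -exec \
    grep -HnE '^[[:space:]]*"(preinstall|install|postinstall)"[[:space:]]*:' {} + | sort
}

# Constructed sample tree: an unscoped package with a postinstall hook, a
# scoped one with a preinstall hook, and one with no lifecycle scripts.
# The "telemetry.js" line mirrors the hook the article describes but is
# written here for illustration, not taken from the real package.
make_sample_tree() {
  sample=$(mktemp -d)
  mkdir -p "$sample/node_modules/nx" "$sample/node_modules/@example/hooked" "$sample/node_modules/left-pad"
  cat > "$sample/node_modules/nx/package.json" <<'EOF'
{
  "name": "nx",
  "version": "21.5.0",
  "scripts": {
    "postinstall": "node ./telemetry.js"
  }
}
EOF
  cat > "$sample/node_modules/@example/hooked/package.json" <<'EOF'
{
  "name": "@example/hooked",
  "version": "1.0.0",
  "scripts": {
    "build": "tsc",
    "preinstall": "node ./scripts/check.js"
  }
}
EOF
  cat > "$sample/node_modules/left-pad/package.json" <<'EOF'
{
  "name": "left-pad",
  "version": "1.3.0"
}
EOF
  printf '%s\n' "$sample"
}

# Demo run against the constructed tree; only the two hooked packages print.
tree=$(make_sample_tree)
list_install_scripts "$tree/node_modules"
rm -rf "$tree"
```

To get the review in before any hook fires, install with scripts disabled (`npm install --ignore-scripts`, or `ignore-scripts=true` in .npmrc), run the enumeration over the resulting node_modules, and only then execute the scripts you have read with `npm rebuild`.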

Impacted NX Versions and Proposed Mitigations

  • @nx/devkit 21.5.0, 20.9.0
  • @nx/enterprise-cloud 3.2.0
  • @nx/eslint 21.5.0
  • @nx/key 3.2.0
  • @nx/node 21.5.0, 20.9.0
  • @nx/workspace 21.5.0, 20.9.0
  • nx 20.9.0–20.12.0, 21.5.0–21.8.0

Anyone who installed any of these versions should act immediately:

  • Check your GitHub account for repositories you did not create.
  • Delete any s1ngularity-repository* repositories you find.
  • Upgrade to a clean NX release such as 21.4.1; the compromised versions have been removed from npm.
  • Rotate every secret that could have been exposed: GitHub tokens, npm credentials, SSH keys and anything held in environment variables.
  • Remove the shutdown command the malware appends to shell startup files (e.g., ~/.bashrc, ~/.zshrc).
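The checklist above can be scripted. What follows is an added example, not code from the article or the nx project: it compares installed package versions against the advisory's list, looks for the injected shutdown line in shell startup files and strips it (keeping a backup), and lists s1ngularity-repository* repositories through the GitHub CLI. The startup-file pattern (`shutdown -h now`) and the node_modules layout are assumptions; the article only says a shutdown command is appended.

```shell
#!/bin/sh
# Added example (not from the article or the nx project): compromise-
# assessment helpers for the NX s1ngularity incident. Assumptions not
# stated in the article: the line the malware appended to shell startup
# files contains "shutdown -h now", and packages sit at
# node_modules/<name> or node_modules/@scope/<name>.

# 1. Installed version against the advisory's affected list.
is_affected_nx_version() {
  case "$1" in
    nx)
      case "$2" in
        20.9.0|20.10.0|20.11.0|20.12.0|21.5.0|21.6.0|21.7.0|21.8.0) return 0 ;;
      esac ;;
    @nx/devkit|@nx/node|@nx/workspace)
      case "$2" in 20.9.0|21.5.0) return 0 ;; esac ;;
    @nx/eslint)
      [ "$2" = 21.5.0 ] && return 0 ;;
    @nx/enterprise-cloud|@nx/key)
      [ "$2" = 3.2.0 ] && return 0 ;;
  esac
  return 1
}

# Version string from node_modules/<pkg>/package.json; fails if not installed.
installed_version() {
  pj="$1/$2/package.json"
  [ -f "$pj" ] || return 1
  sed -n 's/^[[:space:]]*"version"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' "$pj" | head -n 1
}

# Print an AFFECTED line for each compromised package under a node_modules
# directory; returns 0 only when nothing affected is installed.
scan_node_modules() {
  rc=0
  for pkg in nx @nx/devkit @nx/enterprise-cloud @nx/eslint @nx/key @nx/node @nx/workspace; do
    ver=$(installed_version "$1" "$pkg") || continue
    if is_affected_nx_version "$pkg" "$ver"; then
      printf 'AFFECTED %s@%s\n' "$pkg" "$ver"
      rc=1
    fi
  done
  return $rc
}

# 2. Shell startup files. Pattern is an assumption; review <file>.bak
#    against the cleaned file before trusting the result.
SHUTDOWN_PATTERN='shutdown[[:space:]]+-h[[:space:]]+now'

startup_file_tampered() {
  [ -f "$1" ] && grep -qE "$SHUTDOWN_PATTERN" "$1"
}

# Strip matching lines, keeping the original as <file>.bak for forensics.
# grep -v exits 1 when nothing is left to print; that is not an error here.
clean_startup_file() {
  cp "$1" "$1.bak" || return 1
  grep -vE "$SHUTDOWN_PATTERN" "$1.bak" > "$1" || [ $? -eq 1 ]
}

# 3. Repositories the malware created (needs gh logged in and network).
list_suspect_repos() {
  gh repo list --limit 500 --json name --jq '.[].name' | grep '^s1ngularity-repository' || true
}

# Run the checks against this machine.
for f in "$HOME/.bashrc" "$HOME/.zshrc"; do
  if startup_file_tampered "$f"; then printf 'TAMPERED %s\n' "$f"; fi
done
if [ -d node_modules ]; then scan_node_modules node_modules || true; fi
if command -v gh >/dev/null 2>&1; then list_suspect_repos; fi
```

Run `clean_startup_file` only after you have looked at the match, and treat a TAMPERED hit as confirmation that the rest of the checklist (repository deletion and credential rotation) applies to that machine, since the startup-file edit and the exfiltration came from the same script.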

As the situation develops, organizations should monitor for unexpected repository creation in their GitHub accounts and audit the post-install scripts of the packages they install as a standing control.


Source link: Cybersecuritynews.com.


Reported By

RS Web Solutions
