Transcript
It weaponized local AI coding agents on developer machines to do the recon for it. Right now, you're likely thinking, oh no, am I impacted by this? And what should I do? By the end of this, you'll know what to do and have the confidence to take proper action. You'll understand what happened, how it happened, if you're impacted, and what you should do to protect yourself. And by the way, the last thing you should consider is something you might not have expected. So what happened? Between August 26th and 27th, eight malicious Nx and Nx Powerpack package releases were published to npm across two version lines. They were live for roughly 5 hours and 20 minutes before being removed. Now that may not seem like a long time, so to understand the impact of all this, let's get an understanding of what Nx is and what it does. Nx is a popular build system and monorepo tool used widely across JavaScript and TypeScript projects, with millions of weekly downloads, which means incidents like this can have a big blast radius. So this gives us an idea of what happened, but why does it stand out? Well, instead of relying solely on classic data theft, the malware's post-install payload attempted to invoke local AI coding agents, including Anthropic's Claude CLI, Google's Gemini CLI, and Amazon's Q CLI. It did this using unsafe flags for those tools to bypass their guardrails. The end goal of all this was to inventory sensitive files and exfiltrate secrets off-host. As a result, the agents were prompted to recursively scan the file system and write a list of file paths to inventory.txt and a backup file. This is one of the first documented cases of malware coercing AI assistant CLIs for reconnaissance and exfiltration. So how did this payload work? Well, a script named telemetry.js ran on post-install. It set up a prompt to find high-value targets: SSH keys, .env files, wallet artifacts, tokens, and more. Then it tried multiple AI CLIs to produce the inventory file.
From there, the malware attempted to harvest GitHub and npm credentials and upload those results to a public GitHub repository named s1ngularity-repository-<number> (that's "singularity" spelled with a 1, then "repository", then a number). Now you're probably wondering, well, what caused this? What made it possible to happen? It is believed that a compromised npm token with publish rights was used to push the malicious versions out. Arguably, these versions lack provenance, highlighting the importance of adopting and enforcing provenance across open-source supply chains. How it was executed: when developers ran npm install nx, the post-install script executed locally, performed the AI agent recon, and, if possible, stole tokens and created a public repo under the victim's account to upload the loot. But that wasn't everything. It also had a destructive touch to it. As a disruptive side effect, the malware appended sudo shutdown -h 0 to both the .bashrc and .zshrc configuration files, causing new shells to shut down immediately. That leads us to finding out which Nx packages and versions are impacted by this. Well, Nx versions that are impacted are between version 20 and 21, and affected Nx plugins include examples like @nx/devkit, @nx/js, @nx/workspace, @nx/node, @nx/eslint, and a few more. At the time of this recording, all malicious versions have been removed from the npm registry, so they can no longer be installed by users. However, you and your systems may have already installed the affected versions, so keep that in mind. Also, this is still a developing incident, so we at Snyk are tracking it via the advisories you see on screen. So be sure to make note of the ones that you are using that are impacted by this incident. I mentioned earlier there is one area you might not have considered, and that is VS Code extensions. In addition to the packages themselves from Nx, the Nx Console VS Code extension is likely to be impacted, and users have already been reporting suspicions of compromise via this vector.
So what should you do? Well, if you have reason to believe you installed or used any of these affected packages and extensions, do the following now. Check your GitHub account and organizations for repos named s1ngularity-repository-<number> under your account. If you find one of those, act per your product security or information security team's guidance. You'll want to note the contents of the repository as an indicator of the specific data that was impacted before taking further action on that repository. You want to rotate credentials that could be on the host: GitHub tokens, npm tokens, SSH keys, and any API keys you might have in .env files. If the target repo was found in your account or org, start with the credentials you noted in the data of that repository. Next, you want to audit and clean your environment, again following your product security or information security team's guidelines. You'll want to identify Nx usage across projects. Run npm ls nx and check package-lock.json files. If you find your projects affected by this, uninstall that dependency, then install nx@latest to get the unaffected version of the package. Snyk users can use Snyk Open Source and Snyk SBOM to locate and monitor projects org-wide. Last but not least, if AI CLIs are installed on your machines, review shell history for dangerous flags like --dangerously-skip-permissions, --yolo, or --trust-all-tools. That'll give you an indicator of this attack being exploited on your machine. Speaking of indicators, some other indicators you can look out for on your file system are that inventory.txt file or a .bak file. In addition to that, your shell configuration files having sudo shutdown -h 0 tacked onto them. You can also look out for those new repositories being created under your accounts. And last but not least, you can check for API calls to api.github.com during npm install, or gh auth token CLI invocations being run by that telemetry.js file. So why is this so significant?
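A host sweep for the file-system indicators listed above, as an added example that is not part of the Snyk video. It scans one home directory passed as an argument; the exact file names and their location under that directory are assumptions, so confirm them against the Snyk advisories before relying on the script in an investigation.

```shell
#!/usr/bin/env bash
# Added example (not from the Snyk video): sweep one home directory for the
# host indicators the transcript lists for the Nx "s1ngularity" payload.
# File names and locations under $1 are assumptions, not confirmed paths.

# Prints the number of indicators found; details are written to stderr.
scan_nx_iocs() {
  local home="$1" findings=0 rc hist f
  # 1. Destructive line appended to shell configs (new shells shut the host down).
  for rc in "$home/.bashrc" "$home/.zshrc"; do
    if [ -f "$rc" ] && grep -Eq 'sudo[[:space:]]+shutdown[[:space:]]+-h[[:space:]]*0' "$rc"; then
      echo "IOC: shutdown command in $rc" >&2; findings=$((findings + 1))
    fi
  done
  # 2. Guardrail-bypass flags of the Claude, Gemini and Amazon Q CLIs in shell history.
  for hist in "$home/.bash_history" "$home/.zsh_history"; do
    if [ -f "$hist" ] && grep -Eq -- '--dangerously-skip-permissions|--yolo|--trust-all-tools' "$hist"; then
      echo "IOC: unsafe AI-CLI flag in $hist" >&2; findings=$((findings + 1))
    fi
  done
  # 3. Recon output the coerced agent was told to write (location is an assumption).
  for f in "$home/inventory.txt" "$home/inventory.txt.bak"; do
    if [ -f "$f" ]; then
      echo "IOC: recon artifact $f" >&2; findings=$((findings + 1))
    fi
  done
  echo "$findings"
}

# Constructed sample home directory that reproduces three of the indicators (demo data only).
make_demo_home() {
  local dir; dir="$(mktemp -d)"
  printf 'export PATH=$PATH:$HOME/bin\nsudo shutdown -h 0\n' > "$dir/.zshrc"
  printf 'git status\nclaude --dangerously-skip-permissions\n' > "$dir/.bash_history"
  printf '/home/dev/.ssh/id_rsa\n/home/dev/project/.env\n' > "$dir/inventory.txt"
  echo "$dir"
}

# Stand-alone run: the constructed directory should report 3 indicators.
demo="$(make_demo_home)"
echo "indicators found: $(scan_nx_iocs "$demo")"
rm -rf "$demo"
```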
Well, this attack shows how helpful local AI agents can be for malicious actors. They're coerced into automated recon tools, given the level of privilege and permissions they're granted. It's a sharp escalation in open-source supply chain attacks and one of the first publicly documented instances of AI assistant CLIs being used this way. As a reminder, if you use Nx, double-check your versions, rotate sensitive credentials, and hunt for that s1ngularity repository footprint right now. Full details and advisories, along with updates as this incident evolves, can be found in the Snyk post linked below. That does it for this video. If you got value out of it, be sure to like it down below and share it with somebody who could put it to use. And if you made it this far, subscribe to the channel so you don't miss out on upcoming videos. Thanks for watching, and happy, safe coding, everyone.