A sophisticated supply chain attack, dubbed “s1ngularity,” has resulted in the compromise of 2,180 GitHub accounts and the exposure of secrets from 7,200 repositories1. The attack, which began on August 26, 2025, targeted the popular Nx monorepo management tool, a critical component in modern development workflows with over 5.5 million weekly downloads on the NPM registry1. Investigations into the incident have revealed a multi-phase operation that leveraged AI-powered malware to harvest credentials on an unprecedented scale, marking a significant evolution in automated cyber threats.
The initial compromise was achieved by exploiting a flawed GitHub Actions workflow, specifically the `pull_request_target` event, within the official Nx repository1. This exploit allowed the attackers to execute arbitrary code, which they used to publish a malicious version of the Nx package to the NPM registry. This tainted package contained a post-install script named `telemetry.js`, which served as the primary payload for the subsequent credential harvesting campaign1. The script was designed to target Linux and macOS systems, systematically searching for and exfiltrating GitHub tokens, npm tokens, SSH keys, `.env` files, and cryptocurrency wallets.
The AI Component and Attack Methodology
The defining characteristic of the s1ngularity attack was its use of artificial intelligence to enhance the effectiveness of its credential harvesting. The `telemetry.js` malware was programmed to check for the presence of popular AI command-line tools, including Claude, Q, and Gemini, on the infected developer’s machine1. If found, the malware would use these tools to execute Large Language Model (LLM) prompts designed to locate sensitive files and credentials more efficiently than conventional scripting. The attackers actively refined these prompts throughout the attack campaign, employing techniques like “role-prompting”—instructing the AI to act as a penetration tester—in an attempt to bypass any built-in AI safeguards against malicious use1. All stolen data was uploaded to public GitHub repositories controlled by the attackers, which were aptly named “s1ngularity-repository.”
Phases of the Attack and Escalating Impact
The operation unfolded in three distinct phases, each demonstrating an escalation in both ambition and impact. The first phase, occurring on August 26-27, involved the initial deployment of the backdoored Nx package. This directly impacted approximately 1,700 users, resulting in the leak of over 2,000 unique secrets and 20,000 files from their infected development environments1. The second phase began on August 28-29, where the attackers pivoted from software-based theft to active repository manipulation. Using the stolen GitHub account tokens, they gained access to victim accounts and made 6,700 private repositories public. These repositories were often renamed to include the word ‘s1ngularity,’ compromising an additional 480 accounts, many of which belonged to organizations1. A third, more targeted phase began around August 31, where the attackers focused on a single victim organization, using two compromised accounts to publish 500 more private repositories.
Response and Mitigation Efforts
The response to the incident involved coordinated efforts from GitHub and the Nx maintainers. GitHub’s security team took down the attacker’s repositories used for exfiltration within approximately eight hours of detection, though by this time, a significant amount of data had already been copied1. The Nx team published a detailed root cause analysis, assigned CVE GHSA-cxm3-wv7p-598c, and took several critical steps to secure their project1. These steps included the immediate removal of the malicious packages from NPM, the revocation and rotation of all potentially compromised internal tokens, and the enforcement of two-factor authentication (2FA) for all accounts with publishing rights. Most significantly, the team adopted NPM’s new Trusted Publisher model, which uses OpenID Connect (OIDC) to eliminate the risk associated with long-lived authentication tokens, and implemented a manual approval step for all workflows triggered by pull requests to prevent a recurrence of this specific exploit1.
Ongoing Risks and Strategic Implications
Despite these mitigation efforts, the cybersecurity firm Wiz, which provided a post-incident evaluation, has emphasized that the scope of the incident remains significant1. A large number of the leaked secrets, including API keys, access tokens, and other credentials, were still valid at the time of analysis. This means the full effect of the attack is still unfolding, as attackers potentially retain ongoing access to systems and services. The s1ngularity attack serves as a stark reminder of the systemic risks inherent in modern software supply chains, where a compromise of a widely-used tool can have a cascading effect across thousands of organizations and projects. The innovative use of AI tools to augment malicious automation also sets a concerning precedent for future attacks.
This incident underscores the critical need for robust security practices around CI/CD pipelines and open-source dependencies. Organizations are advised to conduct an immediate audit of any systems that may have installed the Nx package during the attack window, rotate all potentially exposed credentials, and review access logs for suspicious activity. For security professionals, the attack highlights the importance of monitoring for unusual repository permission changes, such as private repositories being suddenly made public, as this can be a key indicator of a compromised account being used for further exploitation.
References
- B. Toulas, “AI-powered malware hit 2,180 GitHub accounts in ‘s1ngularity’ attack,” BleepingComputer, Sep. 6, 2025. [Online]. Available: https://www.bleepingcomputer.com/news/security/ai-powered-malware-hit-2-180-github-accounts-in-s1ngularity-attack/
- @BleepinComputer, “Promotion of the primary article by Bill Toulas,” X (Twitter), Sep. 6, 2025. [Online]. Available: https://x.com/BleepinComputer/status/1964330845906350572
- “Bill Toulas,” BleepingComputer. [Online]. Available: https://www.bleepingcomputer.com/author/bill-toulas/
- “s1ngularity’s aftermath,” Wiz. [Online]. Available: https://www.wiz.io/blog/s1ngularitys-aftermath
- “GHSA-cxm3-wv7p-598c,” GitHub Advisory Database. [Online]. Available: https://github.com/nrwl/nx/security/advisories/GHSA-cxm3-wv7p-598c
