Critical severity 9.6 · GHSA Advisory · Published Sep 24, 2025 · Updated Apr 15, 2026
CVE-2025-10894
This CVE describes malicious code, not an ordinary vulnerability.
- npm / @nx/devkit — Malicious code in @nx/devkit (npm)
- npm / @nx/enterprise-cloud — Malicious code in @nx/enterprise-cloud (npm)
- npm / @nx/eslint — Malicious code in @nx/eslint (npm)
- npm / @nx/js — Malicious code in @nx/js (npm)
- npm / @nx/key — Malicious code in @nx/key (npm)
- + 22 more affected packages
If you have any of these packages installed, remove and rotate any credentials they could have accessed. See the malware feed for full details.
Description
Malicious code was inserted into the Nx build system package and several related plugins. The tampered packages were published to the npm registry via a supply-chain attack. Affected versions contain code that scans the file system, collects credentials, and posts them to GitHub as a repository under the user's own account.
Affected products
- pkg:npm/%40nx/devkit
- pkg:npm/%40nx/enterprise-cloud
- pkg:npm/%40nx/eslint
- pkg:npm/%40nx/js
- pkg:npm/%40nx/key
- pkg:npm/%40nx/node
- pkg:npm/%40nx/workspace
- pkg:npm/nx
- + 7 more
References
- github.com/advisories/GHSA-cxm3-wv7p-598c (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2025-10894 (ghsa, ADVISORY)
- access.redhat.com/security/cve/CVE-2025-10894 (nvd, WEB)
- access.redhat.com/security/supply-chain-attacks-NPM-packages (nvd, WEB)
- bugzilla.redhat.com/show_bug.cgi (nvd, WEB)
- github.com/nrwl/nx/commit/3905475cfd0e0ea670e20c6a9eaeb768169dc33d (ghsa, WEB)
- github.com/nrwl/nx/issues/32522 (ghsa, WEB)
- github.com/nrwl/nx/issues/32523 (ghsa, WEB)
- github.com/nrwl/nx/pull/32458 (ghsa, WEB)
- github.com/nrwl/nx/security/advisories/GHSA-cxm3-wv7p-598c (nvd, WEB)
- www.stepsecurity.io/blog/supply-chain-security-alert-popular-nx-build-system-package-compromised-with-data-stealing-malware (nvd, WEB)
- www.wiz.io/blog/s1ngularity-supply-chain-attack (nvd, WEB)
- x.com/adnanthekhan/status/1958722939534417989 (ghsa, WEB)