Nx and React Package Breaches Reveal Growing Risks in Enterprise Dev Pipelines

A major npm supply chain attack has targeted the widely used Nx build system, exposing thousands of enterprise developer credentials and highlighting the increasing sophistication of attacks on open-source ecosystems. According to security firm Wiz, attackers leveraged artificial intelligence tools to automate and amplify data theft across enterprise development environments, making the breach especially concerning for organizations relying on Nx for build automation.
The attack began on August 26, 2025, when malicious versions of Nx packages were published to the npm registry. These compromised packages included post-installation scripts engineered to harvest sensitive assets from infected systems, including cryptocurrency wallets, GitHub and npm tokens, SSH keys, and environment variables. By embedding these scripts in otherwise legitimate packages, the threat actors could reach thousands of developers with minimal detection.
Researchers at Wiz noted that the malware leveraged installed AI CLI tools by prompting them with dangerous flags to access filesystem contents, effectively turning trusted developer tools into vectors for reconnaissance and exfiltration. While AI provider safeguards sometimes interrupted these operations, the attack succeeded in hundreds of cases, demonstrating the potential of combining AI automation with supply chain compromise.
The Nx compromise coincided with another npm supply chain discovery: JFrog revealed eight malicious packages, including react-sxt, react-typex, and react-native-control, containing multi-layer obfuscated code with over 70 layers of concealment. According to JFrog researcher Guy Korolevski, attackers are increasingly using techniques like typosquatting and masquerading to impersonate legitimate packages, turning open-source repositories into high-value targets for enterprise-focused attacks. Organizations are urged to audit their npm dependencies and enhance monitoring to mitigate further risks.
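
One way to start the dependency audit urged above, as an added example that is not code from Wiz, JFrog or the Nx project: it reads a `package-lock.json` (lockfileVersion 2 or 3) and lists every dependency that declares an install-time script or matches one of the three package names given in the article. The sample lockfile, its placeholder versions and the function names are constructed for illustration.

```javascript
// Names flagged by JFrog as listed in the article (it names only three of the eight).
const NAMED_IN_ARTICLE = new Set(["react-sxt", "react-typex", "react-native-control"]);

// Constructed sample lockfile (lockfileVersion 3 layout); versions are placeholders.
const SAMPLE_LOCK = JSON.stringify({
  name: "example-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "example-app", version: "1.0.0" },
    "node_modules/nx": { version: "0.0.0-placeholder", hasInstallScript: true },
    "node_modules/example-lib": { version: "0.0.0-placeholder" },
    "node_modules/react-typex": { version: "0.0.0-placeholder" },
    "node_modules/@scope/ui/node_modules/react-sxt": {
      version: "0.0.0-placeholder", hasInstallScript: true
    }
  }
});

// The package name is whatever follows the last "node_modules/" in the lockfile key.
function nameFromPath(path) {
  const marker = "node_modules/";
  const i = path.lastIndexOf(marker);
  return i === -1 ? path : path.slice(i + marker.length);
}

function auditLockfile(lockText, flaggedNames = NAMED_IN_ARTICLE) {
  const lock = JSON.parse(lockText);
  if (!lock.packages) {
    throw new Error("no 'packages' map: lockfileVersion 2 or 3 is required");
  }
  const findings = [];
  for (const [path, meta] of Object.entries(lock.packages)) {
    if (path === "") continue; // root project entry, not a dependency
    const name = meta.name || nameFromPath(path);
    const reasons = [];
    if (flaggedNames.has(name)) reasons.push("named-in-advisory");
    // npm records this flag for packages with preinstall/install/postinstall scripts.
    if (meta.hasInstallScript === true) reasons.push("install-script");
    if (reasons.length > 0) findings.push({ path, name, version: meta.version, reasons });
  }
  // Advisory matches first, then install-script-only entries for manual review.
  const isNamed = (f) => f.reasons.includes("named-in-advisory");
  return findings.sort((a, b) => isNamed(b) - isNamed(a));
}

console.log(auditLockfile(SAMPLE_LOCK));
```

An `install-script` finding on its own is a review item, not an indicator of compromise, since many legitimate packages ship install scripts. Installing with npm's `--ignore-scripts` option keeps lifecycle scripts from running while the list is reviewed.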

