←back to thread

Nx compromised: malware uses Claude code CLI to explore the filesystem

(semgrep.dev)

493 points neuroo | 2 comments | 27 Aug 25 12:18 UTC | HN request time: 0.412s | source

https://github.com/nrwl/nx/security/advisories/GHSA-cxm3-wv7...

https://www.stepsecurity.io/blog/supply-chain-security-alert...

1. sippeangelo ◴[27 Aug 25 12:59 UTC] No.45039043[source]▶

>>45038653 (OP) #

This Semgrep post describes a very different prompt from what Nx reported themselves, which suggests the attacker was "live-editing" their payload over multiple releases and intended to go further.

Still, why does the payload only upload the paths to files without their actual contents?

Why would they not have the full attack ready before publishing it? Was it really just meant as a data gathering operation, a proof of concept, or are they just a bit stupid?

https://github.com/nrwl/nx/security/advisories/GHSA-cxm3-wv7...

replies(1): >>45040619 #

2. Roukanken ◴[27 Aug 25 14:58 UTC] No.45040619[source]▶

>>45039043 (TP) #

This feels more like someone wanted to just kick the hornet's nest, and specifically used AI to get both traction for the discussion to latch on and get the topic focused on it.

Especially: given the .bashrc editing to cause shutdown. This thing is obviously trying to be as loud as possible, without being overly destructive.