(github.com)

441 points longcat | 3 comments | 27 Aug 25 01:38 UTC | HN request time: 0.532s | source

1. BobbyTables2 ◴[27 Aug 25 13:57 UTC] No.45039788[source]▶

ELI5, how was the malicious PR approved and merged?

Are they using AI for automated code review too?

2. danr4 ◴[27 Aug 25 14:03 UTC] No.45039871[source]▶

seems like the npm repo got hacked and the compromised version was just uploaded

3. david_allison ◴[27 Aug 25 23:28 UTC] No.45046546[source]▶

The workflows were set up to execute with a read/write `GITHUB_TOKEN` for `nx` when a PR was created/edited (no approval necessary).

See the security warnings on `pull_request_target`

Malicious versions of Nx and some supporting plugins were published