- Description
- Malicious code was inserted into the Nx (build system) package and several related plugins. The tampered package was published to the npm software registry via a supply-chain attack. Affected versions contain code that scans the file system, collects credentials, and posts them to GitHub as a repo under users' accounts.
- Source
- secalert@redhat.com
- NVD status
- Deferred
CVSS 3.1
- Type
- Secondary
- Base score
- 9.6
- Impact score
- 6
- Exploitability score
- 2.8
- Vector string
- CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
- Severity
- CRITICAL
- secalert@redhat.com
- CWE-506
- Hype score
- Not currently trending
Malicious versions of `Nx` have been published, posing a supply chain risk (CVE-2025-10894). Verify dependencies and scan for integrity. #Nx #SupplyChain #InfoSec https://t.co/mb4IQA4prG
@pulsepatchio
17 Mar 2026
🚨 CVE-2025-10894: CRITICAL supply-chain flaw in Nx build system (npm) enables credential theft via malicious code. Urgently audit & update affected versions! 🔒 https://t.co/ajvMSE9dB5 #OffSeq #SupplyChain #npm https://t.co/PIKGdBdHR7
@offseq
25 Sept 2025
CVE-2025-10894 Malicious code was inserted into the Nx (build system) package and several related plugins. The tampered package was published to the npm software registry, via a sup… https://t.co/XnR31RbByd
@CVEnew
24 Sept 2025
[CVE-2025-10894: CRITICAL] Malicious code discovered in Nx build system packages & plugins on npm registry, posing a cyber security threat. Code collects credentials & posts them to GitHub. #cve, CVE-2025-10894, #cybersecurity https://t.co/kdaNw2G6UC https://t.co/Fiob3UWQ14
@CveFindCom
24 Sept 2025