Supply Chain Security: The S1ngularity/nx Attack & How to Protect Your Studio
by Edo, Senior Developer & Security Lead
The S1ngularity/nx Attack: What Happened
In mid-September 2025, the npm ecosystem was hit by a new large-scale supply chain attack from a threat actor known as S1ngularity, building on tactics seen in the earlier Nx attack (August 27, 2025). What initially involved ~40 compromised packages escalated, and to date ~147 additional packages have been found infected, including ones tied to major vendors like CrowdStrike.
This attack marks a clear evolution: the malware now behaves like a worm, automatically propagating through compromised maintainers.
How the Worm Works
- Harvesting secrets: scans environment variables (
process.env), uses TruffleHog, queries cloud metadata endpoints (AWS / GCP). - Exfiltration (method 1): creates a GitHub repository called Shai-Hulud under compromised accounts, commits JSON dumps of system info, secrets, etc.
- Exfiltration (method 2): drops a GitHub Actions workflow (
.github/workflows/shai-hulud-workflow.yml) that serializes all secrets (toJSON(secrets)), sends them to awebhook[.]site, and writes a double-base64 copy in the Actions logs. - Propagation: uses any valid npm tokens found to re-publish the malicious payload in other npm packages the maintainer controls.
- Amplification: turns private repositories public, iterates across all repos the user has access to, adds workflows/branches to trigger further leaks.
- Technical infection mechanism:
- Downloads the target package’s tarball.
- Modifies
package.jsonto bump the patch version and insert apostinstalllifecycle hook. - Embeds its payload as
bundle.jsinside the tarball. - Publishes the altered package using the maintainer’s credentials.
Packages Affected
Here’s the complete list of npm packages + versions confirmed compromised in the S1ngularity/nx campaign. If your project depends on any of these (at those versions), treat them as high-risk.
| Package Name | Compromised Version(s) |
|---|---|
@ahmedhfarag/ngx-perfect-scrollbar | 20.0.20 |
@ahmedhfarag/ngx-virtual-scroller | 4.0.4 |
@art-ws/common | 2.0.28 |
@art-ws/config-eslint | 2.0.4, 2.0.5 |
@art-ws/config-ts | 2.0.7, 2.0.8 |
@art-ws/db-context | 2.0.24 |
@art-ws/di | 2.0.28, 2.0.32 |
@art-ws/di-node | 2.0.13 |
@art-ws/eslint | 1.0.5, 1.0.6 |
@art-ws/fastify-http-server | 2.0.24, 2.0.27 |
@art-ws/http-server | 2.0.21, 2.0.25 |
@art-ws/openapi | 0.1.9, 0.1.12 |
@art-ws/package-base | 1.0.5, 1.0.6 |
@art-ws/prettier | 1.0.5, 1.0.6 |
@art-ws/slf | 2.0.15, 2.0.22 |
@art-ws/ssl-info | 1.0.9, 1.0.10 |
@art-ws/web-app | 1.0.3, 1.0.4 |
@crowdstrike/commitlint | 8.1.1, 8.1.2 |
@crowdstrike/falcon-shoelace | 0.4.1, 0.4.2 |
@crowdstrike/foundry-js | 0.19.1, 0.19.2 |
@crowdstrike/glide-core | 0.34.2, 0.34.3 |
@crowdstrike/logscale-dashboard | 1.205.1, 1.205.2 |
@crowdstrike/logscale-file-editor | 1.205.1, 1.205.2 |
@crowdstrike/logscale-parser-edit | 1.205.1, 1.205.2 |
@crowdstrike/logscale-search | 1.205.1, 1.205.2 |
@crowdstrike/tailwind-toucan-base | 5.0.1, 5.0.2 |
⚠️ Note: This list is what has been confirmed so far. There may be more compromised packages not yet detected. Always cross-check your dependencies proactively.
Immediate Steps for Development Teams
If your projects use npm packages, here’s what to do right now:
- Clean your npm cache.
- Reinstall all dependencies from scratch.
- Ensure lock files (
package-lock.json,yarn.lock,pnpm-lock.yaml) are committed to version control and used. - Pin exact dependency versions (avoid loose semver ranges) especially for any dependency from maintainers you don’t fully control.
- Audit and revoke unnecessary npm tokens.
Building Long-Term Resilience
To protect against attacks like this going forward, studios should:
- Maintain a dependency inventory and schedule regular audits.
- Use automated scanning tools that can flag suspicious lifecycle hooks (e.g.
postinstall), version bumps, and unexpected workflows. - Monitor GitHub and other repo services for added workflows, new branches, or repositories made public unexpectedly.
- Limit scope of credentials/tokens, rotate them, and monitor usage.
- Use secure environments (e.g. containerized dev), enforce security gates in CI/CD, and possibly use tools that validate packages before they’re installed (e.g. verifying signatures or using threat-intel-backed wrappers).
Conclusion
The S1ngularity/nx incident demonstrates that supply chain threats have evolved: malicious actors are now building worms that spread automatically through abuse of package maintainers’ privileges.
For your studio, dependency security must be treated as core infrastructure, not an afterthought. Audit, lock, monitor, secure credentials — these are essential.