The "s1ngularity" attack represents a sophisticated cyber-security breach that compromised over 2,000 GitHub accounts and 7,200 repositories, highlighting an emerging threat where AI-powered malware exploits vulnerabilities in open-source software supply chains. This incident, impacting the widely used Nx build system, demonstrates a new level of automation in credential theft and underscores the critical need for enhanced security measures in the AI development landscape.

What Was the "s1ngularity" Attack?

The "s1ngularity" attack was a sophisticated supply chain cyberattack that exploited a vulnerability in the GitHub Actions workflows of Nx, a popular open-source build system, to deploy AI-powered malware. The attack, identified in late August 2025, ultimately compromised thousands of GitHub accounts and repositories, leading to the public exposure of sensitive credentials and code.[1][2][3]

How the Attack Unfolded and Spread

The attackers initiated the "s1ngularity" incident by exploiting a critical vulnerability in Nx's GitHub Actions workflows. This flaw allowed for a pull request title injection, combined with an insecure pull_request_target configuration, enabling the execution of arbitrary code with elevated permissions within Nx's continuous integration (CI) pipeline.[1][2][4] This unauthorized access facilitated the theft of an npm publishing token, which was then used to release malicious versions of Nx packages on the npm registry.[1][2][4]

Once installed, these backdoored Nx packages deployed telemetry.js, a credential-stealing malware primarily targeting Linux and macOS systems.[1][2][4] This malware was designed to harvest GitHub and npm tokens, SSH keys, .env files, and cryptocurrency wallet data.[1][2][4] The stolen information was subsequently uploaded to public GitHub repositories created by the attackers, typically named s1ngularity-repository, allowing for easy collection.[1][2][4]

AI-Powered Credential Theft: A New Threat Vector

A distinguishing feature of the "s1ngularity" attack was its use of artificial intelligence to enhance credential discovery. The telemetry.js malware incorporated command-line tools for prominent large language models (LLMs) such as Claude, Q, and Gemini.[1][3] Attackers used specially crafted LLM prompts to direct these AI agents to recursively search local paths for sensitive files and secrets.[1][3]

Wiz researchers observed that the attackers continuously refined their AI prompts throughout the campaign, demonstrating an iterative process of "prompt tuning" to improve the malware's success rate.[1][3] For example, introducing phrases like "penetration testing" in the prompts sometimes reduced refusals from the AI systems, allowing for more aggressive searches, although LLM safety guardrails still led to task rejections in a significant portion of cases.[1][3] This method represents a notable advancement in malware capabilities, where AI is leveraged to intelligently locate and exfiltrate credentials, potentially bypassing traditional detection mechanisms due to its adaptive nature.[3]

What is a Supply Chain Attack?

A supply chain attack targets less secure elements in a software development process, such as third-party components or updates, to compromise a larger, more secure system or its users.[1]

The Extensive Fallout: Accounts and Repositories Compromised

The "s1ngularity" attack had a massive blast radius, unfolding in three distinct phases:

• Phase 1 (August 26-27, 2025): The initial distribution of malicious Nx packages directly impacted approximately 1,700 users, leading to the public leakage of over 2,000 unique secrets and more than 20,000 files from infected systems.[1][3] GitHub responded by taking down the attacker-controlled repositories within eight hours, but the data had already been copied.[1][3]

• Phase 2 (August 28-29, 2025): Attackers leveraged the stolen GitHub tokens from Phase 1 to gain access to an additional 480 accounts, predominantly organizations.[1][3] They then flipped approximately 6,700 private repositories to public status, renaming them to include the 's1ngularity' string.[1][3] This exposed further sensitive information, including thousands of valid credentials within these previously private codebases.[3]

• Phase 3 (August 31, 2025, onward): In the final phase, attackers focused on a single victim organization, using two compromised accounts to publish over 500 private repositories with the description "S1ngularity."[1][3]

  
  

Inside the s1ngularity fallout: how the Nx supply-chain attack unfolded, the role of AI tooling, and what GitHub logs reveal/ Image Credit: Wiz

Wiz researchers noted that nearly 90% of the leaked GitHub tokens remained valid over 24 hours after GitHub's initial response, with roughly 5% still active even after a mass revocation campaign.[3] This extended validity period allowed for the subsequent phases of the attack.[3] The malware also modified .zshrc and .bashrc files to include a sudo shutdown -h 0 command, prompting users for their system password and immediately shutting down the machine if provided.[4]

Nx Team's Response and Remediation

Following the detection of the attack, the Nx team conducted a detailed root cause analysis and implemented several critical security measures. They confirmed that the vulnerability stemmed from bash injection combined with the insecure use of pull_request_target in GitHub Actions, which granted arbitrary code execution with elevated permissions and exposed their npm publishing token.[1][2][4] The vulnerability was introduced on August 21, 2025, and initially, an inadequate resolution was applied on August 22, 2025.[4]

Immediate actions included revoking and rotating all compromised tokens, enforcing two-factor authentication (2FA) for all publisher accounts, and migrating to NPM’s Trusted Publisher model to eliminate token-based publishing.[1][2][4] Additionally, manual approval workflows were introduced for pull request-triggered CI/CD pipelines to prevent similar future compromises.[1][2][4] Nx also advised users to check for s1ngularity-repository in their GitHub audit logs and /tmp/inventory.txt on their local machines, and to rotate all credentials.[1][2][4]

Why This Matters

For readers, the "s1ngularity" attack underscores the evolving and increasingly sophisticated nature of cyber threats in the age of AI. It highlights that even widely used open-source tools can become vectors for highly automated attacks that compromise sensitive credentials. For organizations, this incident is a critical reminder to reassess software supply chain security, implement rigorous CI/CD practices, enforce multi-factor authentication, and proactively manage and rotate credentials, especially for accounts with elevated permissions, to mitigate the risks posed by AI-enhanced malware.