Nx s1ngularity Attackers Used Local Claude Code and Gemini CLI to Steal Developer Tokens

The s1ngularity attack used AI coding agents on developer machines to steal credentials from over 1,000 accounts, exposing a gap that npm scanning alone cannot close.

On August 26, 2025, eight malicious versions of the Nx build system appeared on npm, published through a stolen token. Within hours, the postinstall script inside those packages was invoking locally installed AI coding agents with their permission-skip flags to walk developer filesystems for SSH keys, .env files, and wallet data. The attack, later named s1ngularity, is one of the first documented cases where supply-chain malware weaponized AI CLIs already present on the victim’s machine rather than exfiltrating data directly.

The attack chain: from a PR title to a stolen publish token

The entry point was a GitHub Actions injection. The Nx repository ran a PR title validation workflow using pull_request_target, which checks out the base repository and has access to its secrets. The workflow echoed the PR title without sanitization. Combined with permissive workflow token permissions, this allowed an attacker to craft a pull request whose title contained injected commands that extracted the NPM_TOKEN secret, according to Nx’s postmortem.

This is not a novel GitHub Actions pattern. pull_request_target with unsanitized input has been documented as a secrets-exposure vector for years. What made s1ngularity notable was what happened next.
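As an added illustration, not code from the Nx postmortem or any of the cited sources, the check below looks for the workflow shape described above: a pull_request_target trigger whose run: steps interpolate a github.event.* expression directly into the shell. Both workflow samples are constructed; the hardened one passes the title through an environment variable and drops the job token to read-only. The check generalizes beyond the PR title to any github.event.* field used this way.

```python
import re
# Constructed: the vulnerable shape described above (PR title interpolated into a shell step).
VULNERABLE = """\
on:
  pull_request_target:
jobs:
  check:
    runs-on: ubuntu-latest
    steps:
      - run: |
          echo "PR title: ${{ github.event.pull_request.title }}"
"""

# Constructed hardened form: untrusted text reaches the shell only via an env var
# (never expanded by the workflow parser) and the job token is read-only.
HARDENED = """\
on:
  pull_request_target:
permissions:
  contents: read
jobs:
  check:
    runs-on: ubuntu-latest
    steps:
      - env:
          TITLE: ${{ github.event.pull_request.title }}
        run: |
          printf 'PR title: %s\\n' "$TITLE"
"""

TRIGGER = re.compile(r"^\s*(?:on:.*\bpull_request_target\b|pull_request_target\s*:)", re.M)
EVENT_EXPR = re.compile(r"\$\{\{\s*github\.event\.[^}]*\}\}")
RUN_KEY = re.compile(r"^(\s*)(?:-\s+)?run:\s*(.*)$")

def find_injections(workflow: str) -> list[str]:
    """Return github.event.* expressions interpolated into run: steps of a pull_request_target workflow."""
    if not TRIGGER.search(workflow):
        return []
    hits, run_indent = [], None  # run_indent is set while inside a run: block scalar
    for line in workflow.splitlines():
        m = RUN_KEY.match(line)
        if m:
            hits += EVENT_EXPR.findall(m.group(2))
            run_indent = len(m.group(1)) if m.group(2).startswith(("|", ">")) else None
        elif run_indent is not None:
            if line.strip() and len(line) - len(line.lstrip()) <= run_indent:
                run_indent = None  # dedented back to the step: block scalar ended
            else:
                hits += EVENT_EXPR.findall(line)
    return hits
```

Expressions placed under env: are deliberately not reported, since the runner substitutes them before the shell sees them; the same title under run: is reported.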

The attacker used the token to publish eight malicious package versions: nx 20.9.0 through 20.12.0 and 21.5.0 through 21.8.0, plus scoped @nx/* packages. The packages remained live for roughly five hours and twenty minutes before takedown, as reported by Snyk’s incident analysis.

How telemetry.js weaponized AI coding agents

The postinstall payload, telemetry.js, did not exfiltrate secrets through its own HTTP requests. Instead, it detected whether the victim machine had any of three AI CLI tools installed and invoked them with flags designed to bypass user confirmation:

  • Claude Code: --dangerously-skip-permissions
  • Gemini CLI: --yolo
  • Amazon Q Developer: --trust-all-tools

Each invocation included a crafted prompt instructing the agent to recursively enumerate SSH keys, cryptocurrency wallet files, .env files, and other sensitive paths, writing results to /tmp/inventory.txt. This technique was detailed by both Socket’s analysis and StepSecurity’s breakdown.

The division of labor is deliberate: the AI agent, not the postinstall script, performs the filesystem traversal. The agent process is typically already trusted by the OS, the user, and often any endpoint detection tooling. The exfiltration step runs inside a process that looks like normal developer activity.

Public ClickHouse data analyzed by Socket shows more than 1,000 victim GitHub accounts with s1ngularity-repository repos containing exfiltrated credentials.

Why npm-side scanning misses the real exfiltration

Standard supply-chain defenses focus on the package. npm audit, Socket, Snyk, and similar tools scan postinstall scripts for suspicious patterns: outbound network calls, filesystem access outside node_modules, encoded payloads. The telemetry.js script in s1ngularity likely triggered these detectors on its own. But the actual credential harvesting ran inside a Claude Code or Gemini CLI process, launched with a flag the vendors themselves provide for automation.

This creates a detection gap. The postinstall script’s behavior (launching a subprocess with specific arguments) is not inherently suspicious. The subprocess is a well-known developer tool. The prompt it receives is the only malicious component, and prompts are not standard scan targets. Endpoint protection tools see claude or gemini running and doing file reads, which is exactly what those tools are expected to do.

Vercel’s changelog confirms the gap from the platform side: their build containers were safe by default because gh CLI, GitHub tokens, and AI coding agent CLIs are not pre-installed. Zero Vercel builds met all four conditions required for exfiltration. The defense was environmental, not analytical.

The second wave: long-lived OAuth tokens

The initial package takedown on August 27 did not end the incident. On August 28, a second wave exploited still-valid leaked GitHub CLI OAuth tokens to rename private org repositories to s1ngularity-repository-{random} and make them public, as documented by StepSecurity. The attacker also forked organization repos into compromised user accounts.

This second wave is operationally significant. The malicious packages were gone, but the credentials they harvested remained valid. Token rotation was not immediate across all victims, and the GitHub CLI’s OAuth tokens had a long enough TTL to enable follow-on actions a full day later. The blast radius of a supply-chain compromise extends well past the window in which the malicious package is available for download.

What Nx changed

Nx’s response was substantive. According to their postmortem, they moved from static NPM_TOKEN secrets to Trusted Publisher with OIDC authentication, which ties publish capability to the CI environment’s identity rather than a stealable string. They implemented a manual approval process for all releases, disabled pipeline runs from all external contributors, and adopted additional enhanced security measures.

These are the right fixes for the specific failure. OIDC-based publishing eliminates the class of secret-extraction attacks that pull_request_target enables. Disabling external contributor pipeline runs removes the injection surface entirely.

Hardening checklist for developer machines

The s1ngularity attack exposes a threat surface that did not exist two years ago: the AI coding agent as a recon primitive. Defenders should treat local AI agent tool-use as a privileged execution surface.

Concrete steps:

  • Disable postinstall scripts by default. npm config set ignore-scripts true prevents any postinstall from running without explicit opt-in. Re-enable per-package where needed.
  • Enforce npm provenance. Provenance-signed packages let you verify that a package was published from a specific CI environment, not a stolen token.
  • Restrict AI CLI filesystem scope. Claude Code and Gemini CLI both support project-directory scoping. Use it. An AI agent that can read ~/.ssh and ~/.env is an AI agent that can be weaponized.
  • Rotate GitHub CLI OAuth tokens. The second wave proved that long-lived tokens extend the blast radius of a credential harvest. Short TTLs and regular rotation reduce the window.
  • Monitor for permission-skip flags in process arguments. If --dangerously-skip-permissions or --yolo appears in a process invocation that was not initiated by the developer directly, flag it.
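The last checklist item, as an added example rather than anything from the article's sources: a classifier over constructed process-start events that flags the three permission-skip flags listed above and uses process ancestry to separate an agent launched from an npm install script from one the developer typed. The binary names claude, gemini and q, the event format, and the node argv are assumptions.

```python
# Constructed process-start events in the shape an EDR or auditd exec log might give:
# one chain spawned from an npm install, and two launches typed into the developer's shell.
EVENTS = [
    {"pid": 100, "ppid": 1,   "comm": "zsh",    "argv": ["zsh"]},
    {"pid": 101, "ppid": 100, "comm": "npm",    "argv": ["npm", "install"]},
    {"pid": 102, "ppid": 101, "comm": "node",   "argv": ["node", "telemetry.js"]},  # argv constructed
    {"pid": 103, "ppid": 102, "comm": "claude",
     "argv": ["claude", "--dangerously-skip-permissions", "-p", "<crafted prompt placeholder>"]},
    {"pid": 104, "ppid": 100, "comm": "gemini", "argv": ["gemini", "--yolo", "-p", "add tests"]},
    {"pid": 105, "ppid": 100, "comm": "claude", "argv": ["claude"]},
]

# Permission-skip flags named in the article, keyed by CLI binary name
# (binary names are an assumption; adjust to what your endpoint actually reports).
SKIP_FLAGS = {
    "claude": {"--dangerously-skip-permissions"},
    "gemini": {"--yolo"},
    "q": {"--trust-all-tools"},
}
# Ancestors that mean "spawned by a package lifecycle script, not typed by a person".
SCRIPT_RUNNERS = {"npm", "npx", "yarn", "pnpm", "node"}

def ancestry(by_pid, pid):
    """Walk ppid links upward and return ancestor command names, nearest first."""
    chain = []
    while pid in by_pid:
        chain.append(by_pid[pid]["comm"])
        pid = by_pid[pid]["ppid"]
    return chain

def classify(events):
    """Flag AI-CLI launches carrying a permission-skip flag, ranked by who launched them."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        flags = SKIP_FLAGS.get(e["comm"], set()).intersection(e["argv"][1:])
        if not flags:
            continue
        parents = ancestry(by_pid, e["ppid"])
        # A package manager or node in the lineage means an install script launched the
        # agent (the case described above); a plain shell lineage only merits review.
        severity = "high" if SCRIPT_RUNNERS.intersection(parents) else "review"
        findings.append({"pid": e["pid"], "comm": e["comm"], "flag": ", ".join(sorted(flags)),
                         "parents": parents, "severity": severity})
    return findings

if __name__ == "__main__":
    for f in classify(EVENTS):
        print(f"[{f['severity']}] pid={f['pid']} {f['comm']} {f['flag']} via {' <- '.join(f['parents'])}")
```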

The broader implication

Every AI coding agent installed on a developer laptop is now part of the supply-chain threat surface. The agents are designed to read files, execute commands, and operate with broad filesystem access. They have built-in flags to skip permission prompts, because automation workflows need them. An attacker who can execute arbitrary code on a developer machine, whether through a malicious npm postinstall, a compromised VS Code extension, or any other vector, can now delegate reconnaissance to a tool the developer installed and trusts.

This is not hypothetical. The s1ngularity attack demonstrated the full chain in August 2025, compromising over 1,000 developer accounts. The attack does not require a zero-day in the AI tool itself. It requires only that the tool be installed and that a flag exists to bypass its permission model. Both conditions are met on a growing number of developer machines.

The defensive posture needs to catch up. Package registries can scan postinstall scripts, but they cannot control what happens inside an AI agent process on a developer’s laptop. That boundary, between the package and the developer environment, is where the next generation of supply-chain attacks will operate.

Frequently Asked Questions

Of systems that downloaded the malicious packages, how many actually ran the AI agent payload?

ClickHouse data shows that of the compromised systems, 33% (366) had at least one LLM client installed, but only 95 of those actually executed the malicious AI prompt. The gap suggests many developers had AI CLIs present but not configured with the authentication or filesystem access the crafted prompt needed to complete its enumeration.

Was the August 26 package publication the attacker’s first move against the Nx repo?

No. Snyk’s September 1 update reported that a malicious commit on August 24, two days before the packages appeared on npm, redirected the Nx publish token to an attacker-controlled webhook. The attacker held write access to the repository for at least 48 hours before the postinstall payload reached any developer machine, using that window to validate the token extraction path and prepare the telemetry.js payload.

What four conditions had to align for the exfiltration to succeed?

Vercel’s platform analysis identified four conditions that all had to hold: a build installing a malicious Nx version, an AI CLI tool present in the container, a permission-skip flag available to that CLI, and valid credentials within the agent’s reachable filesystem scope. Zero Vercel builds met all four, which is why the defense was environmental (nothing sensitive pre-installed) rather than analytical (no scanner caught the prompt).

Do AI agents without permission-skip flags resist this attack class?

Partially. An agent that prompts before every tool use would ask the developer before reading ~/.ssh, which raises the chance of detection. But the crafted prompt could be engineered to look like a legitimate task, and some agents cache permission grants per session. Filesystem scoping is the stronger control: restricting the agent’s working directory so credential paths are unreachable regardless of permission mode.

Sources (5 cited)

  1. S1ngularity - What Happened, How We Responded, What We Learned (primary; accessed 2026-05-25)
  2. Weaponizing AI Coding Agents for Malware in the Nx Malicious Package Security Incident (analysis; accessed 2026-05-25)
  3. Nx npm Packages Compromised in Supply Chain Attack Weaponizing AI CLI Tools (analysis; accessed 2026-05-25)
  4. s1ngularity: Popular Nx Build System Package Compromised with Data-Stealing Malware (analysis; accessed 2026-05-25)
  5. s1ngularity: supply chain attack in Nx packages (vendor; accessed 2026-05-25)