{"id":67581,"date":"2025-09-06T19:54:30","date_gmt":"2025-09-06T22:54:30","guid":{"rendered":"https:\/\/mastertrend.info\/?p=67581"},"modified":"2026-01-21T01:05:13","modified_gmt":"2026-01-21T04:05:13","slug":"singularity-filtration","status":"publish","type":"post","link":"https:\/\/mastertrend.info\/en\/filtracion-s1ngularity\/","title":{"rendered":"S1ngularity filtering: 2,180 accounts and 7,200 repos."},"content":{"rendered":"

S1ngularity leak: GitHub and NPM affected \ud83d\udea8<\/h2>\n
\n

\"GitHub<\/p>\n

Recent investigations into the supply chain attack dubbed "s1ngularity" against Nx reveal a massive credential leak: thousands of account tokens and repository secrets were exposed, with repercussions across multiple phases of the incident. A post-incident report from Wiz documents the scope and provides insight into how the exfiltration evolved and its impact. \ud83d\udea8\ud83d\udcca<\/p>\n

According to the assessment published by Wiz researchers, the breach resulted in the exposure of 2,180 accounts and 7,200 repositories in three distinct phases, with many secrets still valid and risk of continued damage<\/a>The white paper provides details on the timeline, the attacker's techniques, and the nature of the leaked secrets. \ud83d\udd0d\ud83d\udcc8<\/p>\n

The Nx Supply Chain Attack \u26a0\ufe0f\ud83d\ude80<\/h2>\n

Nx is an open-source, single-repository build and management system widely used in enterprise-scale JavaScript\/TypeScript ecosystems. With millions of weekly downloads on the NPM registry, a compromised package has a far-reaching impact on numerous integrations and development pipelines. \u2699\ufe0f<\/p>\n

Compromise vector and incident date \ud83d\udcc5<\/h3>\n

On August 26, 2025, a malicious actor exploited a vulnerable GitHub Actions workflow in the Nx repository to publish a malicious version of the package to NPM. The package included a malicious post-install script called "telemetry.js" that acted as malware<\/a> Credential extractor on affected systems. \ud83d\udd25<\/p>\n

How telemetry.js malware works \ud83d\udd75\ufe0f\u200d\u2642\ufe0f<\/h3>\n

The malware telemetry.js acted as a credential stealer on Linux and macOS, attempting to steal GitHub tokens, npm tokens, SSH keys, .env files, cryptocurrency wallets, and other secrets, and then upload them to public GitHub repositories named \u00abs1ngularity-repository. This pattern allowed the attacker to centralize and expose the stolen information. \ud83d\udd10<\/p>\n

\n
\"Prompt
Prompt LLM to find and exfiltrate credentials and other secrets<\/strong>
\nSource: Wiz<\/em><\/figcaption><\/figure>\n<\/div>\n

The attacker also integrated command-line tools for AI platforms (e.g., Claude, Q, and Gemini) to automate search and harvesting using targeted prompts. Wiz documents how the prompt evolved during the attack, optimizing extraction and circumventing model rejections for certain instructions, reflecting the actor's active attunement to LLM techniques. \u2728\ud83d\udca1<\/p>\n

Impact range: damage radius and phases \ud83d\udcc8\ud83d\udd25<\/h2>\n

The incident unfolded in three phases. In the first, between August 26 and 27, compromised versions of Nx directly affected 1,700 users and leaked more than 2,000 unique secrets, in addition to exposing around 20,000 files from infected systems. GitHub intervened, but much of the data had already been duplicated.<\/p>\n