CVE-2025-10894 (GCVE-0-2025-10894)
Vulnerability from cvelistv5 – Published: 2025-09-24 21:20 – Updated: 2025-11-20 07:26
VLAI
Title
Nx: nx/devkit: malicious versions of nx and plugins published to npm
Summary
Malicious code was inserted into the Nx (build system) package and several related plugins. The tampered package was published to the npm software registry, via a supply-chain attack. Affected versions contain code that scans the file system, collects credentials, and posts them to GitHub as a repo under user's accounts.
Severity
9.6 (Critical)
SSVC
Exploitation: poc
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-506 - Embedded Malicious Code
Assigner
References
6 references
Impacted products
8 products
| Vendor | Product | Version | |
|---|---|---|---|
|
Affected:
20.12.0
Affected: 21.8.0 Affected: 21.7.0 Affected: 20.11.0 Affected: 21.6.0 Affected: 20.10.0 Affected: 20.9.0 Affected: 21.5.0 |
|||
|
Affected:
20.9.0
Affected: 21.5.0 |
|||
|
Affected:
3.2.0
|
|||
|
Affected:
21.5.0
|
|||
| Red Hat | Multicluster Global Hub |
cpe:/a:redhat:multicluster_globalhub |
|
| Red Hat | OpenShift Serverless |
cpe:/a:redhat:serverless:1 |
|
| Red Hat | Red Hat Advanced Cluster Management for Kubernetes 2 |
cpe:/a:redhat:acm:2 |
|
| Red Hat | Red Hat Ansible Automation Platform 2 |
cpe:/a:redhat:ansible_automation_platform:2 |
Date Public
2025-09-23 16:51
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-10894",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-09-25T13:51:05.714060Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-09-25T13:51:09.059Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/nrwl/nx/security/advisories/GHSA-cxm3-wv7p-598c"
},
{
"tags": [
"exploit"
],
"url": "https://www.stepsecurity.io/blog/supply-chain-security-alert-popular-nx-build-system-package-compromised-with-data-stealing-malware"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://github.com/nrwl/nx",
"defaultStatus": "unaffected",
"packageName": "nx",
"versions": [
{
"status": "affected",
"version": "20.12.0"
},
{
"status": "affected",
"version": "21.8.0"
},
{
"status": "affected",
"version": "21.7.0"
},
{
"status": "affected",
"version": "20.11.0"
},
{
"status": "affected",
"version": "21.6.0"
},
{
"status": "affected",
"version": "20.10.0"
},
{
"status": "affected",
"version": "20.9.0"
},
{
"status": "affected",
"version": "21.5.0"
}
]
},
{
"collectionURL": "https://github.com/nrwl/nx",
"defaultStatus": "unaffected",
"packageName": "nx/devkit",
"versions": [
{
"status": "affected",
"version": "20.9.0"
},
{
"status": "affected",
"version": "21.5.0"
}
]
},
{
"collectionURL": "https://nx.dev/powerpack",
"defaultStatus": "unaffected",
"packageName": "nx/enterprise-cloud",
"versions": [
{
"status": "affected",
"version": "3.2.0"
}
]
},
{
"collectionURL": "https://github.com/nrwl/nx",
"defaultStatus": "unaffected",
"packageName": "nx/eslint",
"versions": [
{
"status": "affected",
"version": "21.5.0"
}
]
},
{
"collectionURL": "https://github.com/nrwl/nx",
"defaultStatus": "unaffected",
"packageName": "nx/js",
"versions": [
{
"status": "affected",
"version": "20.9.0"
},
{
"status": "affected",
"version": "21.5.0"
}
]
},
{
"collectionURL": "https://github.com/nrwl/nx",
"defaultStatus": "unaffected",
"packageName": "nx/key",
"versions": [
{
"status": "affected",
"version": "3.2.0"
}
]
},
{
"collectionURL": "https://github.com/nrwl/nx",
"defaultStatus": "unaffected",
"packageName": "nx/node",
"versions": [
{
"status": "affected",
"version": "20.9.0"
},
{
"status": "affected",
"version": "21.5.0"
}
]
},
{
"collectionURL": "https://github.com/nrwl/nx",
"defaultStatus": "unaffected",
"packageName": "nx/workspace",
"versions": [
{
"status": "affected",
"version": "20.9.0"
},
{
"status": "affected",
"version": "21.5.0"
}
]
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:multicluster_globalhub"
],
"defaultStatus": "unaffected",
"packageName": "multicluster-globalhub/multicluster-globalhub-grafana-rhel9",
"product": "Multicluster Global Hub",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:serverless:1"
],
"defaultStatus": "unaffected",
"packageName": "openshift-serverless-1/kn-backstage-plugins-eventmesh-rhel8",
"product": "OpenShift Serverless",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:acm:2"
],
"defaultStatus": "unaffected",
"packageName": "rhacm2/acm-grafana-rhel9",
"product": "Red Hat Advanced Cluster Management for Kubernetes 2",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:ansible_automation_platform:2"
],
"defaultStatus": "unaffected",
"packageName": "automation-gateway",
"product": "Red Hat Ansible Automation Platform 2",
"vendor": "Red Hat"
}
],
"datePublic": "2025-09-23T16:51:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "Malicious code was inserted into the Nx (build system) package and several related plugins. The tampered package was published to the npm software registry, via a supply-chain attack. Affected versions contain code that scans the file system, collects credentials, and posts them to GitHub as a repo under user\u0027s accounts."
}
],
"metrics": [
{
"other": {
"content": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"value": "Important"
},
"type": "Red Hat severity rating"
}
},
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.6,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-506",
"description": "Embedded Malicious Code",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-11-20T07:26:10.947Z",
"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"shortName": "redhat"
},
"references": [
{
"tags": [
"vdb-entry",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/security/cve/CVE-2025-10894"
},
{
"url": "https://access.redhat.com/security/supply-chain-attacks-NPM-packages"
},
{
"name": "RHBZ#2396282",
"tags": [
"issue-tracking",
"x_refsource_REDHAT"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2396282"
},
{
"url": "https://github.com/nrwl/nx/security/advisories/GHSA-cxm3-wv7p-598c"
},
{
"url": "https://www.stepsecurity.io/blog/supply-chain-security-alert-popular-nx-build-system-package-compromised-with-data-stealing-malware"
},
{
"url": "https://www.wiz.io/blog/s1ngularity-supply-chain-attack"
}
],
"timeline": [
{
"lang": "en",
"time": "2025-09-17T21:01:13.505Z",
"value": "Reported to Red Hat."
},
{
"lang": "en",
"time": "2025-09-23T16:51:00.000Z",
"value": "Made public."
}
],
"title": "Nx: nx/devkit: malicious versions of nx and plugins published to npm",
"x_redhatCweChain": "CWE-506: Embedded Malicious Code"
}
},
"cveMetadata": {
"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"assignerShortName": "redhat",
"cveId": "CVE-2025-10894",
"datePublished": "2025-09-24T21:20:31.242Z",
"dateReserved": "2025-09-23T16:30:03.636Z",
"dateUpdated": "2025-11-20T07:26:10.947Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"vulnerability-lookup:meta": {
"epss": {
"cve": "CVE-2025-10894",
"date": "2026-07-01",
"epss": "0.00527",
"percentile": "0.40682"
},
"nvd": "{\"cve\":{\"id\":\"CVE-2025-10894\",\"sourceIdentifier\":\"secalert@redhat.com\",\"published\":\"2025-09-24T22:15:35.423\",\"lastModified\":\"2026-06-17T08:29:13.757\",\"vulnStatus\":\"Deferred\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Malicious code was inserted into the Nx (build system) package and several related plugins. The tampered package was published to the npm software registry, via a supply-chain attack. Affected versions contain code that scans the file system, collects credentials, and posts them to GitHub as a repo under user\u0027s accounts.\"},{\"lang\":\"es\",\"value\":\"Se insert\u00f3 c\u00f3digo malicioso en el paquete Nx (sistema de compilaci\u00f3n) y varios plugins relacionados. El paquete manipulado se public\u00f3 en el registro de software npm, a trav\u00e9s de un ataque a la cadena de suministro. Las versiones afectadas contienen c\u00f3digo que escanea el sistema de archivos, recopila credenciales y las publica en GitHub como un repositorio bajo las cuentas de los usuarios.\"}],\"affected\":[{\"source\":\"secalert@redhat.com\",\"affectedData\":[{\"defaultStatus\":\"unaffected\",\"collectionURL\":\"https://github.com/nrwl/nx\",\"packageName\":\"nx\",\"versions\":[{\"version\":\"20.12.0\",\"status\":\"affected\"},{\"version\":\"21.8.0\",\"status\":\"affected\"},{\"version\":\"21.7.0\",\"status\":\"affected\"},{\"version\":\"20.11.0\",\"status\":\"affected\"},{\"version\":\"21.6.0\",\"status\":\"affected\"},{\"version\":\"20.10.0\",\"status\":\"affected\"},{\"version\":\"20.9.0\",\"status\":\"affected\"},{\"version\":\"21.5.0\",\"status\":\"affected\"}]},{\"defaultStatus\":\"unaffected\",\"collectionURL\":\"https://github.com/nrwl/nx\",\"packageName\":\"nx/devkit\",\"versions\":[{\"version\":\"20.9.0\",\"status\":\"affected\"},{\"version\":\"21.5.0\",\"status\":\"affected\"}]},{\"defaultStatus\":\"unaffected\",\"collectionURL\":\"https://nx.dev/powerpack\",\"packageName\":\"nx/enterprise-cloud\",\"versions\":[{\"version\":\"3.2.0\",\"status\":\"affected\"}]},{\"defaultStatus\":\"unaffected\",\"collectionURL\":\"https://github.com/nrwl/nx\",\"packageName\":\"nx/eslint\",\"versions\":[{\"version\":\"21.5.0\",\"status\":\"affected\"}]},{\"defaultStatus\":\"unaffected\",\"collectionURL\":\"https://github.com/nrwl/nx\",\"packageName\":\"nx/js\",\"versions\":[{\"version\":\"20.9.0\",\"status\":\"affected\"},{\"version\":\"21.5.0\",\"status\":\"affected\"}]},{\"defaultStatus\":\"unaffected\",\"collectionURL\":\"https://github.com/nrwl/nx\",\"packageName\":\"nx/key\",\"versions\":[{\"version\":\"3.2.0\",\"status\":\"affected\"}]},{\"defaultStatus\":\"unaffected\",\"collectionURL\":\"https://github.com/nrwl/nx\",\"packageName\":\"nx/node\",\"versions\":[{\"version\":\"20.9.0\",\"status\":\"affected\"},{\"version\":\"21.5.0\",\"status\":\"affected\"}]},{\"defaultStatus\":\"unaffected\",\"collectionURL\":\"https://github.com/nrwl/nx\",\"packageName\":\"nx/workspace\",\"versions\":[{\"version\":\"20.9.0\",\"status\":\"affected\"},{\"version\":\"21.5.0\",\"status\":\"affected\"}]},{\"vendor\":\"Red Hat\",\"product\":\"Multicluster Global Hub\",\"defaultStatus\":\"unaffected\",\"collectionURL\":\"https://access.redhat.com/downloads/content/package-browser/\",\"packageName\":\"multicluster-globalhub/multicluster-globalhub-grafana-rhel9\",\"cpes\":[\"cpe:/a:redhat:multicluster_globalhub\"]},{\"vendor\":\"Red Hat\",\"product\":\"OpenShift Serverless\",\"defaultStatus\":\"unaffected\",\"collectionURL\":\"https://access.redhat.com/downloads/content/package-browser/\",\"packageName\":\"openshift-serverless-1/kn-backstage-plugins-eventmesh-rhel8\",\"cpes\":[\"cpe:/a:redhat:serverless:1\"]},{\"vendor\":\"Red Hat\",\"product\":\"Red Hat Advanced Cluster Management for Kubernetes 2\",\"defaultStatus\":\"unaffected\",\"collectionURL\":\"https://access.redhat.com/downloads/content/package-browser/\",\"packageName\":\"rhacm2/acm-grafana-rhel9\",\"cpes\":[\"cpe:/a:redhat:acm:2\"]},{\"vendor\":\"Red Hat\",\"product\":\"Red Hat Ansible Automation Platform 2\",\"defaultStatus\":\"unaffected\",\"collectionURL\":\"https://access.redhat.com/downloads/content/package-browser/\",\"packageName\":\"automation-gateway\",\"cpes\":[\"cpe:/a:redhat:ansible_automation_platform:2\"]}]}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"secalert@redhat.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H\",\"baseScore\":9.6,\"baseSeverity\":\"CRITICAL\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"REQUIRED\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":2.8,\"impactScore\":6.0}],\"ssvcV203\":[{\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"ssvcData\":{\"timestamp\":\"2025-09-25T13:51:05.714060Z\",\"id\":\"CVE-2025-10894\",\"options\":[{\"exploitation\":\"poc\"},{\"automatable\":\"no\"},{\"technicalImpact\":\"total\"}],\"role\":\"CISA Coordinator\",\"version\":\"2.0.3\"}}]},\"weaknesses\":[{\"source\":\"secalert@redhat.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-506\"}]}],\"references\":[{\"url\":\"https://access.redhat.com/security/cve/CVE-2025-10894\",\"source\":\"secalert@redhat.com\"},{\"url\":\"https://access.redhat.com/security/supply-chain-attacks-NPM-packages\",\"source\":\"secalert@redhat.com\"},{\"url\":\"https://bugzilla.redhat.com/show_bug.cgi?id=2396282\",\"source\":\"secalert@redhat.com\"},{\"url\":\"https://github.com/nrwl/nx/security/advisories/GHSA-cxm3-wv7p-598c\",\"source\":\"secalert@redhat.com\"},{\"url\":\"https://www.stepsecurity.io/blog/supply-chain-security-alert-popular-nx-build-system-package-compromised-with-data-stealing-malware\",\"source\":\"secalert@redhat.com\"},{\"url\":\"https://www.wiz.io/blog/s1ngularity-supply-chain-attack\",\"source\":\"secalert@redhat.com\"},{\"url\":\"https://github.com/nrwl/nx/security/advisories/GHSA-cxm3-wv7p-598c\",\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\"},{\"url\":\"https://www.stepsecurity.io/blog/supply-chain-security-alert-popular-nx-build-system-package-compromised-with-data-stealing-malware\",\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\"}]}}",
"vulnrichment": {
"containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2025-10894\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-09-25T13:51:05.714060Z\"}}}], \"references\": [{\"url\": \"https://github.com/nrwl/nx/security/advisories/GHSA-cxm3-wv7p-598c\", \"tags\": [\"exploit\"]}, {\"url\": \"https://www.stepsecurity.io/blog/supply-chain-security-alert-popular-nx-build-system-package-compromised-with-data-stealing-malware\", \"tags\": [\"exploit\"]}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-09-25T13:50:58.955Z\"}}], \"cna\": {\"title\": \"Nx: nx/devkit: malicious versions of nx and plugins published to npm\", \"metrics\": [{\"other\": {\"type\": \"Red Hat severity rating\", \"content\": {\"value\": \"Important\", \"namespace\": \"https://access.redhat.com/security/updates/classification/\"}}}, {\"format\": \"CVSS\", \"cvssV3_1\": {\"scope\": \"CHANGED\", \"version\": \"3.1\", \"baseScore\": 9.6, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"CRITICAL\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H\", \"integrityImpact\": \"HIGH\", \"userInteraction\": \"REQUIRED\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"HIGH\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"HIGH\"}}], \"affected\": [{\"versions\": [{\"status\": \"affected\", \"version\": \"20.12.0\"}, {\"status\": \"affected\", \"version\": \"21.8.0\"}, {\"status\": \"affected\", \"version\": \"21.7.0\"}, {\"status\": \"affected\", \"version\": \"20.11.0\"}, {\"status\": \"affected\", \"version\": \"21.6.0\"}, {\"status\": \"affected\", \"version\": \"20.10.0\"}, {\"status\": \"affected\", \"version\": \"20.9.0\"}, {\"status\": \"affected\", \"version\": \"21.5.0\"}], \"packageName\": \"nx\", \"collectionURL\": \"https://github.com/nrwl/nx\", \"defaultStatus\": \"unaffected\"}, {\"versions\": [{\"status\": \"affected\", \"version\": \"20.9.0\"}, {\"status\": \"affected\", \"version\": \"21.5.0\"}], \"packageName\": \"nx/devkit\", \"collectionURL\": \"https://github.com/nrwl/nx\", \"defaultStatus\": \"unaffected\"}, {\"versions\": [{\"status\": \"affected\", \"version\": \"3.2.0\"}], \"packageName\": \"nx/enterprise-cloud\", \"collectionURL\": \"https://nx.dev/powerpack\", \"defaultStatus\": \"unaffected\"}, {\"versions\": [{\"status\": \"affected\", \"version\": \"21.5.0\"}], \"packageName\": \"nx/eslint\", \"collectionURL\": \"https://github.com/nrwl/nx\", \"defaultStatus\": \"unaffected\"}, {\"versions\": [{\"status\": \"affected\", \"version\": \"20.9.0\"}, {\"status\": \"affected\", \"version\": \"21.5.0\"}], \"packageName\": \"nx/js\", \"collectionURL\": \"https://github.com/nrwl/nx\", \"defaultStatus\": \"unaffected\"}, {\"versions\": [{\"status\": \"affected\", \"version\": \"3.2.0\"}], \"packageName\": \"nx/key\", \"collectionURL\": \"https://github.com/nrwl/nx\", \"defaultStatus\": \"unaffected\"}, {\"versions\": [{\"status\": \"affected\", \"version\": \"20.9.0\"}, {\"status\": \"affected\", \"version\": \"21.5.0\"}], \"packageName\": \"nx/node\", \"collectionURL\": \"https://github.com/nrwl/nx\", \"defaultStatus\": \"unaffected\"}, {\"versions\": [{\"status\": \"affected\", \"version\": \"20.9.0\"}, {\"status\": \"affected\", \"version\": \"21.5.0\"}], \"packageName\": \"nx/workspace\", \"collectionURL\": \"https://github.com/nrwl/nx\", \"defaultStatus\": \"unaffected\"}, {\"cpes\": [\"cpe:/a:redhat:multicluster_globalhub\"], \"vendor\": \"Red Hat\", \"product\": \"Multicluster Global Hub\", \"packageName\": \"multicluster-globalhub/multicluster-globalhub-grafana-rhel9\", \"collectionURL\": \"https://access.redhat.com/downloads/content/package-browser/\", \"defaultStatus\": \"unaffected\"}, {\"cpes\": [\"cpe:/a:redhat:serverless:1\"], \"vendor\": \"Red Hat\", \"product\": \"OpenShift Serverless\", \"packageName\": \"openshift-serverless-1/kn-backstage-plugins-eventmesh-rhel8\", \"collectionURL\": \"https://access.redhat.com/downloads/content/package-browser/\", \"defaultStatus\": \"unaffected\"}, {\"cpes\": [\"cpe:/a:redhat:acm:2\"], \"vendor\": \"Red Hat\", \"product\": \"Red Hat Advanced Cluster Management for Kubernetes 2\", \"packageName\": \"rhacm2/acm-grafana-rhel9\", \"collectionURL\": \"https://access.redhat.com/downloads/content/package-browser/\", \"defaultStatus\": \"unaffected\"}, {\"cpes\": [\"cpe:/a:redhat:ansible_automation_platform:2\"], \"vendor\": \"Red Hat\", \"product\": \"Red Hat Ansible Automation Platform 2\", \"packageName\": \"automation-gateway\", \"collectionURL\": \"https://access.redhat.com/downloads/content/package-browser/\", \"defaultStatus\": \"unaffected\"}], \"timeline\": [{\"lang\": \"en\", \"time\": \"2025-09-17T21:01:13.505000+00:00\", \"value\": \"Reported to Red Hat.\"}, {\"lang\": \"en\", \"time\": \"2025-09-23T16:51:00+00:00\", \"value\": \"Made public.\"}], \"datePublic\": \"2025-09-23T16:51:00.000Z\", \"references\": [{\"url\": \"https://access.redhat.com/security/cve/CVE-2025-10894\", \"tags\": [\"vdb-entry\", \"x_refsource_REDHAT\"]}, {\"url\": \"https://access.redhat.com/security/supply-chain-attacks-NPM-packages\"}, {\"url\": \"https://bugzilla.redhat.com/show_bug.cgi?id=2396282\", \"name\": \"RHBZ#2396282\", \"tags\": [\"issue-tracking\", \"x_refsource_REDHAT\"]}, {\"url\": \"https://github.com/nrwl/nx/security/advisories/GHSA-cxm3-wv7p-598c\"}, {\"url\": \"https://www.stepsecurity.io/blog/supply-chain-security-alert-popular-nx-build-system-package-compromised-with-data-stealing-malware\"}, {\"url\": \"https://www.wiz.io/blog/s1ngularity-supply-chain-attack\"}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"Malicious code was inserted into the Nx (build system) package and several related plugins. The tampered package was published to the npm software registry, via a supply-chain attack. Affected versions contain code that scans the file system, collects credentials, and posts them to GitHub as a repo under user\u0027s accounts.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-506\", \"description\": \"Embedded Malicious Code\"}]}], \"providerMetadata\": {\"orgId\": \"53f830b8-0a3f-465b-8143-3b8a9948e749\", \"shortName\": \"redhat\", \"dateUpdated\": \"2025-11-20T07:26:10.947Z\"}, \"x_redhatCweChain\": \"CWE-506: Embedded Malicious Code\"}}",
"cveMetadata": "{\"cveId\": \"CVE-2025-10894\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-11-20T07:26:10.947Z\", \"dateReserved\": \"2025-09-23T16:30:03.636Z\", \"assignerOrgId\": \"53f830b8-0a3f-465b-8143-3b8a9948e749\", \"datePublished\": \"2025-09-24T21:20:31.242Z\", \"assignerShortName\": \"redhat\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
}
}
Loading…
Loading…
Experimental. This forecast is provided for visualization only and may change without notice. Do not use it for operational decisions.
Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…