On August 27, 2025, the cybersecurity world confronted a new breed of supply chain attack that blurred the line between software exploitation and artificial intelligence manipulation. The s1ngularity incident, targeting the widely used Nx build system on npm, marked what security researchers believe to be one of the first documented cases of malware leveraging AI assistant CLIs for automated reconnaissance and data exfiltration. The attack exposed over a thousand GitHub tokens, dozens of cloud credentials, and thousands of sensitive files—transforming helpful AI coding tools into unwitting accomplices in one of the most sophisticated supply chain compromises in recent memory.
The Agentic Protocol
The attack’s root cause was traced to a flawed GitHub Actions CI workflow that had been contributed via a pull request on August 21, 2025. Investigators believe the code contribution was generated using Claude Code, an AI coding assistant. A follow-up malicious commit on August 24 modified the CI workflow to exfiltrate the npm publishing token to an attacker-controlled server via webhook, using the pull_request_target trigger that granted elevated permissions through a GITHUB_TOKEN with read/write repository access.
Between August 26 and 27, eight malicious versions of Nx and Nx Powerpack were pushed to npm across two version lines, remaining live for approximately five hours and twenty minutes before removal. The compromised versions included Nx packages 20.9.0, 20.10.0, 20.11.0, 20.12.0, 21.5.0, 21.6.0, 21.7.0, and 21.8.0, along with several auxiliary packages including @nx/devkit, @nx/enterprise-cloud, @nx/eslint, @nx/js, @nx/key, @nx/node, and @nx/workspace.
What set s1ngularity apart from conventional supply chain attacks was its post-installation payload. The malicious telemetry.js script attempted to weaponize locally installed AI coding agents—Claude Code, Google’s Gemini CLI, and Amazon’s q command-line tool—by invoking them with dangerous flags designed to bypass their built-in safety guardrails.
Neural Network Integration
The malware’s integration with AI coding agents was both elegant and alarming. The post-install script executed AI assistants with flags such as --dangerously-skip-permissions for Claude Code, --yolo for Gemini CLI, and --trust-all-tools for Amazon q. These flags are intended for automation workflows but effectively strip away the interactive consent mechanisms that normally protect users from unintended file access.
Once unleashed, the embedded prompt instructed each AI agent to recursively enumerate high-value targets across the filesystem—cryptocurrency wallet artifacts, SSH keys, .env files, and other sensitive data—while respecting depth limits and writing results to /tmp/inventory.txt and a backup file. The AI agents essentially performed the reconnaissance work that traditional malware would need to hardcode, adapting dynamically to different filesystem structures and configurations.
The data was double and triple-base64 encoded before being uploaded to attacker-controlled GitHub repositories within victims’ own accounts, named following the pattern s1ngularity-repository-NNNN with a numeric suffix. Thousands of such repositories were observed publicly, containing a treasure trove of stolen credentials and sensitive information.
Token Utility
The stolen credentials served as the foundation for a second phase of the attack. The attacker used compromised GitHub tokens to make victims’ private repositories public, renaming them to the pattern s1ngularity-repository followed by five random characters. Between August 28 at 4PM UTC and August 29 at 2AM UTC, this automated campaign impacted over 400 users and organizations, exposing more than 5,500 private repositories.
GitHub intervened on August 27 at 9AM UTC by disabling all attacker-created repositories, but the exposure window of approximately eight hours was sufficient for the data to be downloaded by the original attacker and other malicious actors. The trivially decodable base64 encoding means that all exfiltrated data should be treated as effectively public.
Beyond GitHub tokens, researchers observed dozens of valid cloud credentials and npm tokens among the stolen data, along with approximately 20,000 additional sensitive files. The malware also harvested npm and GitHub credentials directly from developer machines and even appended a shutdown command to shell configuration files, causing systems to power down on new terminal sessions.
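The victim-side indicators described above (the compromised nx versions, the shutdown line appended to shell rc files, and the s1ngularity-repository naming pattern) can be checked with a small triage script. The following is an added example, not code from the Nx project or the incident researchers; the lockfile, rc file and repository list it runs on are constructed samples.

```javascript
// Added example, not code from the Nx project or the incident researchers: a
// triage helper for the victim-side indicators the article describes. The nx
// versions, auxiliary package names and repository name pattern come from the
// article; the lockfile, shell rc and repository list are constructed samples.
const COMPROMISED_NX = new Set(['20.9.0', '20.10.0', '20.11.0', '20.12.0',
                                '21.5.0', '21.6.0', '21.7.0', '21.8.0']);
const AUXILIARY = new Set(['@nx/devkit', '@nx/enterprise-cloud', '@nx/eslint',
                           '@nx/js', '@nx/key', '@nx/node', '@nx/workspace']);

// package-lock.json (lockfileVersion 2/3) records resolved versions under
// "packages", keyed by install path such as "node_modules/nx".
function auditLockfile(lockJson) {
  const result = { nx: [], auxiliaryPresent: [] };
  for (const [path, info] of Object.entries(JSON.parse(lockJson).packages || {})) {
    const name = path.replace(/^.*node_modules\//, '');
    if (name === 'nx' && COMPROMISED_NX.has(info.version)) result.nx.push(`nx@${info.version}`);
    if (AUXILIARY.has(name)) result.auxiliaryPresent.push(`${name}@${info.version}`);
  }
  return result; // auxiliary hits still need their version checked against the advisory
}

// The payload appended a shutdown command to shell rc files, so any uncommented
// line that would invoke shutdown on a new shell is an indicator.
function shutdownLinesInRc(rcText) {
  return rcText.split('\n')
    .map((text, i) => ({ line: i + 1, text: text.trim() }))
    .filter(({ text }) => !text.startsWith('#') && /(^|[;&|]\s*)(sudo\s+)?shutdown\b/.test(text));
}

// Exfiltration repositories were created in the victim's own account under
// the name pattern s1ngularity-repository followed by a numeric or random suffix.
function exfilRepos(repoNames) {
  return repoNames.filter((name) => /^s1ngularity-repository/.test(name));
}

const SAMPLE_LOCK = JSON.stringify({ // constructed
  lockfileVersion: 3,
  packages: { '': { name: 'demo-app' },
              'node_modules/nx': { version: '21.5.0' },
              'node_modules/@nx/devkit': { version: '21.5.0' },
              'node_modules/left-pad': { version: '1.3.0' } },
});
const SAMPLE_RC = [ // constructed
  'export PATH="$HOME/bin:$PATH"',
  '# note: shutdown should never appear below',
  'sudo shutdown -h now',
].join('\n');
const SAMPLE_REPOS = ['demo-app', 's1ngularity-repository-0042', 's1ngularity-repository-k3x9q']; // constructed
```

On a real machine, feed it the project's package-lock.json, ~/.bashrc and ~/.zshrc, and the list of repository names from the GitHub account.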
Potential Bottlenecks
The attack’s success relied on several systemic weaknesses in the open source supply chain. The compromised packages lacked provenance—a mechanism that allows cryptographic verification of package origin and integrity. Without provenance enforcement, malicious packages published with stolen credentials are indistinguishable from legitimate releases.
The GitHub Actions workflow vulnerability exploited the pull_request_target trigger, which provides elevated GITHUB_TOKEN permissions to external pull requests. Combined with unsanitized pull request titles that enabled code injection, this created a direct pathway for attackers to inject arbitrary commands into the CI/CD pipeline without requiring direct repository access.
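The workflow weakness described here (pull_request_target granting a privileged GITHUB_TOKEN, combined with a PR title expanded straight into a shell step) can be caught by a simple linter. The following is an added example and not the Nx project's own workflow or code; both sample workflows are constructed, and the hardened variant passes the title through an environment variable so the shell receives it as data rather than script.

```javascript
// Added example, not the Nx project's workflow or code: a minimal linter for the
// GitHub Actions pattern above. It flags workflows that trigger on
// pull_request_target (privileged GITHUB_TOKEN) and expand an attacker-controlled
// github.event.* field inside `run:`, where `${{ }}` is substituted into the
// script before the shell parses it. The two sample workflows are constructed.
const UNTRUSTED_FIELD =
  /\$\{\{\s*github\.event\.(?:pull_request\.(?:title|body|head\.(?:ref|label))|issue\.(?:title|body)|comment\.body|head_commit\.message)\s*\}\}/;

// Inline `run: ...` values are checked directly; a block scalar (`run: |`) is
// checked on every more-indented line that follows it.
function findRunInjections(workflowYaml) {
  const findings = [];
  let runIndent = -1; // indent of the current `run:` entry, -1 when outside one
  workflowYaml.split('\n').forEach((line, i) => {
    const m = line.match(/^(\s*)(?:-\s+)?run:\s*(.*)$/);
    if (m) {
      runIndent = m[1].length;
      if (UNTRUSTED_FIELD.test(m[2])) findings.push({ line: i + 1, text: line.trim() });
      return;
    }
    if (runIndent < 0) return;
    if (line.trim() !== '' && line.match(/^\s*/)[0].length <= runIndent) { runIndent = -1; return; }
    if (UNTRUSTED_FIELD.test(line)) findings.push({ line: i + 1, text: line.trim() });
  });
  return findings;
}

function auditWorkflow(workflowYaml) {
  const privileged = /\bpull_request_target\b/.test(workflowYaml);
  const injections = findRunInjections(workflowYaml);
  return { privileged, injections, exploitable: privileged && injections.length > 0 };
}

// Vulnerable: the PR title is pasted into the shell script verbatim.
const VULNERABLE = [
  'on: [pull_request_target]', 'jobs:', '  check:', '    steps:',
  '      - run: |',
  '          echo "Validating PR: ${{ github.event.pull_request.title }}"',
].join('\n');

// Hardened: the same value is passed through env, so the shell receives it as data.
const HARDENED = [
  'on: [pull_request_target]', 'jobs:', '  check:', '    steps:',
  '      - env:',
  '          TITLE: ${{ github.event.pull_request.title }}',
  '        run: |',
  '          echo "Validating PR: $TITLE"',
].join('\n');
```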
The weaponization of AI coding agents also exposed a fundamental tension in the design of AI-assisted development tools. The dangerous flags that bypass permission checks exist because automation workflows require them, but their availability means that any code executing on a developer’s machine can potentially hijack the AI assistant’s capabilities for malicious purposes.
Final Verdict
The s1ngularity attack represents a paradigm shift in supply chain security. By turning AI coding assistants against their own users, the attackers demonstrated that the growing ecosystem of AI development tools introduces new attack surfaces that traditional security models are not equipped to handle. With Bitcoin trading at approximately $111,222 and the crypto ecosystem firmly in the crosshairs of sophisticated threat actors, developers must recognize that their tools can be weaponized as easily as their code. The lesson is clear: in the age of AI-assisted development, the boundary between helpful tool and attack vector is thinner than anyone imagined.
Disclaimer: This article is for informational purposes only and does not constitute cybersecurity advice. If you installed affected Nx versions, rotate your credentials immediately and check for s1ngularity-repository repositories in your GitHub account.
weaponizing AI coding agents to steal secrets is a new attack vector. claude, gemini, q CLI all targeted. the attack surface of dev tools is expanding fast
pull_request_target giving write permissions to PR code is a GitHub Actions footgun that keeps happening. AI just made the exploit payload easier to generate
using claude code to generate the malicious CI config is the part that should scare every dev team. your AI assistant can be weaponized against you
the scary part is the PR looked normal on review. Claude Code generated valid-looking CI config with a subtle exfil webhook buried in env vars. human reviewers rubber stamped it
1000+ GitHub tokens exposed because of one PR. if you touched nx between versions 20.9.0 and 21.8.0 you were cooked. supply chain attacks are getting surgical