Embedded Malicious Code Affecting @nx/eslint package, versions =21.5.0


Severity: critical (CVSS assessment by Snyk's Security Team)

Threat Intelligence

Exploit Maturity: Attacked

  • Snyk ID: SNYK-JS-NXESLINT-12205637
  • published: 27 Aug 2025
  • disclosed: 27 Aug 2025
  • credit: Jahred Hope, Khánh Hoàng

Introduced: 27 Aug 2025

Malicious package; CVE: not available; CWE-506

How to fix?

Avoid using all malicious instances of the @nx/eslint package.

Overview

@nx/eslint is an AI-first build platform that connects everything from your editor to CI, helping you deliver fast without breaking things.

Affected versions of this package are vulnerable to Embedded Malicious Code through a malicious postinstall script that triggers a file named telemetry.js. A malicious actor compromised the credentials of one of the maintainers, which allowed the attacker to publish tampered versions of the package to npm.

Malicious Behavior

The malicious code collects sensitive information from the user's system, including cryptocurrency wallets, development credentials like GitHub tokens, npm tokens, and SSH keys. It then exfiltrates this data by creating a public GitHub repository named s1ngularity-repository-* and uploading the stolen information to it. To cover its tracks and disrupt the user's system, the script adds a command to the user's shell configuration files (.bashrc and .zshrc) that attempts to shut down the system every time a new terminal session is opened.
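A triage helper for the indicators this advisory describes: the listed malicious version of @nx/eslint, the s1ngularity-repository-* naming of the exfiltration repository, and a shutdown command appended to .bashrc/.zshrc. This is an added example, not code from Snyk or the Nx project; the shutdown heuristic and the sample inputs are constructed, since the advisory does not quote the exact command the payload writes.

```python
import re
from typing import Dict, List

# Version this advisory lists as malicious for @nx/eslint (taken from the page).
MALICIOUS_VERSIONS = {"@nx/eslint": {"21.5.0"}}

# Exfiltration repository naming pattern described in the advisory.
EXFIL_REPO_RE = re.compile(r"^s1ngularity-repository-")

# Heuristic (assumption): the advisory says a shutdown command is appended to
# .bashrc/.zshrc but does not quote it, so any non-comment line invoking
# shutdown is flagged for manual review.
SHUTDOWN_RE = re.compile(r"\bshutdown\b")


def find_malicious_deps(installed: Dict[str, str]) -> List[str]:
    """installed maps package name -> version, e.g. parsed from a lockfile."""
    return [f"{name}@{ver}" for name, ver in installed.items()
            if ver in MALICIOUS_VERSIONS.get(name, set())]


def scan_shell_rc(rc_text: str) -> List[int]:
    """Return 1-based line numbers of a .bashrc/.zshrc body that call shutdown."""
    return [i for i, line in enumerate(rc_text.splitlines(), start=1)
            if not line.lstrip().startswith("#") and SHUTDOWN_RE.search(line)]


def is_exfil_repo(repo_name: str) -> bool:
    """True if a repository name matches the s1ngularity-repository-* pattern."""
    return bool(EXFIL_REPO_RE.match(repo_name))


def triage(installed: Dict[str, str], rc_text: str, repo_names: List[str]) -> Dict[str, list]:
    """Combine the three checks into one report for an incident responder."""
    return {
        "malicious_dependencies": find_malicious_deps(installed),
        "rc_shutdown_lines": scan_shell_rc(rc_text),
        "exfil_repos": [r for r in repo_names if is_exfil_repo(r)],
    }


# Constructed sample inputs (not real data from any affected host).
SAMPLE_INSTALLED = {"@nx/eslint": "21.5.0", "eslint": "9.9.0"}
SAMPLE_RC = ("export PATH=$HOME/bin:$PATH\n"
             "# shutdown mentioned in a comment should not be flagged\n"
             "sudo shutdown -h now\n")
SAMPLE_REPOS = ["my-app", "s1ngularity-repository-abc123"]

if __name__ == "__main__":
    print(triage(SAMPLE_INSTALLED, SAMPLE_RC, SAMPLE_REPOS))
```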

Notes:

  • The malicious versions and their contents have been removed from the official package manager.
  • The maintainers have provided additional information about the compromise in issues 32522 and 32523.
  • The maintainers have published IoCs as well as specific remediation advice on GitHub.
  • The issue is currently under investigation, and this advisory will be updated as new information is discovered.
