2396282 – (CVE-2025-10894) CVE-2025-10894 nx: nx/devkit: Malicious versions of nx and plugins published to npm

Bug 2396282 (CVE-2025-10894) - CVE-2025-10894 nx: nx/devkit: Malicious versions of nx and plugins published to npm

Summary: CVE-2025-10894 nx: nx/devkit: Malicious versions of nx and plugins published ...

Keywords:
Status:	NEW
Alias:	CVE-2025-10894
Deadline:	2025-09-23
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	high
Severity:	high
Target Milestone:	---
Assignee:	Product Security DevOps Team
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2025-09-17 22:15 UTC by OSIDB Bzimport
Modified:	2025-09-24 14:45 UTC (History)
CC List:	37 users (show)
Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Description OSIDB Bzimport 2025-09-17 22:15:18 UTC

Malicious versions of the nx package, as well as some supporting plugin packages, were published to npm, containing code that scans the file system, collects credentials, and posts them to GitHub as a repo under user's accounts.

Note You need to log in before you can comment on or make changes to this bug.

alcohan
caswilli
dhanak
drosa
dsimansk
gparvin
haoli
hkataria
jajackso
jbalunas
jcammara
jmitchel
jneedle
kaycoth
kegrant
kingland
koliveir
kshier
kverlaen
mabashia
matzew
mnovotny
njean
owatkins
pahickey
pbraun
rhaigner
sausingh
security-response-team
shvarugh
simaishi
smcdonal
stcannon
teagle
tfister
thavo
yguenane