{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-10894", "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "state": "PUBLISHED", "assignerShortName": "redhat", "dateReserved": "2025-09-23T16:30:03.636Z", "datePublished": "2025-09-24T21:20:31.242Z", "dateUpdated": "2025-11-20T07:26:10.947Z"}, "containers": {"cna": {"title": "Nx: nx/devkit: malicious versions of nx and plugins published to npm", "metrics": [{"other": {"content": {"value": "Important", "namespace": "https://access.redhat.com/security/updates/classification/"}, "type": "Red Hat severity rating"}}, {"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.6, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H", "version": "3.1"}, "format": "CVSS"}], "descriptions": [{"lang": "en", "value": "Malicious code was inserted into the Nx (build system) package and several related plugins. The tampered package was published to the npm software registry, via a supply-chain attack. Affected versions contain code that scans the file system, collects credentials, and posts them to GitHub as a repo under user's accounts."}], "affected": [{"versions": [{"status": "affected", "version": "20.12.0"}, {"status": "affected", "version": "21.8.0"}, {"status": "affected", "version": "21.7.0"}, {"status": "affected", "version": "20.11.0"}, {"status": "affected", "version": "21.6.0"}, {"status": "affected", "version": "20.10.0"}, {"status": "affected", "version": "20.9.0"}, {"status": "affected", "version": "21.5.0"}], "packageName": "nx", "collectionURL": "https://github.com/nrwl/nx", "defaultStatus": "unaffected"}, {"versions": [{"status": "affected", "version": "20.9.0"}, {"status": "affected", "version": "21.5.0"}], "packageName": "nx/devkit", "collectionURL": "https://github.com/nrwl/nx", "defaultStatus": "unaffected"}, {"versions": [{"status": "affected", "version": "3.2.0"}], "packageName": "nx/enterprise-cloud", "collectionURL": "https://nx.dev/powerpack", "defaultStatus": "unaffected"}, {"versions": [{"status": "affected", "version": "21.5.0"}], "packageName": "nx/eslint", "collectionURL": "https://github.com/nrwl/nx", "defaultStatus": "unaffected"}, {"versions": [{"status": "affected", "version": "20.9.0"}, {"status": "affected", "version": "21.5.0"}], "packageName": "nx/js", "collectionURL": "https://github.com/nrwl/nx", "defaultStatus": "unaffected"}, {"versions": [{"status": "affected", "version": "3.2.0"}], "packageName": "nx/key", "collectionURL": "https://github.com/nrwl/nx", "defaultStatus": "unaffected"}, {"versions": [{"status": "affected", "version": "20.9.0"}, {"status": "affected", "version": "21.5.0"}], "packageName": "nx/node", "collectionURL": "https://github.com/nrwl/nx", "defaultStatus": "unaffected"}, {"versions": [{"status": "affected", "version": "20.9.0"}, {"status": "affected", "version": "21.5.0"}], "packageName": "nx/workspace", "collectionURL": "https://github.com/nrwl/nx", "defaultStatus": "unaffected"}, {"vendor": "Red Hat", "product": "Multicluster Global Hub", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "multicluster-globalhub/multicluster-globalhub-grafana-rhel9", "defaultStatus": "unaffected", "cpes": ["cpe:/a:redhat:multicluster_globalhub"]}, {"vendor": "Red Hat", "product": "OpenShift Serverless", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "openshift-serverless-1/kn-backstage-plugins-eventmesh-rhel8", "defaultStatus": "unaffected", "cpes": ["cpe:/a:redhat:serverless:1"]}, {"vendor": "Red Hat", "product": "Red Hat Advanced Cluster Management for Kubernetes 2", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "rhacm2/acm-grafana-rhel9", "defaultStatus": "unaffected", "cpes": ["cpe:/a:redhat:acm:2"]}, {"vendor": "Red Hat", "product": "Red Hat Ansible Automation Platform 2", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "automation-gateway", "defaultStatus": "unaffected", "cpes": ["cpe:/a:redhat:ansible_automation_platform:2"]}], "references": [{"url": "https://access.redhat.com/security/cve/CVE-2025-10894", "tags": ["vdb-entry", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/security/supply-chain-attacks-NPM-packages"}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2396282", "name": "RHBZ#2396282", "tags": ["issue-tracking", "x_refsource_REDHAT"]}, {"url": "https://github.com/nrwl/nx/security/advisories/GHSA-cxm3-wv7p-598c"}, {"url": "https://www.stepsecurity.io/blog/supply-chain-security-alert-popular-nx-build-system-package-compromised-with-data-stealing-malware"}, {"url": "https://www.wiz.io/blog/s1ngularity-supply-chain-attack"}], "datePublic": "2025-09-23T16:51:00.000Z", "problemTypes": [{"descriptions": [{"cweId": "CWE-506", "description": "Embedded Malicious Code", "lang": "en", "type": "CWE"}]}], "x_redhatCweChain": "CWE-506: Embedded Malicious Code", "timeline": [{"lang": "en", "time": "2025-09-17T21:01:13.505Z", "value": "Reported to Red Hat."}, {"lang": "en", "time": "2025-09-23T16:51:00.000Z", "value": "Made public."}], "providerMetadata": {"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat", "dateUpdated": "2025-11-20T07:26:10.947Z"}}, "adp": [{"references": [{"url": "https://github.com/nrwl/nx/security/advisories/GHSA-cxm3-wv7p-598c", "tags": ["exploit"]}, {"url": "https://www.stepsecurity.io/blog/supply-chain-security-alert-popular-nx-build-system-package-compromised-with-data-stealing-malware", "tags": ["exploit"]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-09-25T13:51:05.714060Z", "id": "CVE-2025-10894", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-09-25T13:51:09.059Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-10894", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2025-09-25T13:51:05.714060Z"}}}], "references": [{"url": "https://github.com/nrwl/nx/security/advisories/GHSA-cxm3-wv7p-598c", "tags": ["exploit"]}, {"url": "https://www.stepsecurity.io/blog/supply-chain-security-alert-popular-nx-build-system-package-compromised-with-data-stealing-malware", "tags": ["exploit"]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-09-25T13:50:58.955Z"}}], "cna": {"title": "Nx: nx/devkit: malicious versions of nx and plugins published to npm", "metrics": [{"other": {"type": "Red Hat severity rating", "content": {"value": "Important", "namespace": "https://access.redhat.com/security/updates/classification/"}}}, {"format": "CVSS", "cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 9.6, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}], "affected": [{"versions": [{"status": "affected", "version": "20.12.0"}, {"status": "affected", "version": "21.8.0"}, {"status": "affected", "version": "21.7.0"}, {"status": "affected", "version": "20.11.0"}, {"status": "affected", "version": "21.6.0"}, {"status": "affected", "version": "20.10.0"}, {"status": "affected", "version": "20.9.0"}, {"status": "affected", "version": "21.5.0"}], "packageName": "nx", "collectionURL": "https://github.com/nrwl/nx", "defaultStatus": "unaffected"}, {"versions": [{"status": "affected", "version": "20.9.0"}, {"status": "affected", "version": "21.5.0"}], "packageName": "nx/devkit", "collectionURL": "https://github.com/nrwl/nx", "defaultStatus": "unaffected"}, {"versions": [{"status": "affected", "version": "3.2.0"}], "packageName": "nx/enterprise-cloud", "collectionURL": "https://nx.dev/powerpack", "defaultStatus": "unaffected"}, {"versions": [{"status": "affected", "version": "21.5.0"}], "packageName": "nx/eslint", "collectionURL": "https://github.com/nrwl/nx", "defaultStatus": "unaffected"}, {"versions": [{"status": "affected", "version": "20.9.0"}, {"status": "affected", "version": "21.5.0"}], "packageName": "nx/js", "collectionURL": "https://github.com/nrwl/nx", "defaultStatus": "unaffected"}, {"versions": [{"status": "affected", "version": "3.2.0"}], "packageName": "nx/key", "collectionURL": "https://github.com/nrwl/nx", "defaultStatus": "unaffected"}, {"versions": [{"status": "affected", "version": "20.9.0"}, {"status": "affected", "version": "21.5.0"}], "packageName": "nx/node", "collectionURL": "https://github.com/nrwl/nx", "defaultStatus": "unaffected"}, {"versions": [{"status": "affected", "version": "20.9.0"}, {"status": "affected", "version": "21.5.0"}], "packageName": "nx/workspace", "collectionURL": "https://github.com/nrwl/nx", "defaultStatus": "unaffected"}, {"cpes": ["cpe:/a:redhat:multicluster_globalhub"], "vendor": "Red Hat", "product": "Multicluster Global Hub", "packageName": "multicluster-globalhub/multicluster-globalhub-grafana-rhel9", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "unaffected"}, {"cpes": ["cpe:/a:redhat:serverless:1"], "vendor": "Red Hat", "product": "OpenShift Serverless", "packageName": "openshift-serverless-1/kn-backstage-plugins-eventmesh-rhel8", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "unaffected"}, {"cpes": ["cpe:/a:redhat:acm:2"], "vendor": "Red Hat", "product": "Red Hat Advanced Cluster Management for Kubernetes 2", "packageName": "rhacm2/acm-grafana-rhel9", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "unaffected"}, {"cpes": ["cpe:/a:redhat:ansible_automation_platform:2"], "vendor": "Red Hat", "product": "Red Hat Ansible Automation Platform 2", "packageName": "automation-gateway", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-09-17T21:01:13.505000+00:00", "value": "Reported to Red Hat."}, {"lang": "en", "time": "2025-09-23T16:51:00+00:00", "value": "Made public."}], "datePublic": "2025-09-23T16:51:00.000Z", "references": [{"url": "https://access.redhat.com/security/cve/CVE-2025-10894", "tags": ["vdb-entry", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/security/supply-chain-attacks-NPM-packages"}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2396282", "name": "RHBZ#2396282", "tags": ["issue-tracking", "x_refsource_REDHAT"]}, {"url": "https://github.com/nrwl/nx/security/advisories/GHSA-cxm3-wv7p-598c"}, {"url": "https://www.stepsecurity.io/blog/supply-chain-security-alert-popular-nx-build-system-package-compromised-with-data-stealing-malware"}, {"url": "https://www.wiz.io/blog/s1ngularity-supply-chain-attack"}], "descriptions": [{"lang": "en", "value": "Malicious code was inserted into the Nx (build system) package and several related plugins. The tampered package was published to the npm software registry, via a supply-chain attack. Affected versions contain code that scans the file system, collects credentials, and posts them to GitHub as a repo under user's accounts."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-506", "description": "Embedded Malicious Code"}]}], "providerMetadata": {"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat", "dateUpdated": "2025-11-20T07:26:10.947Z"}, "x_redhatCweChain": "CWE-506: Embedded Malicious Code"}}, "cveMetadata": {"cveId": "CVE-2025-10894", "state": "PUBLISHED", "dateUpdated": "2025-11-20T07:26:10.947Z", "dateReserved": "2025-09-23T16:30:03.636Z", "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "datePublished": "2025-09-24T21:20:31.242Z", "assignerShortName": "redhat"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Malicious code was inserted into the Nx (build system) package and several related plugins. The tampered package was published to the npm software registry, via a supply-chain attack. Affected versions contain code that scans the file system, collects credentials, and posts them to GitHub as a repo under user's accounts."}, {"lang": "es", "value": "Se insert\u00f3 c\u00f3digo malicioso en el paquete Nx (sistema de compilaci\u00f3n) y varios plugins relacionados. El paquete manipulado se public\u00f3 en el registro de software npm, a trav\u00e9s de un ataque a la cadena de suministro. Las versiones afectadas contienen c\u00f3digo que escanea el sistema de archivos, recopila credenciales y las publica en GitHub como un repositorio bajo las cuentas de los usuarios."}], "id": "CVE-2025-10894", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.6, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 6.0, "source": "secalert@redhat.com", "type": "Secondary"}]}, "published": "2025-09-24T22:15:35.423", "references": [{"source": "secalert@redhat.com", "url": "https://access.redhat.com/security/cve/CVE-2025-10894"}, {"source": "secalert@redhat.com", "url": "https://access.redhat.com/security/supply-chain-attacks-NPM-packages"}, {"source": "secalert@redhat.com", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2396282"}, {"source": "secalert@redhat.com", "url": "https://github.com/nrwl/nx/security/advisories/GHSA-cxm3-wv7p-598c"}, {"source": "secalert@redhat.com", "url": "https://www.stepsecurity.io/blog/supply-chain-security-alert-popular-nx-build-system-package-compromised-with-data-stealing-malware"}, {"source": "secalert@redhat.com", "url": "https://www.wiz.io/blog/s1ngularity-supply-chain-attack"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "url": "https://github.com/nrwl/nx/security/advisories/GHSA-cxm3-wv7p-598c"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "url": "https://www.stepsecurity.io/blog/supply-chain-security-alert-popular-nx-build-system-package-compromised-with-data-stealing-malware"}], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-506"}], "source": "secalert@redhat.com", "type": "Secondary"}]}

{"bugzilla": {"description": "nx: nx/devkit: Malicious versions of nx and plugins published to npm", "id": "2396282", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2396282"}, "csaw": false, "cvss3": {"cvss3_base_score": "9.6", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H", "status": "draft"}, "cwe": "CWE-506", "details": ["Malicious code was inserted into the Nx (build system) package and several related plugins. The tampered package was published to the npm software registry, via a supply-chain attack. Affected versions contain code that scans the file system, collects credentials, and posts them to GitHub as a repo under user's accounts."], "name": "CVE-2025-10894", "package_state": [{"cpe": "cpe:/a:redhat:multicluster_globalhub", "fix_state": "Not affected", "package_name": "multicluster-globalhub/multicluster-globalhub-grafana-rhel9", "product_name": "Multicluster Global Hub"}, {"cpe": "cpe:/a:redhat:serverless:1", "fix_state": "Not affected", "package_name": "openshift-serverless-1/kn-backstage-plugins-eventmesh-rhel8", "product_name": "OpenShift Serverless"}, {"cpe": "cpe:/a:redhat:acm:2", "fix_state": "Not affected", "package_name": "rhacm2/acm-grafana-rhel9", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2"}, {"cpe": "cpe:/a:redhat:ansible_automation_platform:2", "fix_state": "Not affected", "package_name": "automation-gateway", "product_name": "Red Hat Ansible Automation Platform 2"}], "public_date": "2025-09-23T16:51:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2025-10894\nhttps://nvd.nist.gov/vuln/detail/CVE-2025-10894\nhttps://access.redhat.com/security/supply-chain-attacks-NPM-packages\nhttps://www.stepsecurity.io/blog/supply-chain-security-alert-popular-nx-build-system-package-compromised-with-data-stealing-malware\nhttps://www.wiz.io/blog/s1ngularity-supply-chain-attack"], "statement": "No Red Hat products are affected. The malicious versions were blocked from being introduced into any internal Red Hat code repositories. The impact is rated Important due to the potential for information leakage, including sensitive account credentials. This attack relied upon AI command-line (CLI) tools which are designed to be used by software developers. For customers using Red Hat systems in production, the presence of such development tools is not expected, further limiting risk.", "threat_severity": "Important"}

{}