Embedded Malicious Code
CVE-2025-10894
Summary
Malicious code was inserted into the Nx (build system) package and several related plugins. The tampered package was published to the npm software registry, via a supply-chain attack. Affected versions contain code that scans the file system, collects credentials, and posts them to GitHub as a repo under user's accounts.
- LOW
- NETWORK
- HIGH
- CHANGED
- REQUIRED
- NONE
- HIGH
- HIGH
CWE-506 - Embedded Malicious Code
The application contains code that appears to be malicious in nature.
References
Advisory Timeline
- Published
