Threat actors published modified versions of the Nx package and some of its supporting libraries to the npm registry with the goal of exfiltrating developer and service credentials. Builds on Vercel are safe from this vulnerability by default. Visit the GitHub advisory to check if your local or other CI environments are impacted. Link to heading Summary A malicious version of the Nx package and some Nx ecosystem libraries were published to the npm registry using a stolen npm token, starting at 6:32 PM EDT on August 26, 2025. The compromised packages were removed from the npm registry by the Nx team, ending at 10:44 PM EDT on the same day. The affected packages contained a postinstall script that scanned the user's file system using an LLM to exfiltrate secrets and credentials when installing an affected package. Exfiltrated secrets were posted as an encoded string into a GitHub repo that the script would create in the victim's GitHub account.…