Summary
Malicious versions of the nx package, as well as some supporting plugin packages, were published to npm. They contain code that scans the file system, collects credentials, and posts them to GitHub as a repo under users' accounts.
Immediate Actions Required
For all users, check if you were impacted
- Check your account's audit logs (https://github.com/settings/security-log?q=action%3Arepo.create) to see if a repo containing s1ngularity-repository in the name was published to your GitHub account. If so, your credentials were likely compromised. Unfortunately, GitHub may have proactively deleted the repo for you. To be safe, rotate any credentials such as GitHub, npm, and anything that may have been in your environment variables.
- Check your local machine to see if there is a file at /tmp/inventory.txt. This file will contain a list of files which the malware probably read from. If this file exists, you have been affected.
- Check https://github.com/[GithubSlug]?tab=repositories&q=s1ngularity-repository to see if a repo containing s1ngularity-repository remains on your GitHub account. If you do not have the repository available to you anymore, reach out to GitHub support and they can provide you the contents of the repository.
- Download the file in the repo for your own records.
- Then, remove the repo from GitHub.
- E-mail security@nrwl.io and we will instruct you on how to decode the file so you are aware of what information was leaked.
- Rotate your credentials and tokens on all of your accounts.
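A shell triage script for the two indicators named in the checks above, added here as an example and not part of the nx advisory. The function names, exit codes and the repo-list file are assumptions; the sample repo name in the comments is constructed.

```shell
#!/bin/sh
# Added example, not code from the nx advisory. Indicators are the two named on
# this page; function names and exit codes are hypothetical.
MARKER='s1ngularity-repository'          # substring of the exfiltration repo name
INVENTORY_DEFAULT='/tmp/inventory.txt'   # file list the malware leaves behind

# Succeeds if the inventory file exists at the given path (default: /tmp).
inventory_present() {
  [ -f "${1:-$INVENTORY_DEFAULT}" ]
}

# Reads repository names (one per line) on stdin and prints those containing
# the marker, e.g. a constructed name such as "s1ngularity-repository-0".
# Fixed-string, case-insensitive match; never fails when nothing matches.
marker_repos() {
  grep -iF -- "$MARKER" || true
}

# triage INVENTORY_PATH REPO_LIST_FILE
# Returns 0 when neither indicator is present, 1 when at least one is.
triage() {
  t_found=0
  if inventory_present "$1"; then
    echo "FOUND: $1 exists ($(wc -l < "$1" | tr -d ' ') paths listed)"
    t_found=1
  fi
  t_hits="$(marker_repos < "$2")"
  if [ -n "$t_hits" ]; then
    echo "FOUND: repositories matching $MARKER:"
    printf '%s\n' "$t_hits" | sed 's/^/  /'
    t_found=1
  fi
  if [ "$t_found" -eq 0 ]; then
    # A clean result does not clear the account: the repo may already have
    # been deleted, so the repo.create audit log entry still has to be checked.
    echo "No indicator found locally or in the repo list; review the audit log."
  fi
  return "$t_found"
}

# Live use (repo names exported with the gh CLI, or pasted from the web UI):
#   gh repo list --limit 1000 --json name --jq '.[].name' > repos.txt
#   sh triage.sh /tmp/inventory.txt repos.txt
if [ "$#" -eq 2 ]; then triage "$1" "$2"; exit $?; fi
```

If the script reports a match, keep a copy of /tmp/inventory.txt and the repository contents before deleting anything, then continue with the rotation steps.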
Rotate your GitHub token
In order to rotate your GitHub token, follow these steps:
- Visit https://github.com/settings/connections/applications/178c6fc778ccc68e1d6a. This is the setting for the GitHub app used by the gh CLI to authenticate itself.
- Revoke access to that app. This will invalidate the OLD token which may have been compromised.
- The next time you run the gh CLI,...