CVE-2025-10894

Summary

Malicious code was inserted into the Nx (build system) package and several related plugins. The tampered package was published to the npm software registry, via a supply-chain attack. Affected versions contain code that scans the file system, collects credentials, and posts them to GitHub as a repo under user's accounts.

Affected Software

VendorProductVersion RangeStatus
20.12.0affected
21.8.0affected
21.7.0affected
20.11.0affected
21.6.0affected
20.10.0affected
20.9.0affected
21.5.0affected
20.9.0affected
21.5.0affected
3.2.0affected
21.5.0affected
20.9.0affected
21.5.0affected
3.2.0affected
20.9.0affected
21.5.0affected
20.9.0affected
21.5.0affected

Weaknesses

  • CWE-506: Embedded Malicious Code

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: poc
    • Automatable: no
    • Technical Impact: total

Additional References

References