
Nx npm attack weaponizes AI coding agents for data theft
Attack vector: stolen credentials, malicious packages
On August 26, 2025, attackers exploited a GitHub Actions injection vulnerability in the Nx repository to steal an npm publishing token. Using those credentials, the threat actors published malicious versions of the `nx` package and related dependencies to npm—the JavaScript package registry used by millions of developers.
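The injection class named above is worth seeing concretely. The following is an added example, not code from the original article or from the Nx project: a small Python scan that flags attacker-controlled `${{ github.event.* }}` expressions interpolated into `run:` steps, run over two constructed workflows, a vulnerable one and its hardened form where the value is passed through an environment variable instead. The workflow contents and the list of untrusted contexts are assumptions.

```python
import re

# Event fields an external contributor controls (PR title/body, branch name,
# issue or comment text). Assumption: illustrative list, not exhaustive.
UNTRUSTED_CONTEXTS = re.compile(
    r"\$\{\{\s*(github\.event\.(pull_request|issue|comment|review|head_commit|commits)"
    r"[^}]*|github\.head_ref)\s*\}\}"
)

def find_run_step_injections(workflow_text: str) -> list:
    """Return (line_number, expression) for each untrusted ${{ }} expression
    interpolated into a `run:` step. A `run: |` block scalar continues while
    the following lines are indented deeper than the `run` key."""
    findings = []
    block_indent = None  # indent of the `run` key while inside a block scalar
    for num, line in enumerate(workflow_text.splitlines(), 1):
        stripped = line.lstrip()
        indent = len(line) - len(stripped)
        if block_indent is not None:
            if stripped and indent <= block_indent:
                block_indent = None  # block ended; re-examine this line below
            else:
                findings += [(num, m.group(0)) for m in UNTRUSTED_CONTEXTS.finditer(line)]
                continue
        m = re.match(r"(-\s+)?run:\s*(.*)$", stripped)
        if not m:
            continue
        key_indent = indent + len(m.group(1) or "")
        if m.group(2).strip() in ("|", ">", "|-", ">-", "|+", ">+"):
            block_indent = key_indent
        else:  # single-line run: script
            findings += [(num, e.group(0)) for e in UNTRUSTED_CONTEXTS.finditer(m.group(2))]
    return findings

# Constructed samples. VULNERABLE splices contributor-controlled text into the
# shell script before it executes; HARDENED hands the same value to the shell
# as an environment variable, so it is treated as data, not as commands.
VULNERABLE = """\
name: pr-title-check
on: pull_request_target
jobs:
  check:
    runs-on: ubuntu-latest
    steps:
      - run: |
          echo "Title: ${{ github.event.pull_request.title }}"
      - run: npm publish --tag ${{ github.head_ref }}
"""
HARDENED = """\
name: pr-title-check
on: pull_request_target
jobs:
  check:
    runs-on: ubuntu-latest
    steps:
      - env:
          PR_TITLE: ${{ github.event.pull_request.title }}
        run: |
          echo "Title: $PR_TITLE"
"""

if __name__ == "__main__":
    for label, text in (("vulnerable", VULNERABLE), ("hardened", HARDENED)):
        print(label, find_run_step_injections(text))
```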
The compromised packages contained code designed to target AI coding assistants actively used during development. Rather than launching a traditional malware payload, the attack took a novel approach: it injected prompt-injection payloads directly into the execution environment of AI-assisted coding tools, attempting to manipulate them into performing unauthorized actions.
Weaponizing autonomous agents
The malicious npm packages checked for the presence of AI coding tools on infected systems and attempted to use those tools to exfiltrate sensitive data. This represents a shift in attack methodology—instead of stealing data directly, the attacker delegated the theft to an autonomous agent (the AI assistant) by poisoning its input through a prompt-injection attack.
The technique leverages a core feature of modern AI coding agents: their ability to execute code, read files, and interact with the development environment with minimal friction. A prompt-injection payload, if successfully crafted, could convince an AI assistant that data exfiltration is a legitimate part of the developer's request, bypassing typical security assumptions.
Scope and discovery
A separate variant, designated Shai-Hulud, later infected multiple npm repositories and jumped to widely used JavaScript and Python packages, broadening the attack surface. The discovery and reporting of these incidents occurred through coordinated security research, though the exact timeline and primary-source attribution remain limited in publicly available reports.
Security researchers identified the attack pattern and confirmed the presence of malicious code in multiple package versions, establishing this as a