npm supply‑chain led to AWS takeover

Researchers traced an npm compromise (tracked as UNC6426) that escalated to AWS admin-level access within 72 hours of the malicious packages being pulled into builds, showing how fast a package-borne attack can pivot into a cloud takeover. The same reporting pushes SBOMs and new tooling, Java SBOM guides and a C/C++ SBOM generator from Manifest, to the front as immediate mitigations for DoD supply-chain blind spots.

The initial Nx "s1ngularity" supply-chain injections on August 26, 2025 embedded a postinstall credential stealer, QUIETVAULT, that uploaded harvested tokens and system data to attacker-created public GitHub repositories following the s1ngularity-repository naming pattern; GitGuardian counted 2,349 stolen credentials from 1,079 developer systems (blog.gitguardian.com).

With those tokens, the operators used Synacktiv's open-source Nord Stream tool to enumerate CI/CD secrets inside the compromised GitHub organizations, found a GitHub-to-AWS OIDC trust whose role trust policy did not constrain the token's "sub" claim (so a workflow in any GitHub repository, not just the intended one, could assume the role), and used an overly permissive Github-Actions-CloudFormation role to deploy a CloudFormation stack with CAPABILITY_NAMED_IAM/CAPABILITY_IAM that created a new IAM role with AdministratorAccess. Those capability flags are only an acknowledgment that the template creates IAM resources; the stack's resources are created with the permissions of the deploying role (or the service role it passes), so a deployment role that may create IAM roles and attach managed policies is already one template away from AdministratorAccess.

Post-compromise activity included S3 data exfiltration, targeted destruction of production resources, and publication of internal repositories to the public internet during the impact phase. Security advisories list 19 malicious Nx package versions released during the August 2025 exposure window (for example @nx versions 20.9.0–21.8.0 and several @nx/* plugins) (truesec.com).

Supply-chain tooling responses landed this week: Manifest publicly announced a C/C++ SBOM generator on March 12, 2026 to address unmanaged C/C++ dependency blind spots, while Java/JVM SBOM guides and CycloneDX tooling (cdxgen) remain available to automate BOM generation for Maven/Gradle and Spring Boot workflows inside CI/CD pipelines (sbomgenerator.com).
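The unscoped OIDC trust is the one step in the chain that a defender can check mechanically. The script below is an added example written for this briefing, not code from GitGuardian, Truesec, Synacktiv or the Nx project, and it uses a hypothetical AWS account ID and repository names. It builds the weak trust policy (audience pinned, no "sub" condition) beside the scoped one, then audits any role trust policy for the GitHub OIDC mistakes that matter: no "sub" condition at all, a wildcarded repository, or a wildcarded branch/environment.

```python
"""Audit an IAM role trust policy for the GitHub Actions OIDC mistake described above:
a trust that pins the audience but never scopes the "sub" claim, so a workflow in any
GitHub repository can mint a token and call sts:AssumeRoleWithWebIdentity."""
import json

GITHUB_OIDC_PROVIDER = "token.actions.githubusercontent.com"
AUD_KEY = f"{GITHUB_OIDC_PROVIDER}:aud"
SUB_KEY = f"{GITHUB_OIDC_PROVIDER}:sub"
EXPECTED_AUD = "sts.amazonaws.com"


def _as_list(value):
    """IAM accepts a scalar or a list in most policy fields; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def github_trust_policy(account_id, sub=None, sub_operator="StringEquals"):
    """Build a GitHub OIDC trust policy. sub=None reproduces the missing-sub
    misconfiguration; a list of subjects scopes the role to those repos/refs.
    The account ID and repository names passed in the examples are hypothetical."""
    condition = {"StringEquals": {AUD_KEY: EXPECTED_AUD}}
    if sub is not None:
        condition.setdefault(sub_operator, {})[SUB_KEY] = list(sub)
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": f"arn:aws:iam::{account_id}:oidc-provider/{GITHUB_OIDC_PROVIDER}"},
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": condition,
        }],
    }


# Constructed examples: the weak trust (audience only) and the repo/branch-scoped one.
WEAK_TRUST_POLICY = github_trust_policy("123456789012")
HARDENED_TRUST_POLICY = github_trust_policy(
    "123456789012", sub=["repo:example-org/deploy-repo:ref:refs/heads/main"])


def _sub_findings(operator, values):
    """Explain why a given sub condition still admits unintended callers."""
    out = []
    for v in values:
        parts = v.split(":")
        # Accepted shapes: repo:ORG/REPO:ref:refs/heads/NAME, repo:ORG/REPO:environment:NAME,
        # repo:ORG/REPO:pull_request. Anything else is treated as unscoped.
        if parts[0] != "repo" or len(parts) < 3:
            out.append(f"sub {v!r} is not a repo-scoped GitHub subject")
            continue
        # '*' is only a wildcard under StringLike; under StringEquals it matches literally.
        wild = operator == "StringLike" and "*" in v
        if wild and "*" in parts[1]:
            out.append(f"sub {v!r} wildcards the repository: any matching repo may assume the role")
        elif wild and "*" in ":".join(parts[2:]):
            out.append(f"sub {v!r} wildcards the ref/environment: any branch or PR of the repo may assume the role")
        elif "*" in v:
            out.append(f"sub {v!r} uses '*' under {operator}; it matches literally and will never match a real token")
    return out


def audit_github_oidc_trust(policy):
    """Return findings for every Allow statement that trusts the GitHub OIDC provider.
    An empty list means each such statement pins aud and scopes sub to a repo and ref."""
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement"))):
        principal = stmt.get("Principal") or {}
        federated = _as_list(principal.get("Federated")) if isinstance(principal, dict) else []
        if stmt.get("Effect") != "Allow" or not any(GITHUB_OIDC_PROVIDER in p for p in federated):
            continue
        # Flatten Condition into {claim_key: (operator, [values])}.
        conditions = {}
        for operator, kv in (stmt.get("Condition") or {}).items():
            for key, val in kv.items():
                conditions[key] = (operator, _as_list(val))
        aud = conditions.get(AUD_KEY)
        if aud is None or aud[1] != [EXPECTED_AUD]:
            findings.append(f"statement {i}: aud not pinned to {EXPECTED_AUD}")
        sub = conditions.get(SUB_KEY)
        if sub is None:
            findings.append(f"statement {i}: no {SUB_KEY} condition: any GitHub repository can assume this role")
        else:
            findings.extend(f"statement {i}: {f}" for f in _sub_findings(*sub))
    return findings


if __name__ == "__main__":
    for name, policy in (("weak", WEAK_TRUST_POLICY), ("hardened", HARDENED_TRUST_POLICY)):
        print(name, json.dumps(audit_github_oidc_trust(policy), indent=2))
```

Feed it the output of `aws iam get-role` (the `AssumeRolePolicyDocument` field) for every role whose trust names the GitHub provider; the weak policy yields exactly one finding, the scoped one none. The audit deliberately treats a StringLike pattern such as `repo:example-org/deploy-repo:ref:refs/heads/*` as a finding, because a branch-wide trust lets anyone who can push a branch (including via a compromised token) reach the deployment role.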

Shared from Scout - Be the smartest in the room.