{"id":"MAL-2025-41439","summary":"Malicious code in @nx/js (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: google-open-source-security (3c2a892d723eab92005e851787f5a482f8d1a64259e6dda10ee1d097c0123a84)\nThe nx project and associated plugins were compromised via a vulnerable\nGitHub workflow that allowed code injection and the theft of an NPM token.\n","aliases":["CVE-2025-10894","GHSA-cxm3-wv7p-598c","MAL-2025-41436","MAL-2025-41437","MAL-2025-41438","MAL-2025-41440","MAL-2025-41441","MAL-2025-41442","MAL-2025-41443"],"modified":"2025-09-25T16:57:06.828602Z","published":"2025-08-27T23:12:13Z","database_specific":{"malicious-packages-origins":[{"modified_time":"2025-08-27T23:12:13Z","import_time":"2025-08-27T23:15:00.587113Z","sha256":"3c2a892d723eab92005e851787f5a482f8d1a64259e6dda10ee1d097c0123a84","source":"google-open-source-security","versions":["20.9.0","21.5.0"]}]},"references":[{"type":"ADVISORY","url":"https://github.com/nrwl/nx/security/advisories/GHSA-cxm3-wv7p-598c"},{"type":"REPORT","url":"https://github.com/nrwl/nx/issues/32522"}],"affected":[{"package":{"name":"@nx/js","ecosystem":"npm","purl":"pkg:npm/%40nx/js"},"versions":["20.9.0","21.5.0"],"database_specific":{"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@nx/js/MAL-2025-41439.json"}}],"schema_version":"1.7.3"}