{"id":"MAL-2025-41443","summary":"Malicious code in nx (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: google-open-source-security (94e241aa8202f641d66991ca134d9c18bf1fecbf8e89c2f2052aa2a7a41e5148)\nThe nx project and associated plugins were compromised via a vulnerable\nGitHub workflow that allowed code injection and the theft of an NPM token.\n","aliases":["CVE-2025-10894","GHSA-cxm3-wv7p-598c","MAL-2025-41436","MAL-2025-41437","MAL-2025-41438","MAL-2025-41439","MAL-2025-41440","MAL-2025-41441","MAL-2025-41442"],"modified":"2025-09-25T16:57:06.828602Z","published":"2025-08-27T23:12:13Z","database_specific":{"malicious-packages-origins":[{"source":"google-open-source-security","modified_time":"2025-08-27T23:12:13Z","versions":["20.9.0","20.10.0","20.11.0","20.12.0","21.5.0","21.6.0","21.7.0","21.8.0"],"import_time":"2025-08-27T23:15:00.562772Z","sha256":"94e241aa8202f641d66991ca134d9c18bf1fecbf8e89c2f2052aa2a7a41e5148"}]},"references":[{"type":"ADVISORY","url":"https://github.com/nrwl/nx/security/advisories/GHSA-cxm3-wv7p-598c"},{"type":"REPORT","url":"https://github.com/nrwl/nx/issues/32522"}],"affected":[{"package":{"name":"nx","ecosystem":"npm","purl":"pkg:npm/nx"},"versions":["20.9.0","20.10.0","20.11.0","20.12.0","21.5.0","21.6.0","21.7.0","21.8.0"],"database_specific":{"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/nx/MAL-2025-41443.json"}}],"schema_version":"1.7.3"}