The NX GitHub Attack: What Happened and How Your Business Can Avoid Being Next

A Quick Recap of the Attack


On 16 September 2025, attackers exploited a GitHub Actions injection vulnerability to steal Nx’s NPM publishing token. With it, they published malicious packages for around four hours before the breach was contained.

If this sounds familiar, it’s because Nx was hit just weeks earlier on 27 August, when 147 packages, including some linked to CrowdStrike, were compromised. That attack was bad enough. This time, though, the malware had worm-like behaviour and did four specific things:


  • Ran TruffleHog and queried cloud metadata endpoints to gather secrets.

  • Stole those secrets and published them to GitHub publicly.

  • Attempted to create a new GitHub Action to exfiltrate data through a malicious webhook.

  • Iterated through repositories the user had access to and flipped them from private to public.


In plain English: the attackers didn’t just want a quick smash-and-grab, they were trying to build persistence, spread, and maximise the blast radius.


Why This Matters for Startups and Scaleups


Even if you don’t use Nx directly, this type of attack is a clear reminder: if attackers can compromise tokens, they can impersonate you, exfiltrate your data, and potentially leak or corrupt code. For small and growing businesses, one poisoned dependency or exposed repo could undermine customer trust overnight.


These incidents highlight a broader trend: identity and token theft is now one of the easiest ways for attackers to bypass all your “perimeter” defenses. Firewalls won’t save you if your access keys are already in an attacker’s hands.


Practical Preventative Measures


Least-Privilege Access

Give every account, service, and token the minimum rights it actually needs. Nothing more. Review those privileges regularly and remove access that’s no longer required.
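The recap above attributes the token theft to a GitHub Actions injection (an untrusted event field interpolated straight into a shell step), and this section asks for least privilege on every token. Both can be checked mechanically. The scanner below is an added example written for this post, not code from Nx or from GitHub: it runs over two constructed workflow files (the vulnerable one interpolates a pull-request title into `run:` and grants `permissions: write-all`; the hardened one passes the title through an `env` variable and declares narrow permissions) and reports line numbers for each finding. The regex of "untrusted" expression contexts and the simple indentation-based YAML walk are assumptions of this example, not an exhaustive definition.

```python
import re

# Constructed sample workflows (not from the Nx repositories).
VULNERABLE_WORKFLOW = """\
name: triage
on:
  pull_request_target:
    types: [opened]
permissions: write-all
jobs:
  triage:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Echo title
        run: |
          echo "New PR: ${{ github.event.pull_request.title }}"
          npm publish --tag next
"""

HARDENED_WORKFLOW = """\
name: triage
on:
  pull_request_target:
    types: [opened]
permissions:
  contents: read
  pull-requests: write
jobs:
  triage:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Echo title
        env:
          PR_TITLE: ${{ github.event.pull_request.title }}
        run: |
          echo "New PR: $PR_TITLE"
"""

# Expression contexts an outside contributor controls (assumed list for this example).
UNTRUSTED = re.compile(
    r"\$\{\{\s*github\.(event\.(issue|pull_request|comment|review|discussion|"
    r"commits|head_commit|workflow_run)\b[^}]*|head_ref)\s*\}\}"
)
RUN_KEY = re.compile(r"\s*(-\s+)?run:\s*(.*)$")


def _indent(line):
    return len(line) - len(line.lstrip(" "))


def scan_workflow(text):
    """Return [(line_no, message)] for injection-prone run steps and weak permissions.

    Line 0 is used for file-level findings. This is a line-oriented walk, not a
    full YAML parser: a 'run: |' block is taken to extend over every following
    line indented deeper than the 'run:' key itself.
    """
    findings = []
    lines = text.splitlines()
    has_permissions = False
    i = 0
    while i < len(lines):
        line = lines[i]
        stripped = line.strip()
        if stripped.startswith("permissions:"):
            has_permissions = True
            if stripped.endswith("write-all"):
                findings.append((i + 1, "overbroad 'permissions: write-all'"))
        m = RUN_KEY.match(line)
        if m:
            body = m.group(2)
            run_lines = [(i + 1, body)]
            if body in ("|", ">", "|-", ">-", ""):  # block scalar: gather the body
                base = _indent(line)
                j = i + 1
                while j < len(lines) and (lines[j].strip() == "" or _indent(lines[j]) > base):
                    run_lines.append((j + 1, lines[j]))
                    j += 1
                i = j - 1
            for n, run_text in run_lines:
                if UNTRUSTED.search(run_text):
                    findings.append((n, "untrusted expression interpolated into shell"))
        i += 1
    if not has_permissions:
        findings.append((0, "no 'permissions:' block; token scope falls back to repository default"))
    return findings


if __name__ == "__main__":
    for name, wf in (("vulnerable", VULNERABLE_WORKFLOW), ("hardened", HARDENED_WORKFLOW)):
        print(name, scan_workflow(wf) or "clean")
```

The hardened workflow is clean because the untrusted value only ever reaches the shell as an environment variable, which the shell does not re-parse, and because the job token is scoped to exactly what the step needs.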


Strong Identity and Token Hygiene


Use short-lived, tightly scoped tokens. Rotate secrets often. Require MFA or hardware keys for all privileged access. Treat credentials like perishable goods: they should never sit around unused or unrotated.
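The three rules in this paragraph (short-lived, tightly scoped, never left unused) can be turned into a review that runs against a credential inventory on a schedule. The script below is an added example for this post, not Nx's tooling: the inventory, the role-to-scope map and the thresholds (30 days maximum age for a non-expiring token, 14 days without use, scope names) are all constructed and assumed values.

```python
from datetime import date

# Policy thresholds (assumed values for this example).
MAX_AGE_DAYS = 30
MAX_UNUSED_DAYS = 14

# Scopes each role is allowed to hold (assumed names, not a real registry's scope list).
ALLOWED_SCOPES = {
    "publish": {"package:publish"},
    "ci": {"repo:read", "packages:read"},
}

# Constructed inventory; no real tokens, only metadata about them.
TOKENS = [
    {"id": "npm-publish-main", "role": "publish", "scopes": {"package:publish"},
     "created": date(2025, 8, 1), "last_used": date(2025, 9, 15), "expires": None},
    {"id": "ci-readonly", "role": "ci", "scopes": {"repo:read", "packages:read"},
     "created": date(2025, 9, 10), "last_used": date(2025, 9, 16), "expires": date(2025, 9, 17)},
    {"id": "legacy-deploy", "role": "ci", "scopes": {"repo:admin", "packages:write"},
     "created": date(2024, 3, 2), "last_used": date(2025, 5, 1), "expires": None},
]


def review_token(tok, today):
    """Return the list of actions a token needs; an empty list means it passes."""
    issues = []
    age = (today - tok["created"]).days
    # Non-expiring tokens must be rotated by hand, so their age is what we police.
    if tok["expires"] is None and age > MAX_AGE_DAYS:
        issues.append(f"rotate: non-expiring token is {age} days old (limit {MAX_AGE_DAYS})")
    if tok["expires"] is not None and tok["expires"] < today:
        issues.append("revoke: expired token still in inventory")
    unused = (today - tok["last_used"]).days
    if unused > MAX_UNUSED_DAYS:
        issues.append(f"revoke: unused for {unused} days (limit {MAX_UNUSED_DAYS})")
    extra = tok["scopes"] - ALLOWED_SCOPES[tok["role"]]
    if extra:
        issues.append(f"narrow: scopes beyond role '{tok['role']}': {sorted(extra)}")
    return issues


def review_inventory(tokens, today):
    """Map token id -> list of required actions for the whole inventory."""
    return {t["id"]: review_token(t, today) for t in tokens}


if __name__ == "__main__":
    for tok_id, issues in review_inventory(TOKENS, date(2025, 9, 17)).items():
        print(tok_id, issues or "ok")
```

The short-lived CI token passes without any special casing: a token that expires on its own never trips the age rule, which is exactly why short lifetimes are cheaper than rotation discipline.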


Zero-Trust Segmentation


Don’t let a breach in one area open the whole house. Segment your systems so lateral movement is difficult. If one component falls, it should feel like hitting a wall, not opening a hallway.


Third-Party Vetting and Monitoring


Audit the tools, services, and integrations you rely on. Make sure vendors follow strong security practices and hold them to account. Monitor their activity in your environment, just as you would your own team’s.


Incident Response and Threat Detection Readiness


Set up logging and anomaly detection, especially for odd token usage or unusual connections. Run tabletop exercises so the team knows what to do when the alarm bells ring. A breach isn’t the time to test your plan for the first time.
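Two of the behaviours listed in the recap (flipping repositories from private to public, and creating a hook to exfiltrate data) leave a distinctive trail in audit logs, and this section asks for detection of exactly that kind of odd token usage and unusual connection. The detector below is an added example for this post, not Nx's or GitHub's code. It runs over constructed, simplified audit events whose field names (`action`, `visibility`, `url`, `ip`) are assumptions of the example rather than GitHub's real audit-log schema, and raises three kinds of alert: a burst of visibility changes by one actor inside a short window, a webhook pointing at a host outside an allowlist, and activity from a source IP not previously seen for that actor.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Constructed audit events (simplified schema, assumed for this example).
EVENTS = [
    {"ts": "2025-09-16T10:00:05Z", "actor": "dev-alice", "action": "repo.access",
     "repo": "acme/app", "visibility": "public", "ip": "203.0.113.10"},
    {"ts": "2025-09-16T10:00:09Z", "actor": "dev-alice", "action": "repo.access",
     "repo": "acme/infra", "visibility": "public", "ip": "203.0.113.10"},
    {"ts": "2025-09-16T10:00:14Z", "actor": "dev-alice", "action": "repo.access",
     "repo": "acme/billing", "visibility": "public", "ip": "203.0.113.10"},
    {"ts": "2025-09-16T10:01:00Z", "actor": "dev-alice", "action": "hook.create",
     "repo": "acme/app", "url": "https://webhook.example.net/collect", "ip": "203.0.113.10"},
    {"ts": "2025-09-16T11:30:00Z", "actor": "dev-bob", "action": "repo.access",
     "repo": "acme/docs", "visibility": "public", "ip": "198.51.100.7"},
    {"ts": "2025-09-16T11:35:00Z", "actor": "dev-bob", "action": "hook.create",
     "repo": "acme/docs", "url": "https://ci.acme.internal/hook", "ip": "198.51.100.7"},
]

# Baselines an organisation would build from its own history (constructed here).
KNOWN_IPS = {"dev-alice": {"198.51.100.5"}, "dev-bob": {"198.51.100.7"}}
HOOK_ALLOWLIST = {"ci.acme.internal"}


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def detect(events, known_ips, hook_allowlist, burst_n=3, window=timedelta(minutes=10)):
    """Return a list of (alert_kind, actor, detail) tuples for the given events."""
    alerts = []
    flips = defaultdict(list)   # actor -> timestamps of private->public changes
    seen_new_ip = set()         # (actor, ip) pairs already alerted on
    for e in sorted(events, key=lambda e: e["ts"]):
        actor, ip = e["actor"], e["ip"]
        # Rule 1: activity from a source address never seen for this actor.
        if ip not in known_ips.get(actor, set()) and (actor, ip) not in seen_new_ip:
            seen_new_ip.add((actor, ip))
            alerts.append(("new-source-ip", actor, ip))
        if e["action"] == "repo.access" and e.get("visibility") == "public":
            flips[actor].append(parse_ts(e["ts"]))
        # Rule 2: a hook delivering to a host outside the allowlist.
        if e["action"] == "hook.create":
            host = urlparse(e["url"]).hostname
            if host not in hook_allowlist:
                alerts.append(("webhook-to-unknown-host", actor, host))
    # Rule 3: burst_n or more visibility changes by one actor inside the window.
    for actor, times in flips.items():
        times.sort()
        for i in range(len(times)):
            j = i
            while j + 1 < len(times) and times[j + 1] - times[i] <= window:
                j += 1
            if j - i + 1 >= burst_n:
                alerts.append(("mass-visibility-change", actor, j - i + 1))
                break
    return alerts


if __name__ == "__main__":
    for alert in detect(EVENTS, KNOWN_IPS, HOOK_ALLOWLIST):
        print(*alert)
```

The single visibility change by dev-bob stays below the burst threshold and his hook targets an allowlisted host, so he produces no alerts; all three alerts belong to the account whose token is being misused, which is the signal an on-call responder needs to start revoking.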


Conclusion


The NX breach is another reminder that modern cyberattacks rarely start with a brute-force break-in. More often, they succeed by tricking someone into handing over the keys or by finding a weakly protected token. For founders and operators, the takeaway is simple: security hygiene is not optional. You don’t need a full security team to make progress, just discipline, clear processes, and regular reviews.

Think of it as housekeeping. If you sweep up little and often, the mess never piles high enough to become unmanageable. Do the same with access controls, credentials, and monitoring, and you’ll make life a lot harder for attackers, and a lot safer for your business.


© 2022-2025 Steel FYI. All rights reserved.