
CVE-2025-10894: Embedded Malicious Code

Severity: Critical
Vulnerability: CVE-2025-10894
Published: Wed Sep 24 2025 (09/24/2025, 21:20:31 UTC)
Source: CVE Database V5

Description

Malicious code was inserted into the Nx (build system) package and several related plugins. The tampered package was published to the npm software registry via a supply-chain attack. Affected versions contain code that scans the file system, collects credentials, and posts them to GitHub as a repo under users' accounts.

AI-Powered Analysis

Last updated: 09/25/2025, 00:08:41 UTC

Technical Analysis

CVE-2025-10894 is a critical supply-chain vulnerability affecting the Nx build system package and several related plugins distributed via the npm software registry. The compromised versions, including 20.9.0 through 21.8.0, contain embedded malicious code that performs unauthorized scanning of the victim's file system to harvest sensitive credentials. These credentials are then exfiltrated by posting them to a GitHub repository created under the user's own account, leveraging their authentication context. This attack vector exploits the trust developers place in widely used build tools and npm packages, enabling attackers to gain access to confidential information such as API keys, tokens, and passwords without requiring prior authentication or elevated privileges. The vulnerability has a CVSS v3.1 base score of 9.6, reflecting its critical nature due to network attack vector, low attack complexity, no privileges required, user interaction needed, and a scope change that impacts confidentiality, integrity, and availability at a high level. Although no known exploits have been observed in the wild yet, the potential for widespread impact is significant given the popularity of Nx in modern JavaScript and TypeScript development workflows. The malicious code’s capability to exfiltrate data to GitHub repositories under the victim’s account also complicates detection and attribution, as it abuses legitimate platforms and user credentials. This vulnerability highlights the risks inherent in software supply chains, where a single compromised package can propagate malicious activity across numerous development environments and production systems.

Potential Impact

For European organizations, the impact of CVE-2025-10894 could be severe, especially for those heavily reliant on JavaScript/TypeScript development and continuous integration pipelines using Nx. The unauthorized credential harvesting can lead to widespread data breaches, exposing sensitive corporate secrets, intellectual property, and internal infrastructure credentials. This can facilitate further lateral movement within networks, unauthorized access to cloud environments, and compromise of critical business applications. The exfiltration method via GitHub repositories also risks leaking proprietary code or configuration files, potentially damaging competitive advantage and violating data protection regulations such as GDPR. Additionally, the compromise of developer environments can undermine software integrity, leading to the injection of malicious code into production builds and subsequent supply chain contamination. The reputational damage and regulatory penalties resulting from such breaches could be substantial for European companies, particularly in sectors like finance, telecommunications, and government where software supply chain security is paramount.

Mitigation Recommendations

To mitigate this threat, European organizations should immediately audit their use of Nx packages and plugins, ensuring they upgrade to patched versions once available. Until patches are released, consider temporarily removing or isolating affected Nx versions from build environments. Implement strict dependency management policies, including verifying package integrity via checksums or signatures and using tools like npm’s audit and supply chain security scanners. Employ runtime monitoring to detect unusual file system access patterns and outbound network connections from developer machines and CI/CD pipelines. Enforce the principle of least privilege for developer accounts and GitHub tokens to limit the impact of credential theft. Additionally, enable multi-factor authentication (MFA) on all developer and service accounts to reduce the risk of account takeover. Organizations should also conduct thorough incident response drills focused on supply chain compromise scenarios and maintain visibility into repository creation and data exfiltration activities on GitHub. Finally, consider adopting software bill of materials (SBOM) practices to track and quickly respond to vulnerabilities in third-party dependencies.
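A first triage step for the dependency audit recommended above, as an added example that is not part of this advisory: a Node.js script that scans a package-lock.json for Nx packages inside the version range the analysis names (20.9.0 through 21.8.0). The range, the `@nx/` scope standing in for the related plugins, and the sample lockfile are assumptions; confirm the exact tampered versions against the upstream Nx and npm advisories before acting on a hit.

```javascript
// Added example, not from the advisory: audit a package-lock.json (lockfileVersion 2/3) for
// Nx packages whose version falls inside the range the advisory text lists as affected.
// ASSUMPTIONS: the range is copied from the advisory prose and the "@nx/" scope is assumed to
// cover the related plugins; confirm both against the upstream Nx/npm advisories.
const AFFECTED_MIN = "20.9.0"; // inclusive, per advisory text
const AFFECTED_MAX = "21.8.0"; // inclusive, per advisory text
// Parse "MAJOR.MINOR.PATCH" into [major, minor, patch]; a pre-release/build suffix is
// dropped, so "21.0.0-beta.1" counts as 21.0.0. Returns null for anything else.
function parseVersion(v) {
  const parts = v.split(/[-+]/)[0].split(".").map((n) => parseInt(n, 10));
  return parts.length === 3 && !parts.some(Number.isNaN) ? parts : null;
}

// Numeric comparison of two parsed versions: -1, 0 or 1.
function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  return 0;
}

const isNxPackage = (name) => name === "nx" || name.startsWith("@nx/");

// Return every installed Nx package (top-level or nested) whose version is in range.
function findAffectedNx(lockfileJson) {
  const packages = JSON.parse(lockfileJson).packages || {};
  const [min, max] = [parseVersion(AFFECTED_MIN), parseVersion(AFFECTED_MAX)];
  const hits = [];
  for (const [path, entry] of Object.entries(packages)) {
    // Keys look like "node_modules/@nx/devkit" or "node_modules/a/node_modules/nx";
    // the root entry ("") and workspace paths have no node_modules prefix and are skipped.
    const idx = path.lastIndexOf("node_modules/");
    if (idx < 0 || !entry.version) continue;
    const name = path.slice(idx + "node_modules/".length);
    const v = parseVersion(entry.version);
    if (isNxPackage(name) && v && compareVersions(v, min) >= 0 && compareVersions(v, max) <= 0) {
      hits.push({ name, version: entry.version, path });
    }
  }
  return hits;
}

// Constructed sample lockfile (not a real project): nx and @nx/devkit should be flagged;
// @nx/js sits just below the range and typescript is unrelated.
const SAMPLE_LOCK = JSON.stringify({ lockfileVersion: 3, packages: {
  "": { name: "demo", version: "1.0.0" },
  "node_modules/nx": { version: "21.5.0" },
  "node_modules/@nx/devkit": { version: "21.5.0" },
  "node_modules/@nx/js": { version: "20.8.9" },
  "node_modules/typescript": { version: "5.6.2" },
} });
console.log(findAffectedNx(SAMPLE_LOCK));
```

To run it against a real project, replace SAMPLE_LOCK with `require("fs").readFileSync("package-lock.json", "utf8")`; nested copies pulled in by other dependencies are reported with their full lockfile path.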


Technical Details

Data Version: 5.1
Assigner Short Name: redhat
Date Reserved: 2025-09-23T16:30:03.636Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 68d487f92f6beace9efc3566

Added to database: 9/25/2025, 12:08:25 AM

Last enriched: 9/25/2025, 12:08:41 AM

Last updated: 9/27/2025, 12:38:36 PM
