CVE-2025-10894: Embedded Malicious Code
Malicious code was inserted into the Nx (build system) package and several related plugins, and the tampered packages were published to the npm software registry via a supply-chain attack. Affected versions contain code that scans the file system, collects credentials, and posts them to GitHub as a repository under the affected users' accounts.
AI Analysis
Technical Summary
CVE-2025-10894 is a critical supply-chain vulnerability discovered in the Nx build system package and several related plugins distributed via the npm software registry. Attackers inserted malicious code into these packages, which were then published and made available for download by developers. The embedded malware executes upon user interaction, scanning the local file system to collect sensitive credentials such as environment variables, configuration files, and possibly authentication tokens. It then exfiltrates this data by creating repositories on GitHub under the compromised user's account, effectively leaking credentials to an attacker-controlled location. The attack leverages the trust developers place in npm packages, which makes it a potent vector for widespread compromise. The vulnerability affects multiple versions of Nx, including 20.9.0 through 21.8.0, and does not require prior authentication or elevated privileges to exploit. The CVSS v3.1 score of 9.6 reflects critical severity: network attack vector, low attack complexity, no privileges required, user interaction required, and a scope change with impact on confidentiality, integrity, and availability. Although no known exploits have been reported in the wild yet, the potential impact is severe because of the credential theft involved and the ability to use stolen credentials to propagate further attacks. The supply-chain nature complicates detection and mitigation, as the malicious code is embedded in legitimate packages widely used in development environments.
Potential Impact
For European organizations, the impact of CVE-2025-10894 is significant, especially for those relying on the Nx build system in their software development lifecycle. Credential theft can lead to unauthorized access to internal systems, cloud environments, and code repositories, enabling attackers to conduct further lateral movement, data exfiltration, or sabotage. The creation of GitHub repositories under compromised accounts can also facilitate the spread of malicious code or leak proprietary information. This vulnerability threatens the confidentiality of sensitive data, the integrity of software builds, and the availability of development resources. Organizations with automated CI/CD pipelines that integrate Nx are particularly vulnerable, as compromised credentials could allow attackers to manipulate build artifacts or inject further malicious code. The supply-chain attack vector also undermines trust in open-source ecosystems, potentially causing broader operational disruptions. European companies in sectors such as finance, telecommunications, and technology, which heavily depend on secure software development practices, face heightened risks of reputational damage, regulatory penalties under GDPR, and financial losses.
Mitigation Recommendations
1. Immediately audit all development environments to identify usage of affected Nx versions (20.9.0 through 21.8.0) and related plugins.
2. Replace compromised packages by upgrading to patched versions once they are released by the maintainers; if unavailable, consider temporarily removing Nx dependencies or using vetted package versions from internal registries.
3. Implement strict npm package policies, including the use of package integrity verification (e.g., npm audit, SRI hashes) and restricting package installation to trusted sources only.
4. Monitor GitHub accounts associated with development teams for unusual repository creation or activity that could indicate credential exfiltration.
5. Enforce multi-factor authentication (MFA) on GitHub and other critical accounts to reduce the impact of stolen credentials.
6. Conduct thorough credential rotation for any secrets or tokens that may have been exposed.
7. Enhance endpoint detection and response (EDR) capabilities to identify suspicious file system scanning or network activity related to this threat.
8. Educate developers about the risks of supply-chain attacks and the importance of verifying package sources and updates.
9. Consider isolating build environments to limit the scope of credential exposure.
10. Collaborate with npm and Nx maintainers for timely updates and threat intelligence sharing.
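The audit in steps 1 and 3 can be automated against a workspace's package-lock.json. The script below is an added example written for this page, not code from Nx, npm, or the advisory's author. It assumes the inclusive version range 20.9.0 through 21.8.0 stated above (check the maintainers' published list of compromised versions for the exact set), an npm lockfile with a packages map (lockfileVersion 2 or 3), and uses a constructed sample lockfile when no path is given. Beyond the version check, it also flags nx or @nx/* entries that lack an integrity hash, since such entries cannot be verified by npm at install time.

```javascript
// Audit an npm lockfile for Nx packages in the affected version range.
// Constructed sample lockfile (not a real project's lockfile); integrity values are placeholders.
const SAMPLE_LOCKFILE = {
  name: "example-workspace",
  lockfileVersion: 3,
  packages: {
    "": { name: "example-workspace", dependencies: { nx: "21.3.0" } },
    "node_modules/nx": { version: "21.3.0", integrity: "sha512-CONSTRUCTED" },
    "node_modules/@nx/devkit": { version: "21.3.0", integrity: "sha512-CONSTRUCTED" },
    "node_modules/@nx/workspace": { version: "20.8.1", integrity: "sha512-CONSTRUCTED" },
    "node_modules/left-pad": { version: "1.3.0", integrity: "sha512-CONSTRUCTED" },
    "node_modules/@nx/eslint": { version: "21.9.0" } // outside the range, but no integrity hash
  }
};

// Version range as stated on this page; assumed inclusive at both ends.
const AFFECTED_RANGE = { low: [20, 9, 0], high: [21, 8, 0] };

// Returns [major, minor, patch]; a leading "v" and any prerelease/build suffix are ignored.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

// Lexicographic compare of two parsed versions: -1, 0 or 1.
function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

function isInAffectedRange(version) {
  const v = parseVersion(version);
  return compareVersions(v, AFFECTED_RANGE.low) >= 0 && compareVersions(v, AFFECTED_RANGE.high) <= 0;
}

// Lockfile keys are paths such as "node_modules/nx" or "a/node_modules/@nx/devkit" (nested installs).
function packageNameFromPath(path) {
  return path.replace(/^.*node_modules\//, "");
}

function isNxPackage(path) {
  const name = packageNameFromPath(path);
  return name === "nx" || name.startsWith("@nx/");
}

// Returns one finding per nx/@nx/* entry that is in the affected range or lacks an integrity hash.
function auditLockfile(lockfile) {
  const findings = [];
  for (const [path, entry] of Object.entries(lockfile.packages || {})) {
    if (path === "" || !isNxPackage(path)) continue;
    const affected = isInAffectedRange(entry.version);
    const missingIntegrity = !entry.integrity;
    if (affected || missingIntegrity) {
      findings.push({ name: packageNameFromPath(path), version: entry.version, affected, missingIntegrity });
    }
  }
  return findings;
}

// Usage: node audit-nx.js [path/to/package-lock.json]; without an argument the sample above is used.
if (typeof require !== "undefined" && require.main === module) {
  const fs = require("fs");
  const lockPath = process.argv[2];
  const lock = lockPath ? JSON.parse(fs.readFileSync(lockPath, "utf8")) : SAMPLE_LOCKFILE;
  const findings = auditLockfile(lock);
  for (const f of findings) console.log(JSON.stringify(f));
  console.log(`${findings.filter((f) => f.affected).length} package(s) in the affected range`);
}
```

Run it from each workspace root in CI; any finding with affected set to true means the lockfile pins a version this page lists as compromised, and a finding with missingIntegrity set to true means npm could not verify that tarball against a hash and the entry should be regenerated from a trusted registry.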
Affected Countries
Germany, United Kingdom, France, Netherlands, Sweden, Ireland
Technical Details
- Data Version: 5.1
- Assigner Short Name: redhat
- Date Reserved: 2025-09-23T16:30:03.636Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 68d487f92f6beace9efc3566
Added to database: 9/25/2025, 12:08:25 AM
Last enriched: 11/20/2025, 7:52:16 AM
Last updated: 2/7/2026, 6:13:10 AM