
CVE-2025-10894: Embedded Malicious Code

Type: Vulnerability
Severity: Critical
Published: Wed Sep 24 2025 (09/24/2025, 21:20:31 UTC)
Source: CVE Database V5

Description

Malicious code was inserted into the Nx (build system) package and several related plugins. The tampered package was published to the npm software registry via a supply-chain attack. Affected versions contain code that scans the file system, collects credentials, and posts them to GitHub as a repo under the user's account.

AI-Powered Analysis

AI analysis last updated: 10/02/2025, 01:07:47 UTC

Technical Analysis

CVE-2025-10894 is a critical supply-chain vulnerability affecting the Nx build system package and several related plugins distributed via the npm software registry. The compromised versions, including 20.9.0 through 21.8.0, contain embedded malicious code that performs unauthorized scanning of the victim's file system to harvest sensitive credentials. These credentials are then exfiltrated by posting them to a GitHub repository created under the victim's own GitHub account, effectively leveraging the victim's identity to conceal the data theft. This attack vector exploits the trust developers place in widely used build tools and their dependencies, making it a potent threat to software development pipelines.

The vulnerability has a CVSS 3.1 score of 9.6, reflecting its critical severity, with an attack vector of network (AV:N), low attack complexity (AC:L), no privileges required (PR:N), but requiring user interaction (UI:R). The scope is changed (S:C), indicating that the vulnerability affects resources beyond the initially vulnerable component. The impact on confidentiality, integrity, and availability is high (C:H/I:H/A:H), meaning the attacker can fully compromise sensitive data, alter system behavior, and disrupt operations.

Although no known exploits are reported in the wild yet, the nature of the vulnerability and the widespread use of Nx in modern JavaScript/TypeScript development environments make exploitation a significant risk. The malicious code's behavior of posting stolen credentials to GitHub under the victim's account is particularly insidious, as it may evade detection by traditional network monitoring and complicate incident response efforts. This supply-chain attack highlights the critical need for rigorous package vetting and monitoring in software development workflows.

Potential Impact

For European organizations, especially those engaged in software development or relying on JavaScript/TypeScript build systems, this vulnerability poses a severe risk. The exfiltration of credentials can lead to unauthorized access to internal systems, source code repositories, and potentially sensitive customer data. The use of victim accounts to post stolen data to GitHub can delay detection and complicate attribution, increasing the window of opportunity for attackers to escalate privileges or move laterally within networks. Given the criticality of the vulnerability and the high CVSS score, exploitation could result in significant operational disruption, intellectual property theft, and reputational damage. Organizations in sectors such as finance, technology, and critical infrastructure, which often have stringent compliance requirements under GDPR and other regulations, may face legal and regulatory consequences if breaches occur. Additionally, the supply-chain nature of the attack means that even organizations with strong perimeter defenses are vulnerable if their development environments consume compromised packages. This threat underscores the importance of securing the software supply chain and monitoring developer tools and dependencies.

Mitigation Recommendations

To mitigate this threat, European organizations should implement the following specific measures:

1) Immediately identify and upgrade all affected Nx package versions to patched releases once available, or temporarily remove the affected packages from build environments until a fix is confirmed.
2) Employ strict package integrity verification mechanisms such as npm package signing and use tools like npm audit or third-party supply-chain security scanners to detect tampered packages.
3) Restrict developer environment network access to limit unauthorized outbound connections, especially to external services like GitHub, unless explicitly required and monitored.
4) Implement robust credential management practices, including the use of ephemeral tokens, environment variables, and secrets management tools, to minimize the exposure of sensitive credentials on local file systems.
5) Monitor GitHub accounts for unusual repository creation or data uploads, leveraging GitHub audit logs and alerts for suspicious activity.
6) Educate development teams about the risks of supply-chain attacks and encourage vigilance when updating dependencies.
7) Consider adopting reproducible builds and locked dependency versions to reduce the risk of automatic ingestion of malicious updates.
8) Integrate runtime detection tools that can identify anomalous file system scanning or unexpected network traffic originating from build tools.

These targeted actions go beyond generic advice by focusing on the unique characteristics of this supply-chain compromise and the specific behaviors of the malicious code.
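The first mitigation step, identifying every affected Nx package in a project, is easiest to do against the npm lockfile rather than against whatever is currently installed, because the lockfile records the exact resolved version of each dependency, including nested copies. The following script is an added example written for this page, not code from the Nx project or from the CVE record. It assumes that the page's phrase "20.9.0 through 21.8.0" denotes a contiguous inclusive range (the vendor's own advisory should be consulted for the exact version list) and that the "related plugins" live in the @nx npm scope. The sample lockfile is constructed for the demonstration and does not describe a real project.

```python
"""Scan an npm lockfile for Nx packages inside the version range this page
reports as compromised (20.9.0 through 21.8.0, treated as inclusive).

Supports lockfileVersion 2/3 ("packages" map keyed by install path) and the
older lockfileVersion 1 nested "dependencies" tree.
"""
import json
import re
import sys

# Version bounds taken from the page's Technical Analysis; the assumption that
# every version between them is affected is ours, not the page's.
AFFECTED_LOW = (20, 9, 0)
AFFECTED_HIGH = (21, 8, 0)

# Assumption: the "nx" package itself plus anything in the @nx scope.
SUSPECT_NAMES = ("nx",)
SUSPECT_SCOPES = ("@nx/",)

_SEMVER = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)")


def parse_version(version):
    """Return (major, minor, patch) or None when the string is not semver-like."""
    match = _SEMVER.match(version.strip())
    if not match:
        return None
    return tuple(int(part) for part in match.groups())


def is_suspect_name(name):
    """True for the nx package or any package in a suspect scope."""
    return name in SUSPECT_NAMES or any(name.startswith(s) for s in SUSPECT_SCOPES)


def in_affected_range(version):
    """True when the version parses and falls inside the inclusive range."""
    parsed = parse_version(version)
    return parsed is not None and AFFECTED_LOW <= parsed <= AFFECTED_HIGH


def iter_lock_entries(lock):
    """Yield (name, version) for every package recorded in the lockfile."""
    packages = lock.get("packages")
    if isinstance(packages, dict):
        for path, meta in packages.items():
            if not path:  # "" is the root project itself, not a dependency
                continue
            # Nested installs look like a/node_modules/b/node_modules/nx;
            # the package name is whatever follows the last node_modules/.
            name = path.rsplit("node_modules/", 1)[-1]
            version = (meta or {}).get("version")
            if version:
                yield name, version
        return

    def walk(deps):  # lockfileVersion 1: recurse through nested dependencies
        for name, meta in (deps or {}).items():
            version = meta.get("version")
            if version:
                yield name, version
            yield from walk(meta.get("dependencies"))

    yield from walk(lock.get("dependencies"))


def find_affected(lock):
    """Return a sorted, de-duplicated list of (name, version) hits."""
    hits = {
        (name, version)
        for name, version in iter_lock_entries(lock)
        if is_suspect_name(name) and in_affected_range(version)
    }
    return sorted(hits)


# Constructed sample lockfile: two hits, one newer @nx plugin, one unrelated
# package, and a nested nx copy below the affected range.
SAMPLE_LOCK = {
    "name": "example-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "example-app", "version": "1.0.0"},
        "node_modules/nx": {"version": "21.3.0"},
        "node_modules/@nx/devkit": {"version": "21.3.0"},
        "node_modules/@nx/workspace": {"version": "21.9.1"},
        "node_modules/left-pad": {"version": "1.3.0"},
        "node_modules/some-tool/node_modules/nx": {"version": "20.8.9"},
    },
}

if __name__ == "__main__":
    # Usage: python scan_nx_lock.py [path/to/package-lock.json]
    lock = SAMPLE_LOCK if len(sys.argv) < 2 else json.load(open(sys.argv[1]))
    for name, version in find_affected(lock):
        print(f"AFFECTED {name}@{version}")
```

Run it without arguments to see the two constructed hits, or pass a real package-lock.json path. A non-empty result is a signal to treat the machine that ran `npm install` against that lockfile as potentially exposed, since the page describes the malicious code as running on the developer's file system, so the response is credential rotation and GitHub account review, not only a version bump.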


Technical Details

Data Version: 5.1
Assigner Short Name: redhat
Date Reserved: 2025-09-23T16:30:03.636Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 68d487f92f6beace9efc3566

Added to database: 9/25/2025, 12:08:25 AM

Last enriched: 10/2/2025, 1:07:47 AM

Last updated: 11/10/2025, 8:47:12 PM

Views: 94
