CVE-2025-10894

CRITICAL 9.6

Nx: nx/devkit: malicious versions of nx and plugins published to npm

CVSS Score

9.6

EPSS Score

0.0%

EPSS Percentile

0th

Malicious code was inserted into the Nx (build system) package and several related plugins. The tampered package was published to the npm software registry, via a supply-chain attack. Affected versions contain code that scans the file system, collects credentials, and posts them to GitHub as a repo under user's accounts.

CWE	CWE-506
Published	Sep 24, 2025
Last Updated	Nov 20, 2025

Stay Ahead of the Next One

Get instant alerts for

Be the first to know when new critical vulnerabilities are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

Required

Scope

Changed

Confidentiality

High

Integrity

High

Availability

High

Affected Versions

Red Hat / Multicluster Global Hub

All versions affected

Red Hat / OpenShift Serverless

All versions affected

Red Hat / Red Hat Advanced Cluster Management for Kubernetes 2

All versions affected

Red Hat / Red Hat Ansible Automation Platform 2

All versions affected

References

NVD ↗ CVE.org ↗ EPSS Data ↗

access.redhat.com: https://access.redhat.com/security/cve/CVE-2025-10894 access.redhat.com: https://access.redhat.com/security/supply-chain-attacks-NPM-packages bugzilla.redhat.com: https://bugzilla.redhat.com/show_bug.cgi?id=2396282 github.com: https://github.com/nrwl/nx/security/advisories/GHSA-cxm3-wv7p-598c stepsecurity.io: https://www.stepsecurity.io/blog/supply-chain-security-alert-popular-nx-build-system-package-compromised-with-data-stealing-malware wiz.io: https://www.wiz.io/blog/s1ngularity-supply-chain-attack