How to identify malicious NX versions in your code base

Recently it happened again: A sophisticated supply chain attack was initiated by some malicious actors. The nx-team and several security researchers (1, 2)already reported about this incident.  Find here a quick summary:

What has happened?

nx is a package with a bit more than 23 mil downloads on NPM package registry.  It comprises of several plugins developers use to simplify code management activities, such as some utility functions on writing files, updating configuration (devkit), manage node itself (node) or liniting JavaScript and Typescript code (lint).

The versions around 20.9.0 and 21.5.0 respectively 3.2.0 (key & enterprise-cloud) were maliciously modified. They executed an AI based search assessing local file structures of the developer’s workspace and pulled all sorts of secrets together. These were then published into a public git-repository using the develoepr’s git credentials.

What to do about it?

The very first step would be to identify whether someone in your organization is using the impacted nx tools. Given you are using TrustSource, it may be as simple as opening  the `Component impact report` and search for the impacted components in the given versions, e.g. @nx/devkit in version 21.5.0 or 20.9.0. TrustSource will list you all projects where exactly this component-versions are in the list of transitive dependencies.

This is a good example, why transitive dependencies are so important. nx has about 663 dependent projects, or in other words: there are 663 other tools using nx tools. You may imagine how fast and wide the spread may be.

However, given a project is using the impacted versions, the developers must consider their complete CI/CD chain being compromised. Every developer should check whether they have a repository with `s1ngularity` in its name published throughout the last 2-3 weeks. All credentials you will find in this repository must be accepted as leaked.

But before you are going to replace them, make sure to clean up your workspace!

To get more insights and details of how to cleanup your workspace read this article.

What to learn from it?

We are glad as we are not using this tooling. But it has two interesting learnings for us:

a) So far we were very much focused on the delivery artifact. This is why ts-scan for example, as default, is not including dev-dependencies. To include dev dependencies in your scan, you will need to add the npm:includeDevDependencies parameter. If you never did run a scan using these parameters, it is most likely  that the TrustSource component impact report from above will not show you any findings, despite the tools may be used by your developers.
This is important to understand and the reason why we recommend to inform all developer’s in your organization about the situation. We even recommend to ask providing scans using the above parameter and run the report again over the next days and weeks. Some of the 663 tools using nx may use it under the hood, e.g. nx-python  codegen, reactionary, goodiebag, etc., so that it may not be obvious to your developers.

We further recommend to move the scans containing the dev-dependencies in a separate project/module. Assuming you have project A and it has modules A1 and A2, the scans using the dev-dependencies could target project A-DEV using modules A1 and A2. This would allow you to track all dev dependencies but keep them out of the ordinary compliance flows. projects that do not provide a PROJECTNAME-DEV can be identified simply by sorting the project list ascending.

b) Often dev environments are kept open and less secure. The saying “who should consider breaking this and what could he get?” is often heard. But here you see, what the impact may be. Starting from encryption to information and credential disclosure every developer’s work could be impacted directly. Indirectly this may lead to malicious code introduction, compromising the developer’s products, harm the developer’s company’s reputation and its customer’s business.

While this might not have been a likely event five years ago, today it needs to be taken into account as a reality.  You should setup your dev environments accordingly. (internal package proxies, protected and clearly documented builds (SBOMs), strict protection of CI/CD credentials, api-keys and use of key stores, etc. Introduce the right risk management from the beginning: What could go wrong, if our code is malicious / faulty / hacked? How could that happen? What would be the impact on confidentiality/availability or integrity of our customer’s data / operations / business?

If you need support in answering these questions, feel free to reach out. Our mother company is specialized in supporting its customers in answering such questions and developing strategies on how to secure CI/CD and the development results. See here for more information.