AI-Driven Supply Chain Attack On Nx Dubbed s1ngularity

Since the public disclosure of the "s1ngularity" incident on August 26, 2025, the Wiz Research team has investigated the attack and developed a mitigation response for affected organizations. These approximately 2180 organizations had GitHub accounts compromised. With the immediate threat now subsiding, they present a detailed assessment of the incident's impact, the artificial-intelligence elements, and actionable techniques for threat hunters to leverage during investigations.

Wiz researchers describe the initial intrusion as a compromise of an NPM publishing token for various nx packages through a misconfigured GitHub Action. Attackers exploited this token to publish malicious versions of widely used packages. These malicious payloads harvested sensitive environment variables, such as GitHub and NPM tokens, and then exfiltrated them into publicly accessible GitHub repositories named s1ngularity-repository.

Notably, the malware employed locally configured AI command-line tools to automatically discover and extract additional files. Although GitHub disabled these repositories relatively quickly, attackers had ample time to collect sensitive data.

In a second wave, attackers used the leaked GitHub tokens to convert private repositories into public ones. These repositories often contained further corporate secrets, and the attackers renamed them in a pattern resembling s1ngularity-repository-XXXX.

The final phase of the attack targeted a single organization through two compromised accounts. It involved the generation of repositories titled simply S1ngularity. The specific contents of these repositories remain under analysis, but they underscore the targeted and persistent nature of the operation.

The "s1ngularity" incident sits atop a disturbing trend of GitHub Actions-related supply chain compromises. While earlier breaches like Ultralytics and tj-actions attracted attention, they ultimately caused less damage. Ultralytics deployed crypto miners rather than exfiltrating data, and tj-actions suffered detection early, avoiding widespread impact. By contrast, s1ngularity succeeded where those attempts only threatened.

In its first phase alone, the attack exposed secrets from over 1,700 users. Each affected user's leak included at least a GitHub token. Wiz researchers gathered over one thousand such cases, illuminating the depth of the breach. Other sources corroborate this finding, estimating over 2,000 unique, verified secrets leaked during the attack.

Organizations that appear unaffected may still be at risk. Some users may have executed the infected packages without triggering the exfiltration process. Files containing secrets may exist locally, even offline, and could emerge later in follow-on operations.

This attack underlines a shift in adversary behavior. Attackers increasingly observe and exploit minor GitHub Action misconfigurations, weaponizing small weaknesses into large-scale supply chain operations. The progression from near misses to full-scale breaches signals an urgent need for vigilance.

What Does It Mean for Malware to Be AI-Powered?

The s1ngularity campaign represents a new frontier: automated intelligence embedded within malware. Attackers configured AI-driven CLIs to autonomously detect additional files on compromised systems, such as code repositories or configuration stores, and include them in their exfiltration scope. This marks a departure from traditional malware, which often relies on predefined exfiltration paths. AI-powered malware adapts dynamically to environments and harvests targeted assets without explicit instructions.

This approach elevates the attack's effectiveness and stealth. It enables broader and more opportunistic extraction while reducing manual adversary effort. Security teams must anticipate and defend against malware that uses local intelligence to self-expand.

Wiz Research highlights several novel Tactics, Techniques, and Procedures (TTPs) that researchers and defenders should prioritize:

  • AI-assisted reconnaissance: The malware deployed local AI CLIs to identify files for exfiltration. Security teams should monitor unusual invocation patterns of AI tools, particularly when combined with second-stage exfiltration commands.
  • Abuse of publishing tokens: Attackers leveraged NPM publishing tokens obtained from GitHub Actions for package tampering. Teams should audit token permissions regularly and impose strict least-privilege rules.
  • Automated exfiltration to public repos: The attack redirected stolen secrets into public GitHub repositories named s1ngularity-repository. Monitoring for unexpected repository creation or unauthorized use of deploy tokens can help identify in-progress or post-attack activity.
  • Token misuse to expose private repos: In phase two, attackers publicly exposed private repositories using the leaked GitHub tokens. Security teams should be alerted to sudden privacy changes or renaming events on GitHub, especially when automated.
  • Multi-phase targeting strategy: The attackers deployed multiple waves, including initial data exfiltration and private repo exposure, and then tailored the attack to a specific organization. Incident response should treat each phase as potentially part of a broader campaign and prepare for persistent targeting even after initial containment.

Investigators should search GitHub audit logs for suspicious AI tool commands, deploy or publishing token usage, repository creation or privacy changes, and any spikes in repository cloning or downloads. Correlating these patterns can help reconstruct attacker behavior and identify additional compromised assets.
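The repository-side hunt described above can be sketched as follows. This is an added example, not code from Wiz or from the original article: it flags repository creation under the campaign's names and correlates a private-to-public change with a rename by the same actor. The audit-log field names, the suffix pattern, the 10-minute window and all sample events are assumptions constructed for illustration.

```python
import json
import re

# Names reported for the campaign's repositories: s1ngularity-repository,
# s1ngularity-repository-XXXX and S1ngularity. Suffix charset is an assumption.
NAME_RE = re.compile(r"^s1ngularity(-repository(-[a-z0-9]+)?)?$", re.IGNORECASE)
WINDOW_MS = 10 * 60 * 1000  # assumed correlation window: 10 minutes

# Constructed sample events, one JSON object per line. The field names (action,
# actor, repo, created_at in epoch ms, visibility, old_name) are assumptions
# about the audit-log export; adjust them to the schema you actually receive.
SAMPLE_LOG = """
{"created_at": 1756700000000, "action": "repo.create", "actor": "dev-alice", "repo": "dev-alice/s1ngularity-repository", "visibility": "public"}
{"created_at": 1756710000000, "action": "repo.access", "actor": "dev-bob", "repo": "acme/billing-api", "visibility": "public"}
{"created_at": 1756710040000, "action": "repo.rename", "actor": "dev-bob", "repo": "acme/s1ngularity-repository-ab12c", "old_name": "acme/billing-api"}
{"created_at": 1756715000000, "action": "repo.access", "actor": "dev-carol", "repo": "acme/docs", "visibility": "public"}
{"created_at": 1756716000000, "action": "repo.create", "actor": "dev-dave", "repo": "acme/new-service", "visibility": "private"}
"""


def short(repo):
    """Return the repository name without its owner prefix."""
    return repo.rsplit("/", 1)[-1]


def hunt(log_text):
    """Return (rule, actor, repo) findings for campaign-style repository events."""
    events = [json.loads(line) for line in log_text.splitlines() if line.strip()]
    events.sort(key=lambda e: e["created_at"])
    findings, exposures = [], []  # exposures: (time, actor, repo) made public
    for e in events:
        ts, action, actor, repo = e["created_at"], e["action"], e["actor"], e["repo"]
        if action == "repo.create" and NAME_RE.match(short(repo)):
            findings.append(("exfil-repo-created", actor, repo))
        elif action == "repo.access" and e.get("visibility") == "public":
            exposures.append((ts, actor, repo))
            findings.append(("repo-made-public", actor, repo))
        elif action == "repo.rename" and NAME_RE.match(short(repo)):
            old = e.get("old_name", repo)
            # Escalate when the same actor made this repository public shortly before.
            hit = any(a == actor and ts - t <= WINDOW_MS and short(r) == short(old)
                      for t, a, r in exposures)
            findings.append(("exposed-and-renamed" if hit else "campaign-style-rename", actor, old))
    return findings


if __name__ == "__main__":
    for finding in hunt(SAMPLE_LOG):
        print(finding)
```

Any actor that appears in a finding is a candidate for token revocation, and an "exposed-and-renamed" hit means the repository's contents should be treated as disclosed.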

Security teams can deploy multiple proactive controls to mitigate similar supply chain threats in the future:

  • Strict token governance: Apply the least privilege principle to publishing and deploying tokens. Rotate tokens frequently and restrict their scope to necessary operations only.
  • Secure CI/CD workflows: Harden GitHub Actions and other CI infrastructure. Ensure actions use minimal permissions, pin dependencies to trusted versions, and monitor actions for misconfiguration.
  • AI tool usage monitoring: Treat AI CLIs as potentially sensitive utilities. Track when and how such tools are invoked, especially in environments handling secrets.
  • Repo monitoring and alerting: Configure alerts for repository creation, privacy changes, or unusual naming conventions. Alert on public posting of previously private content or anomalous repository behavior.
  • Incident playbooks for multi-stage attacks: Establish plans that assume attackers may return with new TTPs. Conduct thorough investigations even after apparent containment, and initiate rapid credential rotation upon detection.
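The CI/CD hardening control above can be checked mechanically. The following is an added example, not code from Wiz or the Nx project: a line-based audit of a GitHub Actions workflow that reports actions not pinned to a full commit SHA (the interpretation of "pinned" assumed here) and a missing or write-all `permissions` setting. Both workflows are constructed samples, not the Nx workflow, and the 40-hex value is a placeholder.

```python
import re

# `uses:` reference, e.g. "- uses: owner/repo@ref"; a pinned ref is a full 40-hex commit SHA.
USES_RE = re.compile(r"^\s*(?:-\s*)?uses:\s*['\"]?([^'\"\s#]+)")
SHA_RE = re.compile(r"^[0-9a-f]{40}$")
PERM_RE = re.compile(r"^\s*permissions:\s*(\S*)")

# Constructed workflows. The 40-hex value is a placeholder, not a real commit.
WEAK = """\
on: push
jobs:
  release:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@main
      - run: npm publish
"""
HARDENED = """\
on: push
permissions:
  contents: read
jobs:
  release:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567  # v4 (placeholder SHA)
      - run: npm publish
"""


def audit(workflow_text):
    """Return (line_number, issue) pairs; line 0 marks a file-level issue."""
    findings, saw_permissions = [], False
    for n, line in enumerate(workflow_text.splitlines(), 1):
        code = line.split("#", 1)[0]  # drop trailing YAML comments
        perm = PERM_RE.match(code)
        if perm:
            saw_permissions = True
            if perm.group(1) == "write-all":
                findings.append((n, "token granted write-all"))
        uses = USES_RE.match(code)
        if uses and not uses.group(1).startswith(("./", "docker://")):
            version = uses.group(1).partition("@")[2]
            if not SHA_RE.match(version):
                findings.append((n, "unpinned action: " + uses.group(1)))
    if not saw_permissions:
        findings.append((0, "no permissions block: token uses repository default"))
    return findings
```

Run `audit()` over every file under `.github/workflows/` in CI and fail the build on any finding, so a mutable tag or a broad token scope is caught before it reaches a publishing job.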

Wiz Research's post-incident analysis of s1ngularity illustrates how adversaries increasingly rely on supply chain misconfigurations, rapid automation, and AI tools to amplify their impact. The attack exfiltrated thousands of secrets from hundreds of organizations, leveraged AI for reconnaissance, and executed a multi-phase strategy that outpaced traditional detection mechanisms.

This incident serves as a crucial warning for cybersecurity professionals: trust assumptions in CI/CD, especially around GitHub Actions and credential management, can collapse fast. Combining that with AI-driven tools across dev environments opens unexpected vectors for exfiltration. Proactive monitoring, rigorous token governance, AI usage awareness, and robust incident response playbooks represent essential lines of defense.

Wiz's detailed investigation empowers defenders to detect and mitigate similar threats more effectively. Organizations should assess their current exposure and adapt their security programs to anticipate this evolving threat paradigm. The aftermath of s1ngularity calls for heightened vigilance, rapid adaptation, and a commitment to securing modern software development's increasingly intelligent supply chains.

Karolis Liucveikis
