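# Semgrep Supply Chain rule: flags JavaScript/TypeScript projects that depend
# on one of the exact Nx package versions listed under `depends-on-either`,
# which this rule ties to advisory GHSA-cxm3-wv7p-598c (CWE-506).
rules:
- id: ssc-mal-resp-2025-08-nx-build-compromised
  # The message is what a developer sees in the finding, so it carries the
  # response guidance as well as the detection: the linked StepSecurity
  # write-up describes the payload as data-stealing malware, which means
  # uninstalling alone does not undo the exposure.
  message: >-
    These specific Nx packages/versions contain malicious code. Remove or change
    version immediately. The linked StepSecurity write-up describes the payload
    as data-stealing malware, so removing the package is not sufficient on its
    own. Treat credentials, tokens and keys that were reachable from any
    developer machine or CI runner where one of these versions was installed as
    exposed, rotate them, and follow the remediation steps in the linked
    advisory.
  severity: ERROR
  metadata:
    confidence: HIGH
    category: security
    # No CVE is recorded in this rule; the GHSA id below is the identifier.
    cve: ''
    cwe:
    - 'CWE-506: Embedded Malicious Code'
    ghsa: GHSA-cxm3-wv7p-598c
    publish-date: '2025-08-27T00:00:00Z'
    references:
    - https://github.com/nrwl/nx/security/advisories/GHSA-cxm3-wv7p-598c
    - https://github.com/nrwl/nx/issues/32522
    - https://github.com/nrwl/nx/issues/32523
    - https://www.stepsecurity.io/blog/supply-chain-security-alert-popular-nx-build-system-package-compromised-with-data-stealing-malware
    license: MIT License
    # Empty on purpose as far as this file shows: no fix version is recorded,
    # and the finding is resolved by moving off every version listed below.
    sca-fix-versions: []
    sca-kind: malicious
    # Left as an unquoted integer, exactly as published; quoting it would
    # change the parsed type.
    sca-schema: 20230302
    sca-severity: CRITICAL
    sca-vuln-database-identifier: GHSA-cxm3-wv7p-598c
    technology:
    - js
    - ts
    source: https://semgrep.dev/s/d6GNE
    shortlink: https://semgrep.dev/s/d6GNE
    semgrep.dev:
      rule:
        r_id: 209634
        rv_id: 1140897
        rule_id: oqUk5lJ
        version_id: 5PTereB
        url: https://semgrep.dev/playground/r/5PTereB/semgrep.ssc-mal-resp-2025-08-nx-build-compromised
        origin: custom
  r2c-internal-project-depends-on:
    # Each entry is an exact pin (`==`), so only these precise versions match;
    # neighbouring releases are not flagged by this rule.
    # NOTE(review): coverage is uneven across packages (for example
    # '@nx/eslint' is listed at 21.5.0 only). Reconcile this list against
    # GHSA-cxm3-wv7p-598c before treating a clean scan as proof of no exposure.
    depends-on-either:
    # Core `nx` package.
    - namespace: npm
      package: nx
      version: ==21.5.0
    - namespace: npm
      package: nx
      version: ==20.9.0
    - namespace: npm
      package: nx
      version: ==20.10.0
    - namespace: npm
      package: nx
      version: ==21.6.0
    - namespace: npm
      package: nx
      version: ==20.11.0
    - namespace: npm
      package: nx
      version: ==21.7.0
    - namespace: npm
      package: nx
      version: ==21.8.0
    - namespace: npm
      package: nx
      version: ==20.12.0
    # Scoped `@nx/*` packages; names are quoted because `@` is a reserved
    # YAML indicator at the start of a plain scalar.
    - namespace: npm
      package: '@nx/workspace'
      version: ==21.5.0
    - namespace: npm
      package: '@nx/workspace'
      version: ==20.9.0
    - namespace: npm
      package: '@nx/js'
      version: ==21.5.0
    - namespace: npm
      package: '@nx/js'
      version: ==20.9.0
    - namespace: npm
      package: '@nx/key'
      version: ==3.2.0
    - namespace: npm
      package: '@nx/node'
      version: ==21.5.0
    - namespace: npm
      package: '@nx/node'
      version: ==20.9.0
    - namespace: npm
      package: '@nx/enterprise-cloud'
      version: ==3.2.0
    - namespace: npm
      package: '@nx/eslint'
      version: ==21.5.0
  languages:
  - js
  - ts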
