s1ngularity: supply chain attack in Nx packages
Nx build tooling packages were compromised via a stolen npm token on 26 August 2025, with malicious postinstall scripts using an LLM to exfiltrate credentials before removal roughly four hours later.
Threat actors published modified versions of the Nx package and some of its supporting libraries to the npm registry with the goal of exfiltrating developer and service credentials. Builds on Vercel are safe from this vulnerability by default. Visit the GitHub advisory to check if your local or other CI environments are impacted.

A malicious version of the Nx package and some Nx ecosystem libraries were published to the npm registry using a stolen npm token, starting at 6:32 PM EDT on August 26, 2025. The compromised packages were removed from the npm registry by the Nx team, ending at 10:44 PM EDT on the same day.
The affected packages contained a postinstall script that, when an affected package was installed, scanned the user's file system using an LLM to exfiltrate secrets and credentials. Exfiltrated secrets were posted as an encoded string into a GitHub repo that the script would create in the victim's GitHub account. For more information, visit the advisory on GitHub from the Nx team.

By default, Vercel customers are not impacted, and can only be affected by the compromised Nx packages if they took specific steps leveraging the build container's flexibility. Four conditions are…
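Because the attack ran through npm's install-time lifecycle hooks, a practical local check is to list every package in a dependency tree that declares such a hook and review the unexpected ones. The script below is an added example, not code from Nx, Vercel or the advisory; the node_modules tree it scans is constructed inline, and the package names, versions and script commands in it are placeholders.

```python
"""Audit a node_modules tree for packages that declare install-time
lifecycle scripts (preinstall / install / postinstall), the hook the
compromised Nx packages abused.  Added example, not project code."""
import json
import tempfile
from pathlib import Path

# npm runs these three hooks automatically during `npm install`.
INSTALL_HOOKS = ("preinstall", "install", "postinstall")


def find_install_hooks(node_modules: Path) -> list[dict]:
    """Return every package under node_modules that declares an install hook."""
    findings = []
    for pkg_json in sorted(node_modules.rglob("package.json")):
        try:
            data = json.loads(pkg_json.read_text(encoding="utf-8"))
        except (OSError, json.JSONDecodeError):
            continue  # unreadable or non-JSON file: not a package manifest
        scripts = data.get("scripts") or {}
        hooks = {h: scripts[h] for h in INSTALL_HOOKS if h in scripts}
        if hooks:
            findings.append({
                "name": data.get("name", str(pkg_json.parent)),
                "version": data.get("version", "?"),
                "hooks": hooks,
            })
    return findings


def build_sample_tree() -> Path:
    """Constructed sample tree: one package with a postinstall hook, one
    without.  Versions and commands are placeholders, not real releases."""
    root = Path(tempfile.mkdtemp()) / "node_modules"
    manifests = {
        "nx": {"name": "nx", "version": "0.0.0-constructed",
               "scripts": {"postinstall": "node scripts/setup.js"}},
        "left-pad": {"name": "left-pad", "version": "0.0.0-constructed",
                     "scripts": {"test": "node test.js"}},
    }
    for directory, meta in manifests.items():
        (root / directory).mkdir(parents=True)
        (root / directory / "package.json").write_text(json.dumps(meta))
    return root


if __name__ == "__main__":
    for finding in find_install_hooks(build_sample_tree()):
        print(f"{finding['name']}@{finding['version']}: {finding['hooks']}")
```

Point `find_install_hooks` at a real project's `node_modules` to get the list of packages whose install hooks would run; installing with `npm ci --ignore-scripts` prevents any of them from executing until they have been reviewed.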