Author: Juri Strumpflohner
Word count: 1315
Language: English
Hacker News points: None

Summary

In August 2025, malicious versions of several Nx packages were published to npm after a GitHub Actions injection vulnerability let attackers steal an npm publishing token. The attackers used the token for four hours to publish harmful package versions that scanned user systems for sensitive data and uploaded it to public GitHub repositories. The Nx team responded by removing the affected packages, revoking the compromised token, and adopting stricter release controls, including npm Trusted Publishers and manual approval for releases. The incident did not affect Nx Cloud and was isolated to Nx's open-source packages. The company has since hardened its pipeline by disabling workflows for external contributors and adopting OIDC authentication for package publishing, so that no long-lived publishing token is stored in CI. It also emphasized securing sensitive data locally and using secure credential management. By being transparent about the breach, Nx aims to raise awareness of injection vulnerabilities in GitHub workflows and of the need for rigorous security practices around release automation.