
nrwl/Nx
Open-source monorepo build-tooling project (Nx) maintained by Nrwl; the official repository was used to stage the hidden payload in the GitHub breach.
Last refreshed: 29 May 2026 · Appears in 1 active topic
How was a trusted open-source repository used to deliver malware through VS Code?
Timeline for nrwl/Nx
GitHub's own code cloned via add-on
Cybersecurity: Threats and DefencesWhat is Nx and who makes it?
How was the nrwl/nx repository used in the May 2026 GitHub breach?
What is Nx Cloud?
Background
Nrwl and its Nx repository were exploited in the May 2026 supply-chain attack when attackers planted a malicious commit on the official nrwl/Nx GitHub repository. The trojanised Nx Console extension (v18.95.0) pulled from this compromised commit on startup, using the legitimate repository as a staging point for credential-theft code. The attack combined a publisher-verification gap in the Visual Studio Marketplace with abuse of a trusted open-source repository's CI/CD pipeline.
Nrwl (short for Narwhal) is a US software consultancy and open-source tooling company founded by Jeff Cross and Victor Savkin, both former Angular team members at Google. The company develops Nx, an open-source monorepo build system and development workspace tool, widely adopted by enterprise JavaScript and TypeScript teams. Nx supports code generation, task caching, and dependency graph visualisation for large mono-repository codebases. The Nx Console extension — a VS Code UI for the Nx CLI — was the attack vector's delivery mechanism. Nrwl also offers commercial Nx Cloud services for distributed build caching and CI optimisation.
The nrwl/Nx compromise illustrates that attacker interest in trusted open-source repositories extends beyond npm packages to the editor-tooling ecosystem. Organisations using Nx are typically large engineering teams with broad internal-repository access, making a compromised Nx Console extension a high-value lateral-movement vehicle. The incident prompted broader scrutiny of open-source monorepo tooling's security posture and commit-signing practices.