{}

{}

{}

{"bugzilla": {"description": "nx: nx/devkit: Malicious versions of nx and plugins published to npm", "id": "2396282", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2396282"}, "csaw": false, "cvss3": {"cvss3_base_score": "9.6", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H", "status": "draft"}, "cwe": "CWE-506", "details": ["Malicious code was inserted into the Nx (build system) package and several related plugins. The tampered package was published to the npm software registry, via a supply-chain attack. Affected versions contain code that scans the file system, collects credentials, and posts them to GitHub as a repo under user's accounts."], "name": "CVE-2025-10894", "package_state": [{"cpe": "cpe:/a:redhat:multicluster_globalhub", "fix_state": "Not affected", "package_name": "multicluster-globalhub/multicluster-globalhub-grafana-rhel9", "product_name": "Multicluster Global Hub"}, {"cpe": "cpe:/a:redhat:serverless:1", "fix_state": "Not affected", "package_name": "openshift-serverless-1/kn-backstage-plugins-eventmesh-rhel8", "product_name": "OpenShift Serverless"}, {"cpe": "cpe:/a:redhat:acm:2", "fix_state": "Not affected", "package_name": "rhacm2/acm-grafana-rhel9", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2"}, {"cpe": "cpe:/a:redhat:ansible_automation_platform:2", "fix_state": "Not affected", "package_name": "automation-gateway", "product_name": "Red Hat Ansible Automation Platform 2"}], "public_date": "2025-09-23T16:51:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2025-10894\nhttps://nvd.nist.gov/vuln/detail/CVE-2025-10894\nhttps://access.redhat.com/security/supply-chain-attacks-NPM-packages\nhttps://www.stepsecurity.io/blog/supply-chain-security-alert-popular-nx-build-system-package-compromised-with-data-stealing-malware\nhttps://www.wiz.io/blog/s1ngularity-supply-chain-attack"], "statement": "No Red Hat products are affected. The malicious versions were blocked from being introduced into any internal Red Hat code repositories. The impact is rated Important due to the potential for information leakage, including sensitive account credentials. This attack relied upon AI command-line (CLI) tools which are designed to be used by software developers. For customers using Red Hat systems in production, the presence of such development tools is not expected, further limiting risk.", "threat_severity": "Important"}

{}