Skip to main content
Live Webinar with SANS (June 25)— Agentic CTI Automation for Fun & ProfitRegister Free
Mallory
Back to threat actors

s1ngularity

Also known ass1ngularity

s1ngularity is the name used for a multi-phase August 2025 npm supply-chain intrusion centered on the Nx open-source build system and monorepo management tool. Malicious Nx packages were published to npm after a maintainer token was compromised. The campaign targeted the software supply chain and developer environments, and reporting cited compromise of more than 2,000 GitHub accounts and 7,200 repositories across three phases between August 26 and August 31, 2025. The first phase involved malicious Nx packages that exposed more than 2,000 secrets and 20,000 files; the second phase used leaked GitHub tokens to impact 480 accounts and expose 6,700 private repositories; and a final phase on August 31 targeted a single organization and exposed 500 additional private repositories. The malware executed during package installation, stole developer credentials, and exfiltrated data by creating public GitHub repositories named with the s1ngularity label, including s1ngularity-repository. Reported exposed material included GitHub tokens, SSH keys, configuration files, and npm tokens. The payload also exploited locally installed AI platform CLI tools for reconnaissance and data discovery, and researchers noted that prompt modifications across phases affected the malware’s success. Wiz assessed later Shai-Hulud activity as directly downstream of the late-August 2025 s1ngularity/Nx compromise, with initial GitHub token theft enabling npm token theft and broader package poisoning. Aliases directly mentioned in the content are s1ngularity and Nx (s1ngularity). No high-confidence nation-state attribution is provided in the supplied content.

Share:
Are they targeting you?

Know when an actor pivots toward your sector

Mallory correlates actor tradecraft and target patterns against your stack, your sector, and your geography. See overlap before they land.

Start free trial
MITRE ATT&CK

Tradecraft

9 distinct techniques observed across reporting, grouped by tactic. Hover any cell for the evidence excerpt; click through for MITRE's full description.

8 of 15 tactics15 techniques×N= number of intelligence reports citing this technique
MITRE ATT&CK
TA0001
Initial Access
2 techniques
T1078×2
Valid Accounts
T1195×4
Supply Chain Compromise
T1195.001×2
Compromise Software Dependencies and Development Tools
TA0002
Execution
2 techniques
T1059
Command and Scripting Interpreter
T1574
Hijack Execution Flow
T1574.007
Path Interception by PATH Environment Variable
TA0003
Persistence
1 technique
T1078×2
Valid Accounts
TA0004
Privilege Escalation
1 technique
T1078×2
Valid Accounts
TA0005
Stealth
2 techniques
T1078×2
Valid Accounts
T1574
Hijack Execution Flow
T1574.007
Path Interception by PATH Environment Variable
TA0006
Credential Access
2 techniques
T1528
Steal Application Access Token
T1555×2
Credentials from Password Stores
TA0010
Exfiltration
1 technique
T1041
Exfiltration Over C2 Channel
TA0040
Impact
1 technique
T1485
Data Destruction
ACTIVITY FEED

Recent activity

4 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

4 SOURCESView more in app
bleeping computerNews
Mar 9, 2026
Google: Cloud attacks exploit flaws more than weak credentials

Supply-chain actor behind compromised npm packages used to steal tokens and keys, abuse GitHub-to-AWS OIDC trust, compromise CI/CD pipelines, exfiltrate data, and destroy production and cloud data.

Read more
step security blogNews
Jan 6, 2026
2025 in Review: The Evolution of Supply Chain Security & What's Next

Compromised the Nx build system by publishing malicious npm packages, stealing developer credentials, exfiltrating data, and leveraging AI CLI tools for enhanced reconnaissance.

Read more
wiz blogNews
Sep 16, 2025
Shai-Hulud npm Supply Chain Attack | Wiz Blog

A named activity cluster associated with an earlier supply-chain compromise that stole GitHub tokens, enabling subsequent npm token theft, repository exposure, and the downstream Shai-Hulud mass package poisoning campaign.

Read more
scworldNews
Sep 8, 2025
Massive toll of Nx npm supply chain attack examined

Conducted a multi-phase npm supply chain intrusion targeting Nx, uploading malicious packages to npm, exposing secrets and files, leaking GitHub tokens, compromising GitHub accounts and private repositories, and using a credential-stealing payload that exploited AI platform command-line tools.

Read more
What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: sector and geo overlap with your footprint, the IOCs they’re burning right now, detection coverage, and what to do next.
Start free trial
Target overlap

Match sector + geo + tech-stack targeting against your real footprint.

Tradecraft mapping9

Every observed MITRE ATT&CK technique, grouped by tactic.

Malware arsenal

Families this actor is known to deploy, with IOCs and behavior.

Exploited CVEs

CVEs this actor has used in known campaigns.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Observables

Domains, IPs, and hashes tied to this actor, refreshed continuously.