Malicious versions of Nx and some supporting plugins were published

[BobbyTables2]

ELI5, how was the malicious PR approved and merged?

Are they using AI for automated code review too?

[david_allison]

The workflows were set up to execute with a read/write `GITHUB_TOKEN` for `nx` when a PR was created/edited (no approval necessary).

See the security warnings on `pull_request_target`

https://docs.github.com/en/actions/reference/workflows-and-a...

https://securitylab.github.com/resources/github-actions-prev...

[danr4]

seems like the npm repo got hacked and the compromised version was just uploaded