We’re continuing to work with Microsoft and GitHub to investigate the impact of the malicious Nx Console version 18.95.0. I'll share any updates on X (@jeffbcross and @NxDevTools) as well as in our security advisory: https://t.co/szBoQ3doaX.
Initially, Microsoft indicated to us that there were 28 installs of the malicious version 18.95.0. Based on our own analytics for the compromised version, we currently believe the number of users who received the malicious package may be significantly higher; potentially over 6k installs.
We’ll keep working to determine the actual impact and exposure, and I don’t want to speculate beyond the facts we have right now. But I also don’t want to minimize the situation.
This is my top priority right now. Our team has been, and continues to be, focused on understanding exactly what happened, helping affected users, hardening our systems and release processes, and being as transparent as possible throughout the investigation.
What you're seeing here isn't pigs desiring mudlessness; they just love getting sprayed by a hose.
Pigs like being clean, but don't care about superficial cleanliness. Pigs LOVE mud; they wallow in it and proudly walk around covered in mud the whole day. In fact, they need it to keep them cool and their skin protected in the sun.
Pics of my old pig, Cheddar, enjoying mud naps.
@Aqeel_AT What makes it unaffordable? Pricing is designed for any team shape, i.e. large teams with frequent CI runs pay more (but still economical imo), but indie/small teams are often within our free threshold.
Today we officially deprecated 4 packages that facilitated remote caching with Nx and different cloud providers: nx/s3-cache, nx/gcs-cache, nx/azure-cache and nx/shared-fs-cache. This is a proactive move to discourage a known attack vector in recent supply chain attacks: cache poisoning.
This isn't related to Nx Cloud's remote caching, which has built-in protection against poisoning. These plugins were used by teams who couldn't use Nx Cloud but wanted the speed benefits of distributed task caching.
We published a CVE (CREEP CVE-2025-36852) last year against these packages to make it clear that they shouldn't be used for serious projects because of the inherent design flaw. But we still see the plugins used in irresponsible ways.
Cyber attacks are ramping up, and are only going to get more effective as the tools the attackers use become more powerful. We're no longer compromising by providing tools that we know most users are using irresponsibly.
The notice linked in the next tweet gives more details and recommendations.
Difficult week, but the team showed up for it. Took full responsibility.
Long hours, canceled plans, paused vacations, to do right by the clients, the community, and also to handle this together.
Grateful for the team we have.
@berenddeboer We're going to publish a postmortem tomorrow with full details, including what we did in response to s1ngularity last year, and how this occurred despite changes we made.
GitHub’s report today confirms that the compromised Nx Console extension was used as the initial access vector in this attack.
This is a difficult thing to read as the CEO of Nx, and I want to be direct about it: we take responsibility for the role our software played in this incident.
I’m grateful to the GitHub, Microsoft, and independent security teams that moved quickly to investigate, contain, and share information publicly.
This incident highlights that there need to be deeper, more fundamental changes to how we and other maintainers think about securing developer tooling and open source distribution. We are already making major changes to our publishing, automation, and extension security posture, and we'll continue sharing those changes publicly as we implement them.
We’re also beginning conversations with other high-profile open source maintainers about how we can work together on some of the deeper structural problems around software supply chain security. A lot of the assumptions the ecosystem has operated under for years no longer hold.
Our focus right now is supporting affected users, hardening Nx, and helping push the broader ecosystem toward stronger supply chain security practices.
Updates and guidance:
https://t.co/szBoQ3doaX
We published the detailed security advisory on GitHub and posted about it on X and Discord immediately after patching on Monday. I’m actually still waiting for confirmation from GitHub that Nx Console was the unnamed VSC extension in their postmortem, but I assume it is.
In hindsight, we should have been more skeptical of the 28 users number we got from MS, which made it seem like more of a contained situation. Our team is all hands on deck right now to help the Nx community check if they’re affected, and make sure they know steps to remediate.
@dartilesm It's shocking how difficult it is for any maintainer to get detailed and timely information from npm/MS/GitHub when incidents like this occur.