https://hackread.com
by
Deeba Ahmed
August 28, 2025

A supply chain attack called “s1ngularity” on Nx versions 20.9.0-21.8.0 stole thousands of macOS developer credentials with the help of AI tools.

Asophisticated cyberattack, dubbed the “s1ngularity” attack, has compromised Nx, a popular build platform widely used by software developers. The attack, which began on August 26, 2025, is a supply chain attack, a type of security breach where hackers sneak malicious code into a widely used piece of software, which then infects all the people who use it.

The attack was designed to steal a wide variety of sensitive data, including GitHub tokens, npm authentication keys, and SSH private keys. These credentials are essentially digital keys that provide access to a user’s accounts and systems.

The malicious software also went a step further, targeting API keys for popular AI tools like Gemini, Claude, and Q, demonstrating a new focus on emerging technologies. In addition to stealing data, the attackers installed a destructive payload that modified users’ terminal startup files, causing their terminal sessions to crash.

GitGuardian’s analysis shared with Hackread.com revealed some surprising details about the attack and its victims. The firm found that 85% of the infected systems were running macOS, highlighting the attack’s particular impact on the developer community, which frequently uses Apple computers.

In a curious turn, GitGuardian found that of the hundreds of systems where AI tools were targeted, many of the AI clients unexpectedly resisted the malicious requests. They either outright refused to run the commands or gave responses suggesting they knew they were being asked to do something wrong, showing a potential, though unintentional, new layer of security.
The stolen credentials were not only valuable but also widespread. GitGuardian’s monitoring platform, which tracks public GitHub activity, discovered 1,346 repositories used by the attackers to store stolen data.

To avoid detection, the attackers double-encoded the stolen data before uploading it. This number is far higher than the ten publicly visible repositories, as GitHub was quickly working to delete the rest. An analysis of these repositories revealed 2,349 distinct secrets, with over 1,000 still valid and working at the time of the report. The most common secrets were for GitHub and popular AI platforms.

For anyone who used the malicious Nx versions 20.9.0 through 21.8.0, the most crucial step is to immediately assume that their credentials have been exposed. GitGuardian has created a free service called HasMySecretLeaked that allows developers to check for compromised credentials without ever revealing their actual keys.

This attack reminds us that simply deleting a compromised file is not enough; the actual secret keys and tokens must be revoked and rotated to prevent further access by the attackers.

hackread.com August 18, 2025 - A seller named Chucky_BF is offering 15.8M PayPal logins with emails, passwords, and URLs. The data may come from infostealer malware logs.

A threat actor using the name Chucky_BF on a cybercrime and hacker forum is advertising what they claim to be a massive PayPal data dump. The post describes a trove labeled “Global PayPal Credential Dump 2025,” allegedly containing more than 15.8 million records of email and plaintext password pairs.

The size of the dataset is said to be 1.1GB, and according to the seller, the leak covers accounts from many email providers and users in different parts of the world. What makes this claim threatening is not just the number of exposed accounts but also the type of data said to be included. Other than the email and password combinations, the seller mentions that many records come with URLs directly linked to PayPal services.

Endpoints like /signin, /signup, /connect, and Android-specific URIs are also referenced in the listing. These details suggest that the dump is structured in a way that could make it easier for criminals to automate logins or abuse services.

The description provided by Chucky_BF describes the dataset as a goldmine for cybercriminals. The threat actor claims the records are “raw email:password:url entries across global domains,” warning that this could lead to credential stuffing, phishing schemes, and fraud operations.

A closer look by Hackread.com at the samples posted in the forum shows Gmail addresses paired with passwords and linked directly to PayPal’s login pages, while another features a user account appearing in both web and mobile formats, showing that the same account details were found in different versions of PayPal’s services, both web and mobile.

The way the data is put together is also important. It seems to include a mix of real accounts and test or fake ones, which is often the case with stolen or old databases. The seller claims most of the passwords look strong and unique, but also admits many are reused. That means people who used the same password on other websites could be at risk well outside PayPal.

As for pricing, Chucky_BF is asking for 750 US dollars for full access to the 1.1GB dump. That figure positions it in line with other credential dumps of similar size sold in cybercrime markets, which often find buyers among groups looking to monetize stolen accounts through fraud or resale.

If the claims are accurate, this would represent one of the larger PayPal-focused leaks of recent years, with millions of users across Gmail, Yahoo, Hotmail, and country-specific domains implicated.
Infostealer Logs as the Likely Source
PayPal has never suffered a direct data breach in which attackers broke into its systems or stole millions of user records. Past incidents, including the one that involved 35,000 users, linked to the company have usually been the result of credential stuffing or data harvested elsewhere.

This makes it possible that the newly advertised dataset is not the product of a PayPal system breach at all, but rather the result of infostealer malware collecting login details from infected devices and bundling them together.

The structure of the dataset shown in the samples shared by the threat actor suggests it may have been collected through infostealer malware logs. Infostealers infect personal devices and steal saved login details, browser data, and website activity, which later appear in bulk on cybercrime markets.

The presence of PayPal login URLs and mobile URIs in this dump makes it possible that the information was gathered from infected users worldwide, then compiled to be sold as a single PayPal-focused leak.

Infostealer malware infecting devices worldwide is hardly surprising. In May, cybersecurity researcher Jeremiah Fowler discovered a misconfigured cloud server containing 184 million login credentials, including unique usernames, email addresses, and passwords, which he believes were likely collected using infostealer malware.

According to Hudson Rock, a cybercrime intelligence company, infostealer malware is easily and cheaply available on the dark web. The company’s research also revealed the scale at which these tools have successfully targeted critical infrastructure, including in the United States.

Researchers found that employees at key US defense entities such as the Pentagon, major contractors like Lockheed Martin and Honeywell, military branches, and federal agencies, including the FBI, have also fallen victim to infostealer malware.

As for PayPal, the company itself has not confirmed any such incident, and it is not yet clear whether the dataset is entirely authentic, a mix of real and fabricated records, or a repackaging of older leaks.

Hackread.com has also not been able to verify whether the data is genuine, and only PayPal can confirm or deny the claims. The company has been contacted for comment, and this article will be updated accordingly.