
Executive Summary
On August 28, 2025, a global supply chain attack—dubbed the “s1ngularity incident”—targeted widely used open-source developer packages. While the malware attempted to steal authentication tokens and credentials, Stax.ai systems remain uncompromised.
No unauthorized data access detected.
Temporary sync interruptions occurred during precautionary credential rotations.
Our team executed a rapid, coordinated response to secure systems and protect clients.
This blog explains what happened, why it matters for TPAs, and how we responded.
What Happened
Alerts surfaced about malicious code hidden in several popular open-source packages (collectively downloaded 4.6M+ times weekly). Once installed, the malware attempted to steal credentials and push them into attacker-controlled GitHub repositories.
Because these packages sit deep in the global software supply chain, thousands of organizations were at risk within hours. Upon identification, Nx immediately published a vulnerability notification, officially known as GHSA-cxm3-wv7p-598c. GitHub also began deleting any repositories it found containing credentials that had been stolen from developers’ machines.
At Stax.ai, we immediately launched our incident response process: reviewing exposure, rotating credentials, and isolating any possible risk.
What Is a Supply Chain Attack?
A supply chain attack occurs when attackers compromise the tools and dependencies that software relies on - rather than the software itself.
Think of it like this: if a grocery store receives tainted produce, every shopper who buys it is affected. The store wasn’t hacked, but the supplier was.
In technology, this means:
Malicious code is hidden in trusted tools or packages.
That code spreads downstream into thousands of organizations.
Malware can then steal data, capture credentials, or open backdoors.
Even companies with strong defenses are vulnerable because the weakness lies upstream - in a tool everyone trusts.
Our Immediate Response
Out of caution, we carried out a comprehensive lockdown and remediation:
🔑 Rotated all security keys across our infrastructure.
📑 Paused and rotated payroll sync credentials to protect customer integrations.
📧 Forced reconnections of email sync services, invalidating exposed tokens.
👥 Alerted internal staff, vendors, and contractors to adopt new security hygiene.
🤝 Proactively informed clients and provided hands-on support.
We were notified of this at 10:43 PM EST, upon which our engineers returned to the office and worked late into the night. This wasn’t a “patch and move on” fix - it was a team-wide mobilization to protect our clients.
Who Was Affected
Based on our investigation so far:
Stax.ai systems were not compromised.
Some clients experienced temporary payroll and email sync interruptions during credential resets.
No evidence of unauthorized data access has been found.
We continue 24/7 proactive monitoring.
Why This Matters for TPAs
This incident reinforces a hard truth: cybersecurity risks don’t discriminate. Whether you’re a Fortune 500 company or a small TPA, if you rely on software, you are exposed to the open-source supply chain.
For TPAs, the stakes are unique:
Focus vs. Risk
TPAs excel in retirement plan consulting and compliance—not engineering. Building and maintaining custom systems introduces risk beyond your core business.
The Hidden Cost of DIY
Every custom-built system comes with hidden liabilities: patching, monitoring, rotating credentials, responding to zero-days at 2 a.m. When something breaks—or leaks—the cost multiplies.
Velocity of Attacks
Supply chain exploits spread in hours, not days. By the time small IT teams even notice, attackers may have already stolen sensitive data.
The takeaway: TPAs should not carry this engineering burden.
Your strength lies in plan consulting. Ours lies in building secure, resilient, continuously monitored systems to support you.
Moving Forward
Our commitment is clear:
Resilience: We continue to harden infrastructure, improve monitoring, and accelerate response.
Transparency: When incidents occur, we will always share what we know, what we’ve done, and what comes next.
This is why Stax.ai exists: so TPAs can focus on people and plans while we handle the security and systems.
Security Suggestions for TPAs
Even with Stax.ai carrying the engineering load, TPAs still play a role in protecting themselves. Here are practical steps you can take today:
Credential Hygiene
Rotate admin credentials regularly.
Use password managers with strong policies.
Enable multi-factor authentication (MFA).
Vendor & Contractor Controls
Require secure authentication for vendors.
Audit vendor access quarterly.
Awareness & Training
Train staff to recognize phishing and social engineering.
Provide clear escalation paths for reporting incidents.
System Boundaries
Avoid building custom platforms unless essential.
Rely on specialized vendors with 24/7 monitoring.
Incident Preparedness
Maintain a simple playbook (who to call, what to check).
Regularly review backups and recovery processes.
Final Note
The “s1ngularity” incident is a reminder that cybersecurity is never finished. It demands constant vigilance, expertise, and fast action.
When threats strike, you want a partner who:
Rallies engineers into the office at night.
Works until every system is secured.
Communicates openly with honesty.
That’s what we did this week—and what we’ll continue to do for you.
👉 Let TPAs focus on consulting and guiding retirement plans.
👉 Let Stax.ai focus on engineering, security, and resilience.
If you have questions or would like to speak with our security team, contact us at security@stax.ai