docs: updated compromise descriptions based on feedback provided

Signed-off-by: Yannis Folias <[email protected]>

Author: yfolias

community/catalog/compromises/2025/changed-files.md

@@ -27,8 +27,8 @@ pipelines.
 
 ## Type of Compromise
 
-This is an _Attack Chaining_ type of attack as the attacker combined multiple
-weak links in the software delivery process.
+This is a _Publishing Infrastructure_ type of attack as the attacker targeted a
+GitHub action which is part of the CI/CD and build automation layer.
 
 ## References
 

community/catalog/compromises/2025/ghost-action.md

@@ -21,10 +21,13 @@ open-source distribution chain.
 
 ## Type of Compromise
 
-This compromise falls under _Publishing Infrastructure_ category as the
-attackers were able to compromise the underlying automation layer used to build
-and publish software.
+This compromise falls under the _Malicious Maintainer_ category, as the attackers
+gained access to legitimate GitHub maintainer accounts and leveraged their
+privileges to inject malicious workflow code.
 
 ## References
 
-- [The GhostAction Campaign: 3,325 Secrets Stolen Through Compromised GitHub Workflows](https://blog.gitguardian.com/ghostaction-campaign-3-325-secrets-stolen/)
+- [The GhostAction Campaign: 3,325 Secrets Stolen Through Compromised GitHub Workflows](https://blog.gitguardian.com/ghostaction-campaign-3-325-secrets-stolen)
+- [What We Know About the NPM Supply Chain Attack](https://www.trendmicro.com/en_us/research/25/i/npm-supply-chain-attack.html)
+- ["Shai-Hulud" Worm Compromises npm Ecosystem in Supply Chain Attack (Updated September 23)](https://unit42.paloaltonetworks.com/npm-supply-chain-attack)
+- ["Massive npm infection: the Shai-Hulud worm and patient zero"](https://securelist.com/shai-hulud-worm-infects-500-npm-packages-in-a-supply-chain-attack/117547)

community/catalog/compromises/2025/npm-ecosystem.md

@@ -1,8 +1,8 @@
 <!-- cSpell:ignore Shai Hulud Shai hulud -->
 
-# Widespread npm Ecosystem Supply Chain Attack
+# Widespread npm Ecosystem Compromise
 
-The Widespread npm Supply Chain Attack, which began around September 8, 2025,
+The Widespread npm Ecosystem Compromise, which began around September 8, 2025,
 was a multi-phased incident. The initial phase involved a phishing campaign that
 compromised maintainer accounts, leading to the injection of a
 cryptocurrency-stealing payload into dozens of popular packages (like chalk and
@@ -12,13 +12,11 @@ compromise over 500 npm packages.
 
 ## Impact
 
-This compromise affected hundreds of packages and potentially thousands of
-downstream applications that automatically pulled the malicious versions. The
-injected payloads allowed for credential theft, unauthorized command execution,
-and persistent access in CI/CD environments. The incident exposed the fragility
-of transitive dependency trust and underscored the urgency of enforcing 2FA for
-maintainers, signed package publishing, and dependency integrity verification
-across the npm ecosystem.
+The compromise resulted in a widespread infection across the npm ecosystem,
+affecting hundreds of packages and potentially thousands of downstream
+applications that automatically pulled malicious versions. The injected payloads
+enabled credential theft, unauthorized command execution, and persistent access
+within both developer and CI/CD environments.
 
 ## Type of Compromise
 

community/catalog/compromises/2025/nx-platform.md

@@ -25,11 +25,14 @@ thousands of interconnected development environments.
 
 ## Type of Compromise
 
-This is an _Attack Chaining_ type of attack as it required multiple levels of
-compromise.
+This is an _Attack Chaining_ type of compromise with elements of _Dev Tooling_
+and _Malicious Maintainer_, as the attackers initially leveraged compromised CI
+workflows, published infected Nx packages, and chained the attack to expose
+thousands of private repositories across the ecosystem.
 
 ## References
 
 - [Serious NX build compromise - what you need to know about the s1ngularity attack](https://www.kaspersky.com/blog/nx-build-s1ngularity-supply-chain-attack/54223)
 - [The Nx "s1ngularity" Attack: Inside the Credential Leak](https://blog.gitguardian.com/the-nx-s1ngularity-attack-inside-the-credential-leak/)
 - [s1ngularity Nx Supply Chain Attack: AI-Driven Credential Theft & Mass Exposure](https://hivepro.com/threat-advisory/s1ngularity-nx-supply-chain-attack-ai-driven-credential-theft-mass-exposure/)
+- [s1ngularity: Popular Nx Build System Package Compromised with Data-Stealing Malware](https://www.stepsecurity.io/blog/supply-chain-security-alert-popular-nx-build-system-package-compromised-with-data-stealing-malware)

community/catalog/compromises/README.md

@@ -30,7 +30,7 @@ of compromise needs added, please include that as well.
 | Name              | Year               | Type of compromise    | Link        |
 | ----------------- | ------------------ | ------------------    | ----------- |
 | [Oracle Cloud SSO and Identity Infrastructure Compromise](2025/oracle-cloud.md) | 2025 | Publishing Infrastructure | [1](https://www.cloudsek.com/blog/the-biggest-supply-chain-hack-of-2025-6m-records-for-sale-exfiltrated-from-oracle-cloud-affecting-over-140k-tenants) |
-| [Widespread npm Ecosystem Supply Chain Attack](2025/npm-ecosystem.md) | 2025 |  Malicious Maintainer | [1](https://www.paloaltonetworks.com/blog/cloud-security/npm-supply-chain-attack/) |
+| [Widespread npm Ecosystem Compromise](2025/npm-ecosystem.md) | 2025 |  Malicious Maintainer | [1](https://www.paloaltonetworks.com/blog/cloud-security/npm-supply-chain-attack/) |
 | [Red Hat Consulting GitLab Instance Breach](2025/rh-gitlab-instance.md) | 2025 | Publishing Infrastructure | [1](https://www.redhat.com/en/blog/security-update-incident-related-red-hat-consulting-gitlab-instance) |
 | [The Nx s1ngularity Attack Leading to Credentials Leak](2025/nx-platform.md) | 2025 | Attack Chaining | [1](https://www.kaspersky.com/blog/nx-build-s1ngularity-supply-chain-attack/54223/) |
 | [The GhostAction Github Workflow Injection](2025/ghost-action.md) | 2025 | Publishing Infrastructure | [1](https://blog.gitguardian.com/ghostaction-campaign-3-325-secrets-stolen/) |