fix(nx-dev): small adjustment to the blog post

vsavkin · FrozenPandaz · commit 550c7e37da6b · 2025-07-02T14:37:53.000-04:00
(cherry picked from commit bd898d3)
diff --git a/docs/blog/2025-06-12-cve-2025-36852-critical-cache-poisoning-vulnerability-creep.md b/docs/blog/2025-06-12-cve-2025-36852-critical-cache-poisoning-vulnerability-creep.md
@@ -18,6 +18,10 @@ The CREEP vulnerability allows any contributor with pull request privileges to i
 - Nx Cloud is **NOT** affected due to its security architecture
 - Review this post to determine if your self-hosted cache solution is vulnerable
 
+{% callout type="warn" title="DIY implementations are vulnerable" %}
+DIY remote caches are likely vulnerable. Scanners won't catch all affected implementations, so understanding the vulnerability is crucial.
+{% /callout %}
+
 ## **Understanding the Vulnerability**
 
 A typical remote-cache flow using storage services follows these steps:
@@ -93,5 +97,6 @@ CVE-2025-36852 represents a serious threat to organizations using vulnerable cac
 
 - If your organization uses bucket-based remote caching: immediate action is required
 - If your organization uses other self-hosted remote cache solutions: immediate review required (most self-hosted caching solutions across many build systems—not just JavaScript, but also Java—are affected)
+- If your organization uses custom tasks runners to implement remote caching: immediate review required
 - If using Nx without remote caching: no action is required
 - If using Nx with Nx Cloud: [Review your settings](/ci/concepts/cache-security#use-scoped-tokens-in-ci). If you are using default settings, no actions should be required.
