Full Report
A threat actor known as UNC6426 leveraged keys stolen following the supply chain compromise of the nx npm package last year to completely breach a victim's cloud environment within a span of 72 hours. The attack started with the theft of a developer's GitHub token, which the threat actor then used to gain unauthorized access to the cloud and steal data. "The threat actor, UNC6426, then used this
Analysis Summary
# Incident Report: UNC6426 AWS Administrator Compromise via nx npm Supply Chain
## Executive Summary
The threat actor UNC6426 executed a full cloud environment breach of a victim organization within 72 hours by exploiting a prior supply chain compromise of the `nx` npm package. By leveraging stolen GitHub Personal Access Tokens (PATs) and abusing OIDC trust relationships between GitHub and AWS, the attacker escalated privileges to Administrator level. The incident resulted in data exfiltration from S3 buckets, destruction of production EC2 and RDS instances, and the public exposure of private source code.
## Incident Details
- **Discovery Date:** March 2026 (Reported by Google Cloud Threat Horizons)
- **Incident Date:** Approximately August 2025 (Initial supply chain seed) to Early 2026
- **Affected Organization:** Not disclosed (Client of Google Cloud)
- **Sector:** Technology / Software Development
- **Geography:** Global
## Timeline of Events
### Initial Access
- **Date/Time:** August 2025 (precursor supply chain compromise) / Incident Phase: Day 0
- **Vector:** Supply Chain / Malicious npm Package
- **Details:** An employee ran a code editor with the Nx Console plugin. An update triggered the execution of a trojanized `nx` package containing the **QUIETVAULT** credential stealer.
### Lateral Movement
- **Day 2:** UNC6426 performed reconnaissance using the stolen GitHub PAT and the open-source tool "Nord Stream" to extract CI/CD secrets.
- **Day 2-3:** Attackers identified a GitHub service account and used the `--aws-role` option to mint temporary AWS STS credentials for the `Actions-CloudFormation` role.
### Data Exfiltration/Impact
- **Day 3:** The actor deployed a new AWS Stack to create a custom IAM role with `AdministratorAccess`.
- **Execution:** S3 buckets were enumerated and exfiltrated. Production EC2 and RDS instances were terminated (Data Destruction). All internal GitHub repositories were renamed and set to "Public" visibility.
### Detection & Response
- **How it was discovered:** Analysis by Google Cloud's threat intelligence team during the H1 2026 reporting period.
- **Response actions taken:** Not explicitly detailed in the report, though the report emphasizes remediation of OIDC trust and IAM tightening.
## Attack Methodology
- **Initial Access:** Supply chain compromise (nx npm package) via "Pwn Request" vulnerability in GitHub workflows.
- **Persistence:** Creation of a new IAM Administrator role in the AWS environment.
- **Privilege Escalation:** Abuse of GitHub-to-AWS OIDC trust and overly permissive CloudFormation roles to assign `AdministratorAccess`.
- **Defense Evasion:** Use of legitimate tools like "Nord Stream" and standard AWS CLI/API functions to blend with DevOps traffic.
- **Credential Access:** QUIETVAULT malware used LLM tools locally on the victim machine to find and siphon tokens/env variables.
- **Discovery:** Use of "Nord Stream" for CI/CD secret scanning and AWS API calls for S3/EC2/RDS enumeration.
- **Lateral Movement:** Pivot from developer endpoint -> GitHub CI/CD -> AWS Cloud environment.
- **Collection:** Enumeration of S3 objects and GitHub repositories.
- **Exfiltration:** Siphoning of S3 data; GitHub repositories made public.
- **Impact:** Termination of production database (RDS) and compute (EC2) instances; unauthorized public disclosure of private intellectual property (internal source code).
## Impact Assessment
- **Financial:** High (Inferred from production downtime and potential data loss).
- **Data Breach:** Exposure of all internal GitHub repositories and S3 bucket contents.
- **Operational:** Severe disruption due to destruction of production EC2 and RDS instances.
- **Reputational:** High risk due to the conversion of private repositories to public.
## Indicators of Compromise
- **Network indicators:** Traffic to/from `s1ngularity-repository-1` on GitHub.
- **File indicators:** QUIETVAULT JavaScript credential stealer (SHA-256: `8eea1f65e468b515020e3e2854805f1ef5c611342fa23c4b31d8ed3374286a90`).
- **Behavioral indicators:** Execution of `postinstall` scripts in npm packages; unusual CloudFormation stack creation; AWS STS token generation from GitHub Actions IP ranges.
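The behavioral indicators above can be turned into a concrete CloudTrail hunt: a session minted through the GitHub OIDC provider (`AssumeRoleWithWebIdentity`) that then creates a CloudFormation stack or attaches `AdministratorAccess`. The detection logic and the simplified CloudTrail-style records below are an added example, not from the report; the account ID, session name and stack/role names are constructed.

```python
from collections import defaultdict

GITHUB_OIDC = "token.actions.githubusercontent.com"
ADMIN_POLICY = "arn:aws:iam::aws:policy/AdministratorAccess"
# API calls that, issued from a CI-minted session, match the escalation path in the report
ESCALATION = {"CreateStack", "CreateRole", "AttachRolePolicy", "PutRolePolicy"}

def find_oidc_escalations(events):
    """Return [(session_arn, oidc_subject, [call, ...])] for sessions minted via
    GitHub OIDC (AssumeRoleWithWebIdentity) that then issued escalation calls."""
    subjects, calls = {}, defaultdict(list)   # session ARN -> sub claim / observed calls
    for e in sorted(events, key=lambda x: x["eventTime"]):
        ui = e.get("userIdentity", {})
        if (e["eventName"] == "AssumeRoleWithWebIdentity" and ui.get("type") == "WebIdentityUser"
                and GITHUB_OIDC in ui.get("identityProvider", "")):
            # userName carries the OIDC subject, e.g. repo:org/name:ref:refs/heads/main
            subjects[e["responseElements"]["assumedRoleUser"]["arn"]] = ui.get("userName", "?")
        elif ui.get("type") == "AssumedRole" and ui.get("arn") in subjects:
            if e["eventName"] in ESCALATION:
                call = e["eventName"]
                if (e.get("requestParameters") or {}).get("policyArn") == ADMIN_POLICY:
                    call += "(AdministratorAccess)"   # the new role was given full admin rights
                calls[ui["arn"]].append(call)
    return [(s, subjects[s], c) for s, c in calls.items()]

# Constructed, simplified CloudTrail-style records (not from the report)
SESSION = "arn:aws:sts::111122223333:assumed-role/Actions-CloudFormation/GitHubActions"
SAMPLE_EVENTS = [
    {"eventTime": "2026-01-10T01:00:00Z", "eventName": "AssumeRoleWithWebIdentity",
     "userIdentity": {"type": "WebIdentityUser",
                      "identityProvider": "arn:aws:iam::111122223333:oidc-provider/" + GITHUB_OIDC,
                      "userName": "repo:example-org/infra:ref:refs/heads/main"},
     "responseElements": {"assumedRoleUser": {"arn": SESSION}}},
    {"eventTime": "2026-01-10T01:05:00Z", "eventName": "CreateStack",
     "userIdentity": {"type": "AssumedRole", "arn": SESSION},
     "requestParameters": {"stackName": "cfn-helper"}},
    {"eventTime": "2026-01-10T01:06:00Z", "eventName": "AttachRolePolicy",
     "userIdentity": {"type": "AssumedRole", "arn": SESSION},
     "requestParameters": {"roleName": "cfn-helper-role", "policyArn": ADMIN_POLICY}},
    {"eventTime": "2026-01-10T02:00:00Z", "eventName": "DescribeInstances",   # benign, not flagged
     "userIdentity": {"type": "AssumedRole", "arn": SESSION}},
]

if __name__ == "__main__":
    for session, subject, observed in find_oidc_escalations(SAMPLE_EVENTS):
        print(f"ALERT {session} ({subject}): {', '.join(observed)}")
```

The `sub` value recovered from the `AssumeRoleWithWebIdentity` record tells responders which repository and branch minted the session, which is the first thing to revoke and audit.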
## Response Actions
- **Containment:** Removal of compromised IAM roles and revocation of stolen PATs.
- **Eradication:** Auditing GitHub-to-AWS OIDC trust relationships.
- **Recovery:** Restoration of production EC2/RDS instances from backups; reverting GitHub repository visibility to private.
## Lessons Learned
- **Postinstall Vulnerabilities:** Relying on default npm behavior for postinstall scripts is a major security gap.
- **Overly Permissive Roles:** The `Actions-CloudFormation` role had the power to create IAM roles with higher privileges than itself (Lack of IAM permission boundaries).
- **LLM Weaponization:** Threat actors are now using local LLM tools to automate the discovery of sensitive data on compromised endpoints.
## Recommendations
- **Package Management:** Use package manager settings or flags (e.g., `--ignore-scripts`) to prevent execution of untrusted postinstall scripts.
- **OIDC Hardening:** Use specific subject (`sub`) claim conditions in AWS OIDC trust policies so that only designated repositories, not any repository in the organization, can assume the role.
- **IAM Boundaries:** Implement IAM Permission Boundaries on CI/CD roles to prevent them from creating roles with `AdministratorAccess`.
- **Token Hygiene:** Transition to Fine-Grained Personal Access Tokens (PATs) with minimal scope and short expiration timelines.
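The OIDC hardening recommendation can be checked mechanically against a role's trust policy. The audit function below is an added example, not code from the report or from AWS: it flags a missing `sub` condition, a `sub` value that does not pin a single repository, and a missing `aud` condition, and it is run against a constructed weak policy and its hardened counterpart (provider ARN, organization and repository names are placeholders).

```python
# Audit a role trust policy that federates with GitHub's OIDC provider; constructed
# example, not from the report. Condition keys are compared case-insensitively as IAM does.
GITHUB_OIDC = "token.actions.githubusercontent.com"
SUB_KEY, AUD_KEY = f"{GITHUB_OIDC}:sub", f"{GITHUB_OIDC}:aud"

def _values(v):
    return v if isinstance(v, list) else [v]

def audit_github_oidc_trust(policy):
    """Return [(statement_index, severity, message)] for every weakness found."""
    findings = []
    for i, st in enumerate(policy.get("Statement", [])):
        if st.get("Effect") != "Allow" or "sts:AssumeRoleWithWebIdentity" not in _values(st.get("Action", [])):
            continue
        subs, has_aud = [], False
        for keys in st.get("Condition", {}).values():      # StringEquals / StringLike blocks
            for key, val in keys.items():
                if key.lower() == SUB_KEY:
                    subs += _values(val)
                elif key.lower() == AUD_KEY:
                    has_aud = True
        if not has_aud:
            findings.append((i, "MEDIUM", "no aud condition; only the provider's registered audience is checked"))
        if not subs:
            findings.append((i, "HIGH", "no sub condition: any GitHub repository can assume this role"))
            continue
        for s in subs:
            parts = s.split(":")                    # repo:ORG/REPO:<context>:<value>
            repo = parts[1] if len(parts) > 1 and parts[0] == "repo" else ""
            if not repo or "*" in repo or "?" in repo:
                findings.append((i, "HIGH", f"sub {s!r} does not pin a single repository"))
            elif len(parts) < 3 or "*" in ":".join(parts[2:]):
                findings.append((i, "LOW", f"sub {s!r} pins the repository but not a branch or environment"))
    return findings

PROVIDER_ARN = "arn:aws:iam::111122223333:oidc-provider/" + GITHUB_OIDC
# Weak: a StringLike wildcard lets every repository in the organization assume the role
WEAK_TRUST = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": {"Federated": PROVIDER_ARN},
    "Action": "sts:AssumeRoleWithWebIdentity",
    "Condition": {"StringLike": {SUB_KEY: "repo:example-org/*"}}}]}
# Hardened: exact audience and one repository on one branch
HARDENED_TRUST = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": {"Federated": PROVIDER_ARN},
    "Action": "sts:AssumeRoleWithWebIdentity",
    "Condition": {"StringEquals": {AUD_KEY: "sts.amazonaws.com",
                                   SUB_KEY: "repo:example-org/infra:ref:refs/heads/main"}}}]}

if __name__ == "__main__":
    for name, pol in (("weak", WEAK_TRUST), ("hardened", HARDENED_TRUST)):
        print(name, audit_github_oidc_trust(pol) or "OK")
```

Pair this with an IAM permission boundary on the CI/CD role, since a correctly scoped trust policy still does nothing to stop the role itself from creating a more privileged role.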