UNC6426 Exploits nx npm Supply-Chain Attack to Gain AWS Admin Access in 72 Hours

A threat actor tracked as UNC6426 used developer credentials stolen after the nx npm supply-chain compromise to take full control of a victim’s AWS environment in under 72 hours, Google said in its Cloud Threat Horizons Report for H1 2026.

How the compromise started

Google said the chain of events began with a supply-chain attack on the nx npm package in August 2025. Attackers abused a vulnerable pull_request_target workflow, an attack type known as Pwn Request, to obtain elevated privileges and capture a GITHUB_TOKEN. That token and other harvested secrets then became the pivot point into the victim’s cloud and development tooling.

The trojanized nx packages contained a postinstall script that launched a JavaScript credential stealer Google identified as QUIETVAULT. According to Google, QUIETVAULT used a local large language model already present on the developer’s endpoint to search for environment variables, system information, and valuable tokens such as GitHub Personal Access Tokens. Stolen data was uploaded to a public GitHub repository named “/s1ngularity-repository-1,” Google said.

From stolen token to AWS administrator

Two days after the initial compromise, Google said UNC6426 used a stolen personal access token to probe the victim’s GitHub environment and run a legitimate open-source tool called Nord Stream to extract secrets from CI/CD. Those activities exposed credentials for a GitHub service account.

Google explained the attackers then leveraged that service account and Nord Stream’s “–aws-role” feature to mint temporary AWS Security Token Service credentials for an “Actions-CloudFormation” role. “The compromised Github-Actions-CloudFormation role was overly permissive,” Google said. UNC6426 used those permissions to deploy an AWS CloudFormation stack with IAM capabilities and create a new role that had the AdministratorAccess policy attached. “UNC6426 successfully escalated from a stolen token to full AWS administrator permissions in less than 72 hours,” Google said.

With administrator rights, the actor enumerated and copied S3 objects, terminated production EC2 and RDS instances, decrypted application keys, and made the victim’s internal GitHub repositories public by renaming them to patterns such as “/s1ngularity-repository-[randomchars],” Google said.

AI and supply-chain abuse

Security firm Socket highlighted an AI-assisted angle to the campaign. Socket said the attackers used AI tooling on compromised endpoints to express malicious intent as natural-language prompts rather than hardcoded network callbacks. “The malicious intent is expressed in natural-language prompts rather than explicit network callbacks or hardcoded endpoints, complicating conventional detection approaches,” Socket said. Socket warned that as AI assistants become integrated into developer workflows, they expand the attack surface for supply-chain abuse.

What defenders should do

Google recommended several mitigations: use package managers or sandboxing that block or restrict postinstall scripts, apply least privilege to CI/CD service accounts and OIDC-linked roles, enforce fine-grained personal access tokens with short expirations, and remove standing privileges that allow creation of administrator roles. Google also urged monitoring for anomalous IAM activity and implementing controls to detect AI-assisted credential harvesting.

The incident underscores how a single compromised package and a few exposed credentials can cascade into a full cloud takeover. Security teams should assume their developer endpoints and automation tools can be targeted and design defenses accordingly, Google and Socket advised.

#supplychain #cloudsecurity #AWS #npm #devsecops