Threat actor UNC6426 leveraged stolen GitHub tokens from the nx npm package supply-chain compromise to escalate from initial access to full AWS administrator privileges within 72 hours, demonstrating how AI-assisted attacks can rapidly compromise cloud environments.
A sophisticated threat actor known as UNC6426 has demonstrated how quickly a supply-chain attack can escalate into a full cloud environment compromise, gaining complete AWS administrator access within just 72 hours of initial compromise.
The nx npm Supply-Chain Attack
The attack chain began with a supply-chain compromise of the popular nx npm package in August 2025. Unknown threat actors exploited a vulnerable pull_request_target workflow - an attack method referred to as "Pwn Request" - to obtain elevated privileges and access sensitive data including GitHub tokens.
The attackers pushed trojanized versions of the nx package to the npm registry. These malicious packages contained a postinstall script that launched a JavaScript credential stealer called QUIETVAULT. This tool was designed to siphon environment variables, system information, and valuable tokens including GitHub Personal Access Tokens (PATs).
What made this attack particularly sophisticated was its use of AI-assisted techniques. The attackers weaponized a Large Language Model (LLM) tool already installed on the endpoint to scan the system for sensitive information. The malicious intent was expressed through natural-language prompts rather than explicit network callbacks, making conventional detection approaches more difficult.
The captured data was uploaded to a public GitHub repository named /s1ngularity-repository-1.
Initial Compromise and Reconnaissance
Google's Cloud Threat Horizons Report for H1 2026 revealed that an employee at the victim organization ran a code editor application using the Nx Console plugin. This triggered an update that executed the QUIETVAULT malware.
Two days after the initial compromise, UNC6426 initiated reconnaissance activities within the client's GitHub environment using the stolen PAT. The attackers employed a legitimate open-source tool called Nord Stream to extract secrets from CI/CD environments, which led to the discovery of credentials for a GitHub service account.
AWS Environment Breach
With the GitHub service account credentials in hand, the attackers used the utility's --aws-role parameter to generate temporary AWS Security Token Service (STS) tokens for the Actions-CloudFormation role. This provided the initial foothold in the victim's AWS environment.
However, the compromised Github-Actions-CloudFormation role was overly permissive. UNC6426 exploited this excessive privilege to deploy a new AWS CloudFormation stack with capabilities CAPABILITY_NAMED_IAM and CAPABILITY_IAM. The sole purpose of this stack was to create a new IAM role and attach the arn:aws:iam::aws:policy/AdministratorAccess policy to it.
In less than 72 hours, the threat actor successfully escalated from a stolen token to full AWS administrator permissions.
Post-Compromise Activities
Armed with administrator roles, UNC6426 carried out a series of destructive actions:
- Enumerated and accessed objects within S3 buckets
- Terminated production Elastic Compute Cloud (EC2) and Relational Database Service (RDS) instances
- Decrypted application keys
- Renamed all of the victim's internal GitHub repositories to
/s1ngularity-repository-[randomcharacters]and made them public
The attack demonstrates how quickly cloud environments can be compromised when multiple security controls fail simultaneously.
Security Recommendations
To defend against similar attacks, security experts recommend several measures:
Package Management Controls: Use package managers that prevent postinstall scripts or implement sandboxing tools to isolate package execution.
Principle of Least Privilege: Apply PoLP to CI/CD service accounts and OIDC-linked roles, ensuring they have only the minimum permissions necessary.
Fine-Grained PATs: Enforce Personal Access Tokens with short expiration windows and specific repository permissions rather than broad access.
Remove Standing Privileges: Eliminate standing privileges for high-risk actions like creating administrator roles, requiring just-in-time elevation instead.
Monitor IAM Activity: Implement monitoring for anomalous IAM activity, particularly role creation and privilege escalation events.
Shadow AI Controls: Establish strong controls to detect Shadow AI risks, as AI assistants integrated into developer workflows expand the attack surface.
The AI-Assisted Threat Landscape
This incident highlights a concerning trend in supply-chain attacks where execution is offloaded to AI agents that already have privileged access to developer file systems, credentials, and authenticated tooling. As Socket, a software supply chain security firm, noted: "The malicious intent is expressed in natural-language prompts rather than explicit network callbacks or hard-coded endpoints, complicating conventional detection approaches."
As AI assistants become more integrated into developer workflows, they expand the attack surface. Any tool capable of invoking them inherits their reach, creating new challenges for security teams tasked with protecting development environments and cloud infrastructure.
The UNC6426 attack serves as a stark reminder that modern supply-chain compromises can rapidly escalate into full cloud environment takeovers, especially when AI-assisted techniques are combined with overly permissive cloud configurations.
Comments
Please log in or register to join the discussion