A threat actor tracked as UNC6426 used keys stolen during last year’s supply-chain compromise of the nx npm package to fully breach a victim’s cloud environment within 72 hours, according to Google’s Cloud Threat Horizons Report for H1 2026.
“The threat actor, UNC6426, then used this access to abuse the GitHub-to-AWS OpenID Connect (OIDC) trust and create a new administrator role in the cloud environment,” Google said in its Cloud Threat Horizons Report for H1 2026. “They abused this role to exfiltrate files from the client’s Amazon Web Services (AWS) Simple Storage Service (S3) buckets and performed data destruction in their production cloud environment.”
The attack began with the theft of a developer’s GitHub token and ended with the attacker holding full AWS administrator permissions, exfiltrating files from S3 buckets, and destroying production infrastructure.
The supply-chain attack on the nx npm package took place in August 2025, when unknown attackers exploited a vulnerable pull_request_target workflow, an attack type known as “Pwn Request,” to gain elevated privileges and push trojanized versions of the package to the npm registry.
The compromised packages embedded a postinstall script that launched a JavaScript credential stealer called QUIETVAULT, which harvested environment variables, system information, and valuable tokens including GitHub Personal Access Tokens. Notably, the malware weaponised a large language model tool already installed on the developer’s endpoint to search for credentials, representing what researchers describe as AI-assisted supply chain abuse.
At the victim organisation, an employee running a code editor with the Nx Console plugin triggered an update that executed the malicious payload. Two days later, UNC6426 began reconnaissance within the victim’s GitHub environment using the stolen token. The attackers used an open-source tool called Nord Stream to extract secrets from CI/CD environments, obtaining credentials for a GitHub service account. They then leveraged this account to generate temporary AWS Security Token Service tokens for an overly permissive role called “Actions-CloudFormation.”
From there, the escalation was rapid. The attackers used the compromised role’s permissions to deploy a new AWS Stack whose sole purpose was to create a new IAM role with full administrator access. Google noted that UNC6426 escalated from a stolen token to full AWS administrator permissions in less than 72 hours.
With administrator access secured, the threat actor enumerated and accessed S3 buckets, terminated production EC2 and RDS instances, and decrypted application keys. In a final act of destruction, all of the victim’s internal GitHub repositories were renamed and made public.
Google recommends organisations use package managers that prevent postinstall scripts, apply the principle of least privilege to CI/CD service accounts and OIDC-linked roles, enforce fine-grained personal access tokens with short expiration windows, remove standing privileges for high-risk actions, and monitor for anomalous IAM activity. The incident also highlights the emerging threat of what security firm Socket has described as AI-assisted supply chain abuse, where malicious intent is expressed through natural-language prompts rather than explicit network callbacks, complicating conventional detection. As AI assistants become more deeply integrated into developer workflows, any tool capable of invoking them inherits their reach, expanding the attack surface in ways the security community is only beginning to understand.
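The least-privilege recommendation for OIDC-linked roles comes down to what the role’s trust policy accepts from the GitHub OIDC provider. As an added example (not code from Google’s report or the nx project), this small Python checker flags a GitHub-to-AWS trust policy whose `sub` claim is not pinned to a repository, showing a constructed weak policy beside a hardened one. The account id, repository name and provider ARN are assumptions.

```python
import json

GITHUB_OIDC = "token.actions.githubusercontent.com"
# Constructed provider ARN; the account id is a placeholder.
PROVIDER_ARN = "arn:aws:iam::123456789012:oidc-provider/" + GITHUB_OIDC


def trust_policy(conditions: dict) -> str:
    """Build a constructed GitHub-to-AWS OIDC role trust policy with the given conditions."""
    return json.dumps({"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow", "Action": "sts:AssumeRoleWithWebIdentity",
        "Principal": {"Federated": PROVIDER_ARN}, "Condition": conditions}]})


# Weak: only the audience is pinned, so a workflow in any GitHub repository can assume the role.
WEAK = trust_policy({"StringEquals": {GITHUB_OIDC + ":aud": "sts.amazonaws.com"}})
# Hardened: the sub claim is pinned to one (assumed) repository and one branch.
HARDENED = trust_policy({"StringEquals": {
    GITHUB_OIDC + ":aud": "sts.amazonaws.com",
    GITHUB_OIDC + ":sub": "repo:example-org/example-repo:ref:refs/heads/main"}})


def _as_list(value):
    return [value] if isinstance(value, str) else list(value or [])


def github_oidc_findings(policy_json: str) -> list[str]:
    """Return findings for Allow statements that let GitHub Actions assume the role."""
    findings = []
    for stmt in json.loads(policy_json).get("Statement", []):
        principal = stmt.get("Principal")
        feds = _as_list(principal.get("Federated")) if isinstance(principal, dict) else []
        if (stmt.get("Effect") != "Allow"
                or "sts:AssumeRoleWithWebIdentity" not in _as_list(stmt.get("Action"))
                or not any(GITHUB_OIDC in f for f in feds)):
            continue
        # Merge claim values across every condition operator (StringEquals, StringLike, ...).
        claims = {}
        for block in stmt.get("Condition", {}).values():
            for key, val in block.items():
                claims.setdefault(key, []).extend(_as_list(val))
        if "sts.amazonaws.com" not in claims.get(GITHUB_OIDC + ":aud", []):
            findings.append("aud not pinned to sts.amazonaws.com")
        subs = claims.get(GITHUB_OIDC + ":sub", [])
        if not subs:
            findings.append("no sub condition: any GitHub repository can assume this role")
        elif any(s == "*" or s.startswith("repo:*") for s in subs):
            findings.append("sub wildcard allows any repository")
        elif any("*" in s for s in subs):
            findings.append("sub wildcard widens allowed branches/environments: " + ", ".join(subs))
    return findings
```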
