UNC6426: From Supply-Chain Compromise to AWS Administrator in 72 Hours
- Javier Conejo del Cerro
- hace 2 horas
- 4 Min. de lectura
A sophisticated cloud intrusion attributed to threat actor UNC6426 demonstrates how a single supply-chain compromise can cascade into a full cloud breach within days. The attackers leveraged credentials stolen during the August 2025 compromise of the nx npm package, ultimately escalating privileges inside a victim’s AWS environment and gaining full administrative control in less than 72 hours.
The attack illustrates the growing convergence between software supply-chain attacks, CI/CD exploitation, and cloud privilege escalation. By chaining together a compromised developer dependency, stolen GitHub credentials, and overly permissive cloud roles, the attackers moved rapidly from developer workstation access to complete control over production infrastructure. The incident also highlights a new emerging risk: AI-assisted supply-chain abuse, where attackers leverage AI-integrated developer tools already present in the environment to extract sensitive information.
Phase 1 — Supply-Chain Compromise of the nx npm Package
The attack chain began months earlier during the August 2025 compromise of the nx npm package, a widely used development dependency.
Threat actors exploited a vulnerable pull_request_target workflow, in a technique known as a “Pwn Request.” This attack allowed them to gain elevated privileges within the repository’s CI environment.
With this access, the attackers were able to:
obtain sensitive repository credentials, including GITHUB_TOKEN
inject malicious code into the build pipeline
publish trojanized versions of the nx package to the npm registry
These modified packages contained a postinstall script, ensuring that malicious code would execute automatically when developers installed or updated the dependency.
Phase 2 — QUIETVAULT Credential Theft
The trojanized npm packages deployed a JavaScript credential-stealing tool called QUIETVAULT.
When executed, the malware harvested:
environment variables
system information
authentication tokens
GitHub Personal Access Tokens (PATs)
Instead of implementing complex scanning logic itself, QUIETVAULT exploited an AI-assisted developer tool already installed on the endpoint. Using prompts directed at the Large Language Model integration, the malware instructed the tool to search the developer’s environment for sensitive credentials.
The stolen data was then uploaded to a public GitHub repository named:
/s1ngularity-repository-1
This approach allowed attackers to exfiltrate secrets without deploying additional network malware or command-and-control infrastructure.
The compromise was triggered when an employee at the victim organization launched a code editor using the Nx Console plugin, which automatically updated the compromised dependency and executed the malicious script.
Phase 3 — GitHub Reconnaissance and CI/CD Secret Extraction
Two days after the initial compromise, UNC6426 began reconnaissance inside the organization’s GitHub environment.
Using the stolen GitHub PAT, the attackers deployed a legitimate open-source tool called Nord Stream to extract secrets from the organization’s CI/CD pipelines.
This allowed them to obtain credentials belonging to a GitHub service account used for automated deployment tasks.
With this account, the attackers gained access to sensitive automation workflows and began mapping the cloud infrastructure linked to the repository.
Phase 4 — Exploiting GitHub-to-AWS OIDC Trust
The next stage involved exploiting the organization’s GitHub-to-AWS OpenID Connect (OIDC) trust relationship.
Using the service account credentials and Nord Stream’s --aws-role parameter, UNC6426 generated temporary AWS Security Token Service (STS) tokens for the role:
Actions-CloudFormation
This role was intended to allow GitHub Actions workflows to deploy infrastructure automatically.
However, the role was overly permissive, allowing the attackers to execute privileged infrastructure changes inside the AWS environment.
Phase 5 — Privilege Escalation to AWS Administrator
After gaining access to the Actions-CloudFormation role, the attackers escalated privileges by deploying a new AWS CloudFormation stack with the permissions:
CAPABILITY_IAM
CAPABILITY_NAMED_IAM
The stack was designed for one purpose only:
to create a new IAM role and attach the policy:
arn:aws:iam::aws:policy/AdministratorAccess
Through this action, UNC6426 successfully escalated from a stolen GitHub token to full AWS administrator privileges in under 72 hours.
Phase 6 — Data Exfiltration and Infrastructure Destruction
With full administrative access to the cloud environment, the attackers performed several destructive and data-exfiltration actions.
These included:
enumerating and accessing objects stored in AWS S3 buckets
decrypting application keys
terminating EC2 instances
terminating RDS database instances
In the final stage of the intrusion, the attackers modified the victim’s GitHub repositories by renaming them to:
/s1ngularity-repository-[randomcharacters]
They then made all repositories public, effectively leaking the organization’s internal source code.
Measures to Fend Off the Attack
To mitigate attacks of this nature, organizations should implement stronger controls across software supply chains, developer environments, and cloud infrastructure.
Recommended defenses include:
Use package managers that block or sandbox postinstall scripts
Apply the principle of least privilege (PoLP) to CI/CD service accounts
Restrict permissions on OIDC-linked cloud roles
Enforce fine-grained GitHub PATs with short expiration windows
Remove standing privileges for high-risk actions such as IAM role creation
Monitor for anomalous IAM activity and CloudFormation deployments
Audit CI/CD pipelines for secret exposure risks
Implement controls to detect AI-assisted credential harvesting
Monitor developer environments for unexpected dependency updates
The UNC6426 intrusion demonstrates how modern attacks increasingly combine software supply-chain compromise, CI/CD exploitation, and cloud privilege escalation into a single attack chain.
Rather than exploiting traditional vulnerabilities in infrastructure, the attackers leveraged weaknesses in developer workflows and cloud trust relationships, allowing them to pivot quickly from a compromised npm dependency to full administrative control over production systems.
The incident also underscores a new emerging challenge: AI-assisted supply-chain abuse. As AI tools become embedded in developer workflows, they can unintentionally expand the attack surface by granting malware indirect access to sensitive data already accessible to those tools.
For organizations operating in cloud-native environments, protecting the developer supply chain, CI/CD pipelines, and identity-based trust relationships is now just as critical as defending traditional infrastructure.
The Hacker News
Comentarios