UNC6426 Exploits nx npm Supply-Chain Attack to Gain AWS Admin Access in 72 Hours

2026-03-11

1 min read

by info@thehackernews.com (The Hacker News)

Receive daily AI-curated summaries of engineering articles from top tech companies worldwide.

This article covers how threat actor UNC6426 exploited the nx npm supply chain attack to fully compromise a victim's AWS environment within 72 hours.

•The attack began with theft of a developer's GitHub Personal Access Token (PAT) via a trojanized nx npm package containing a postinstall script that ran a credential stealer called QUIETVAULT.
•QUIETVAULT weaponized an LLM tool already installed on the endpoint to scan for sensitive environment variables and tokens, uploading stolen data to a public GitHub repository.
•UNC6426 used the stolen PAT with Nord Stream tool to extract CI/CD secrets and generate temporary AWS STS tokens via an overly permissive GitHub-Actions-CloudFormation role.
•The attackers escalated to full AWS administrator access by deploying a new IAM stack with AdministratorAccess policy, then exfiltrated S3 data, terminated EC2/RDS instances, and made all internal GitHub repos public.

Related Articles