COSMICBYTEZLABS
© 2026 CosmicBytez Labs. All rights reserved.
UNC6426 Weaponizes Old nx npm Supply Chain Compromise to

Threat actor UNC6426 leveraged stolen credentials from last year's nx npm supply chain attack to achieve full AWS administrator access at a victim...

Dylan H.

News Desk

March 11, 2026
6 min read

UNC6426 Turns a Year-Old npm Compromise Into Full Cloud Annihilation

A previously undisclosed threat actor designated UNC6426 has executed one of the most consequential cloud breaches linked to the nx npm package supply chain attack — achieving full AWS administrator access and destroying an organization's cloud environment in just 72 hours, according to research published March 11, 2026.

The attack is a stark demonstration that supply chain compromises have long tails: keys and tokens stolen during the initial nx package poisoning last year continued to yield high-value access months after the original incident.


Incident Details

Threat Actor: UNC6426 (uncategorized, origin unknown)
Initial Vector: Stolen developer GitHub Personal Access Token (PAT) via the nx npm supply chain compromise
Malware Deployed: QUIETVAULT (credential harvester)
CI/CD Tool Abused: Nord Stream (legitimate open-source CI/CD secrets extraction tool)
Cloud Platform: Amazon Web Services (AWS)
Time to Full Admin: under 72 hours from initial token theft
Outcome: Production EC2 and RDS instances terminated; all GitHub repositories renamed and set to public
Attack Date: Early March 2026

How the Attack Unfolded

Phase 1 — QUIETVAULT Executes via Nx Console Update

The attack began when a developer at the victim organization used a code editor application running the Nx Console plugin. During a routine update of the plugin, the process triggered the download of a poisoned nx npm package — one that had been backdoored during last year's supply chain attack.

The malicious package deployed QUIETVAULT, a credential-harvesting implant that silently exfiltrated the developer's GitHub Personal Access Token (PAT) from the local environment. The developer had no indication of compromise.

Phase 2 — CI/CD Secret Extraction via Nord Stream

Two days after QUIETVAULT stole the PAT, UNC6426 began reconnaissance against the victim's GitHub organization. Rather than writing custom tooling, the attackers used Nord Stream — a legitimate open-source utility designed to extract secrets from CI/CD environments — authenticated with the stolen developer token.

Nord Stream enumerated the organization's GitHub Actions workflows and extracted their secrets, including the credentials for a GitHub service account used by CI/CD automation pipelines. Nord Stream obtains secrets by pushing a throwaway workflow and reading back its output, so this stage leaves workflow runs and branch activity in the GitHub audit log that the organization could have alerted on.

Phase 3 — AWS STS Token Escalation

With the service account credentials in hand, UNC6426 used Nord Stream's --aws-role option to obtain temporary AWS Security Token Service (STS) credentials for the Actions-CloudFormation role, a role the CI/CD service account could assume for infrastructure deployment tasks.

Rather than using this role directly for data theft, UNC6426 deployed a new AWS CloudFormation stack, acknowledging the following capabilities:

["CAPABILITY_NAMED_IAM", "CAPABILITY_IAM"]

The stack's sole purpose: create a new IAM role and attach the AdministratorAccess managed policy. The capability flags are only an acknowledgement that the template creates IAM resources; what made the escalation possible was that the Actions-CloudFormation role itself (or the service role the stack ran under) was permitted to call iam:CreateRole and iam:AttachRolePolicy. Within 72 hours of the initial token theft, UNC6426 had escalated from a stolen developer PAT to full AWS administrator permissions.

Phase 4 — Cloud Destruction and Data Exposure

Armed with administrator access, UNC6426 carried out a systematic destruction campaign:

  • Enumerated and accessed all S3 buckets — extracting application data, backups, and configuration files
  • Terminated production EC2 instances — taking down all running workloads
  • Terminated production RDS instances — destroying live databases
  • Used administrator-level AWS KMS permissions to decrypt application data keys and secrets protected by KMS-managed keys
  • Renamed all internal GitHub repositories to /s1ngularity-repository-[randomcharacters] and set all repos to public — exposing source code, infrastructure-as-code, and secrets to the internet

Impact Assessment

Full Cloud Compromise: Complete AWS administrator access across all services
Production Destruction: All EC2 and RDS instances terminated; total service disruption
Data Exfiltration: S3 bucket contents accessed; KMS-protected keys and secrets decrypted
Source Code Exposure: All GitHub repositories made public; IP, secrets and IaC exposed
Encryption Key Compromise: Application-layer encryption rendered ineffective
Recovery Complexity: Destroyed infrastructure requires a full rebuild from scratch

Recommendations

For Security and Cloud Teams

Treat CI/CD service account tokens as high-value credentials requiring the same protection as admin passwords. Apply least-privilege IAM policies to all roles used in GitHub Actions workflows: CloudFormation deployment roles must never carry blanket AdministratorAccess or unconstrained iam:* permissions. If a role is assumed through GitHub's OIDC provider, pin the trust policy's sub condition to specific repositories and protected branches rather than a repo:org/* wildcard, since any workflow an attacker can push otherwise qualifies. Enable AWS CloudTrail with alerting on CreateRole, AttachRolePolicy, and CreateStack calls that declare IAM capabilities.
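To make the trust-policy point concrete, here is an added example (not code from the article, from Nord Stream, or from AWS) that evaluates two role trust policies against the claims a GitHub Actions OIDC token carries. It assumes the Actions-CloudFormation role was assumable through GitHub's OIDC provider, implements only the StringEquals and StringLike condition semantics needed for the comparison, and uses hypothetical account, organization, repository, and branch names.

```python
"""Evaluate IAM role trust policies against GitHub Actions OIDC token claims.

Added example, not code from the original article, Nord Stream, or AWS.
Implements the subset of IAM condition semantics (StringEquals, StringLike)
needed to show why a wildcard `sub` condition lets a workflow pushed to any
branch assume the CI/CD role while a pinned condition does not.
Account ID, org, repo, role and branch names are hypothetical.
"""
import fnmatch

OIDC_ISSUER = "token.actions.githubusercontent.com"
PROVIDER_ARN = "arn:aws:iam::123456789012:oidc-provider/" + OIDC_ISSUER

# Hypothetical permissive trust policy: every repo and every ref in the org qualifies.
PERMISSIVE_TRUST = {
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": PROVIDER_ARN},
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": {
            "StringEquals": {f"{OIDC_ISSUER}:aud": "sts.amazonaws.com"},
            "StringLike": {f"{OIDC_ISSUER}:sub": "repo:example-org/*"},
        },
    }]
}

# Hardened trust policy: only runs on the protected main branch of one repository.
PINNED_TRUST = {
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": PROVIDER_ARN},
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": {
            "StringEquals": {
                f"{OIDC_ISSUER}:aud": "sts.amazonaws.com",
                f"{OIDC_ISSUER}:sub": "repo:example-org/infra:ref:refs/heads/main",
            },
        },
    }]
}


def github_claims(org, repo, ref):
    """Constructed claims as carried by a GitHub Actions OIDC token for a run on `ref`."""
    return {
        f"{OIDC_ISSUER}:aud": "sts.amazonaws.com",
        f"{OIDC_ISSUER}:sub": f"repo:{org}/{repo}:ref:{ref}",
    }


def _condition_matches(condition, claims):
    """Every key under every operator must match; missing claims never match."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            actual = claims.get(key)
            if actual is None:
                return False
            patterns = expected if isinstance(expected, list) else [expected]
            if operator == "StringEquals":
                if actual not in patterns:
                    return False
            elif operator == "StringLike":
                # IAM '*' matches any run of characters, including '/' and ':'
                if not any(fnmatch.fnmatchcase(actual, p) for p in patterns):
                    return False
            else:
                raise ValueError(f"unsupported condition operator: {operator}")
    return True


def can_assume(trust_policy, claims):
    """True if some Allow statement for AssumeRoleWithWebIdentity accepts the claims."""
    for stmt in trust_policy["Statement"]:
        if stmt["Effect"] != "Allow" or stmt["Action"] != "sts:AssumeRoleWithWebIdentity":
            continue
        if _condition_matches(stmt.get("Condition", {}), claims):
            return True
    return False


# A legitimate deploy run on main, and a Nord-Stream-style run from a throwaway branch.
LEGIT = github_claims("example-org", "infra", "refs/heads/main")
ROGUE = github_claims("example-org", "infra", "refs/heads/tmp-secrets-dump")

if __name__ == "__main__":
    for label, policy in (("permissive", PERMISSIVE_TRUST), ("pinned", PINNED_TRUST)):
        print(label, "main:", can_assume(policy, LEGIT), "rogue branch:", can_assume(policy, ROGUE))
```

The pinned policy only helps if main is branch-protected and the CI service account cannot push to it directly; a token that can write to main defeats the sub condition. Environments add another claim shape (repo:org/repo:environment:name), so pin that form instead where deploys run under a protected environment.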

For Developers

  • Never store long-lived tokens in browser profiles, IDE plugins, or developer tools without understanding what has access to them
  • Rotate GitHub PATs regularly — treat them as passwords
  • Audit installed VS Code / IDE extensions — supply chain attacks frequently target developer tooling
  • Report any unexpected software update behavior to your security team

Organizational Controls

  • Audit all npm packages and IDE plugins used by developers — check for supply chain indicators from the nx compromise
  • Implement GitHub Actions secret scanning — use tools like Gitleaks or GitHub's native secret scanning on all repositories
  • Constrain IAM creation through CloudFormation — remove iam:CreateRole and iam:AttachRolePolicy from deployment roles where possible; where they are needed, require a permissions boundary (iam:PermissionsBoundary condition) and deny attachment of AdministratorAccess (iam:PolicyARN condition), and treat any stack created with CAPABILITY_IAM or CAPABILITY_NAMED_IAM as requiring explicit approval
  • Monitor AWS STS token generation — alert on AssumeRoleWithWebIdentity calls through the GitHub OIDC provider whose sub claim names a repository or branch outside the expected deploy workflows
  • Enforce MFA delete on S3 buckets and enable S3 versioning with Object Lock on critical data; an account administrator can still delete RDS snapshots and EBS volumes, so keep backup copies in a separate account the CI/CD roles cannot reach
  • Regularly rotate all CI/CD secrets stored in GitHub Actions and treat them as short-lived credentials; prefer OIDC federation over long-lived access keys, with the trust policy pinned as described above
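The CloudTrail alerting recommended above, as an added example that is not code from the article, from the researchers, or from AWS: it runs three checks over decoded CloudTrail records, one for each step of the escalation (an unexpected GitHub OIDC sub claim assuming the CI role, the CI role creating a stack that declares IAM capabilities, and AdministratorAccess being attached to a role). The sample records are constructed to resemble CloudTrail's shape; the account ID, role ARN, repository, branch and stack names are hypothetical.

```python
"""Detect the PAT-to-AWS-admin escalation chain in CloudTrail records.

Added example, not code from the article, the researchers, or AWS. The
events below are constructed to resemble CloudTrail records; account ID,
role ARN, repo, branch and stack names are hypothetical.
"""
import json

CI_ROLE_ARNS = {"arn:aws:iam::123456789012:role/Actions-CloudFormation"}
ALLOWED_OIDC_SUBS = {"repo:example-org/infra:ref:refs/heads/main"}
IAM_CAPABILITIES = {"CAPABILITY_IAM", "CAPABILITY_NAMED_IAM"}
ADMIN_POLICY_ARN = "arn:aws:iam::aws:policy/AdministratorAccess"
GITHUB_OIDC = "token.actions.githubusercontent.com"

CI_SESSION = {
    "type": "AssumedRole",
    "sessionContext": {"sessionIssuer": {"arn": "arn:aws:iam::123456789012:role/Actions-CloudFormation"}},
}

# Constructed records: one legitimate deploy, then the three attacker steps.
SAMPLE_EVENTS = [
    {   # legitimate: the protected main branch assumes the CI role
        "eventTime": "2026-03-03T09:00:00Z", "eventSource": "sts.amazonaws.com",
        "eventName": "AssumeRoleWithWebIdentity",
        "userIdentity": {"type": "WebIdentityUser", "identityProvider": GITHUB_OIDC,
                         "userName": "repo:example-org/infra:ref:refs/heads/main"},
        "requestParameters": {"roleArn": "arn:aws:iam::123456789012:role/Actions-CloudFormation",
                              "roleSessionName": "GitHubActions"},
    },
    {   # Nord-Stream-style run on a throwaway branch assumes the same role
        "eventTime": "2026-03-05T02:14:07Z", "eventSource": "sts.amazonaws.com",
        "eventName": "AssumeRoleWithWebIdentity",
        "userIdentity": {"type": "WebIdentityUser", "identityProvider": GITHUB_OIDC,
                         "userName": "repo:example-org/infra:ref:refs/heads/tmp-secrets-dump"},
        "requestParameters": {"roleArn": "arn:aws:iam::123456789012:role/Actions-CloudFormation",
                              "roleSessionName": "GitHubActions"},
    },
    {   # the CI role creates a stack that declares IAM capabilities
        "eventTime": "2026-03-05T02:20:41Z", "eventSource": "cloudformation.amazonaws.com",
        "eventName": "CreateStack", "userIdentity": CI_SESSION,
        "requestParameters": {"stackName": "infra-helper",
                              "capabilities": ["CAPABILITY_NAMED_IAM", "CAPABILITY_IAM"]},
    },
    {   # CloudFormation, acting for that session, attaches AdministratorAccess
        "eventTime": "2026-03-05T02:21:03Z", "eventSource": "iam.amazonaws.com",
        "eventName": "AttachRolePolicy",
        "userIdentity": dict(CI_SESSION, invokedBy="cloudformation.amazonaws.com"),
        "requestParameters": {"roleName": "infra-helper-Role", "policyArn": ADMIN_POLICY_ARN},
    },
]


def _session_role(event):
    """ARN of the role behind an AssumedRole session, or None."""
    return (event.get("userIdentity", {}).get("sessionContext", {})
            .get("sessionIssuer", {}).get("arn"))


def detect(events):
    """Return (rule, eventTime, detail) findings for the escalation chain."""
    findings = []
    for e in events:
        name = e.get("eventName")
        params = e.get("requestParameters") or {}
        ident = e.get("userIdentity") or {}
        if name == "AssumeRoleWithWebIdentity" and ident.get("identityProvider") == GITHUB_OIDC:
            sub = ident.get("userName")
            if sub not in ALLOWED_OIDC_SUBS:
                findings.append(("oidc-unexpected-sub", e["eventTime"],
                                 f"{sub} assumed {params.get('roleArn')}"))
        elif name == "CreateStack":
            caps = set(params.get("capabilities") or [])
            if caps & IAM_CAPABILITIES and _session_role(e) in CI_ROLE_ARNS:
                findings.append(("ci-stack-with-iam-capabilities", e["eventTime"],
                                 f"stack {params.get('stackName')} capabilities={sorted(caps)}"))
        elif name == "AttachRolePolicy" and params.get("policyArn") == ADMIN_POLICY_ARN:
            findings.append(("admin-policy-attached", e["eventTime"],
                             f"role {params.get('roleName')} via {ident.get('invokedBy', 'direct call')}"))
    return findings


if __name__ == "__main__":
    print(json.dumps(detect(SAMPLE_EVENTS), indent=2))
```

detect is a pure function over decoded records, so the same logic can be fed from an EventBridge rule, an Athena query over the trail bucket, or CloudTrail Lake; the allowlists would normally be loaded from the same source of truth as the trust policies rather than hard-coded.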

Key Takeaways

  1. Supply chain compromises have long tails — credentials stolen months ago are still being weaponized in 2026; organizations should assume any token exposed in the nx compromise remains valid until it is rotated.
  2. Legitimate tools are attackers' best friends — Nord Stream, a respected open-source security tool, was the primary attack utility. Security teams must monitor for its use outside expected contexts.
  3. CloudFormation is a privilege escalation path — any role that can create stacks with IAM capabilities and holds, directly or through a CloudFormation service role, permission to create roles and attach policies effectively has administrator access.
  4. The 72-hour clock is not an anomaly — CI/CD roles are routinely over-provisioned, so an attacker with one valid token can reach full admin faster than most incident response cycles.
  5. GitHub Actions secrets are high-value targets — the CI/CD pipeline is the most privileged system in many cloud architectures, yet often the least monitored.
  6. Public repository exposure is irreversible — once source code is made public, all secrets, tokens, and infrastructure patterns it contains must be treated as fully compromised.

Sources

  • The Hacker News — UNC6426 Exploits nx npm Supply-Chain Attack to Gain AWS Admin Access in 72 Hours
  • SecGuro — UNC6426 Exploits nx npm Supply-Chain Attack
  • Bastion Security — npm Supply Chain Attacks 2026: Defense Guide
Tags: #Supply Chain, #AWS, #Cloud Security, #UNC6426, #npm, #CI/CD, #GitHub, #QUIETVAULT
