A hacker group called UNC6426 used keys stolen in last year's supply chain compromise of the nx npm package to completely break into a victim's cloud environment in just 72 hours. The attack began when a hacker stole a developer's GitHub token. They then used it to get into the cloud without permission and steal data.

Google's Cloud Threat Horizons Report for H1 2026 said, "The threat actor, UNC6426, then used this access to abuse the GitHub-to-AWS OpenID Connect (OIDC) trust and create a new administrator role in the cloud environment."
"They used this role to steal files from the client's Amazon Web Services (AWS) Simple Storage Service (S3) buckets and destroy data in their production cloud environments."

In August 2025, a supply chain attack hit the nx npm package. Unknown hackers exploited a vulnerable pull_request_target workflow to gain higher privileges and access sensitive information, such as a GITHUB_TOKEN.
They then pushed trojanized versions of the package to the npm registry.
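
As an added example (not code from Google's report or from the nx project), the Python below audits an IAM role trust policy that federates to GitHub's OIDC provider, the kind of GitHub-to-AWS trust the report excerpt above names. The excerpt does not say how the victim's trust was scoped; the checks, the function names and the sample policies (account `123456789012`, `example-org/example-repo`) are assumptions constructed for illustration.

```python
GITHUB_OIDC = "token.actions.githubusercontent.com"

def _as_list(value):
    return value if isinstance(value, list) else [value]

def audit_github_oidc_trust(policy):
    """Return (statement_index, finding) pairs for statements trusting GitHub's OIDC provider."""
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement", []))):
        principal = stmt.get("Principal")
        if stmt.get("Effect") != "Allow" or not isinstance(principal, dict):
            continue
        federated = _as_list(principal.get("Federated", []))
        if not any(str(arn).endswith("oidc-provider/" + GITHUB_OIDC) for arn in federated):
            continue
        subs, has_aud = [], False
        for operator, block in stmt.get("Condition", {}).items():
            for key, value in block.items():
                claim = key.lower()  # IAM condition keys are case-insensitive
                if claim == GITHUB_OIDC + ":aud":
                    has_aud = True
                elif claim == GITHUB_OIDC + ":sub":  # '*' is a wildcard only under *Like operators
                    subs += [(v, "like" in operator.lower()) for v in _as_list(value)]
        if not has_aud:
            findings.append((idx, "no aud condition: token audience is not checked"))
        if not subs:
            findings.append((idx, "no sub condition: any GitHub repository can assume the role"))
        for sub, is_pattern in subs:
            prefix, _, rest = sub.partition(":")   # expected shape: repo:ORG/REPO:<ref or environment>
            repo, _, scope = rest.partition(":")
            if is_pattern and (prefix != "repo" or "*" in repo or "?" in repo):
                findings.append((idx, f"sub '{sub}' matches more than one repository"))
            elif is_pattern and ("*" in scope or "?" in scope):
                findings.append((idx, f"sub '{sub}' has a wildcard ref/environment scope in {repo}"))
    return findings

def sample_policy(condition):  # constructed sample trust policy, not taken from the report
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow", "Action": "sts:AssumeRoleWithWebIdentity",
        "Principal": {"Federated": "arn:aws:iam::123456789012:oidc-provider/" + GITHUB_OIDC},
        "Condition": condition}]}

BROAD = sample_policy({"StringEquals": {GITHUB_OIDC + ":aud": "sts.amazonaws.com"},
                       "StringLike": {GITHUB_OIDC + ":sub": "repo:example-org/*"}})
PINNED = sample_policy({"StringEquals": {
    GITHUB_OIDC + ":aud": "sts.amazonaws.com",
    GITHUB_OIDC + ":sub": "repo:example-org/example-repo:ref:refs/heads/main"}})
```

Feed it the `AssumeRolePolicyDocument` of each role returned by `aws iam list-roles`; an empty result means the GitHub trust is pinned to one repository and one ref or environment.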
The packages had a postinstall script that ran a JavaScript credential stealer called QUIETVAULT. The stealer used a Large Language Model (LLM) tool that was already on the endpoint to search for environment variables, system information, and valuable tokens, such as GitHub Personal Access Tokens (PATs). "The malicious intent is expressed in natural-language prompts rather than explicit network callbacks or hard-coded endpoints, complicating conventional detection approaches," the software supply chain security firm said.
"As AI assistants become more common in the work of developers, they also make it easier for hackers to get in." Any tool that can invoke these assistants inherits their reach.












