In 2025, Mandiant found that the threat group UNC6426 had carried out a complex attack that used a compromised NPM package to take complete control of a client's AWS cloud environment in less than 72 hours. This article walks through that attack. The breach shows how supply-chain attacks and poorly configured cloud environments are becoming more dangerous, especially in automated pipelines.

Continuous Integration/Continuous Delivery (CI/CD) pipelines have changed the way software is made by automating testing and deployment. These pipelines are often linked directly to cloud environments like AWS and use OpenID Connect (OIDC) for identity management, which lets CI/CD tools authenticate to the cloud without hardcoded credentials. Mandiant's investigation shows that attackers are now targeting this identity layer, turning CI/CD systems into a direct route into cloud environments even when those systems look secure on paper.

[Figure: Path of the UNC6426 Attack (Source: Google)]

Phase 1: Infection of the supply chain (Nx Compromise)

The attack began with the compromise of the Nx NPM package, a well-known JavaScript framework. On August 24, 2025, the attackers inserted malicious code, tracked as QUIETVAULT, into the package. Whenever the package was installed or updated, its postinstall script ran and stole environment variables, system information, and sensitive tokens such as GitHub Personal Access Tokens (PATs).

Phase 2: Initial breach of a client through a corporate endpoint

An employee unknowingly ran a code editor that triggered the Nx Console update, which exposed the victim's business to the malicious package. The QUIETVAULT malware executed, stole the developer's GitHub PAT, and uploaded it to a public GitHub repository.

This compromised token gave the attackers access to the client's GitHub environment. The malware also used a Large Language Model (LLM) to enumerate the system's components in search of further targets.

Phase 3: Moving from GitHub to AWS with OIDC

Two days after the initial breach, UNC6426 used the stolen GitHub PAT to run NORDSTREAM, a tool that extracts secrets from CI/CD environments.

This tool exposed the credentials of a GitHub service account, which UNC6426 used to abuse the GitHub-to-AWS OIDC trust relationship. Through that trust they obtained temporary AWS Security Token Service (STS) tokens, which gave them access to the AWS environment.
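The OIDC trust abused in this phase is decided by the conditions on the IAM role's trust policy. As an added example (not from Mandiant's report or the victim's configuration), the following Python audit flags GitHub-federated statements whose `aud` claim is not pinned to STS or whose `sub` claim is missing or wildcarded, which is what determines which workflows can obtain STS tokens. The account id, organization and repository names in the sample policies are constructed placeholders.

```python
ISSUER = "token.actions.githubusercontent.com"
AUD_KEY, SUB_KEY = f"{ISSUER}:aud", f"{ISSUER}:sub"

def _as_list(v): return v if isinstance(v, list) else [v]

def _conditions(stmt):
    """Flatten IAM {operator: {key: value}} into {lowercased key: [values]}."""
    out = {}
    for kv in stmt.get("Condition", {}).values():
        for key, val in kv.items():
            out.setdefault(key.lower(), []).extend(_as_list(val))
    return out

def repo_pinned(sub):
    """True if the sub claim names a concrete org/repo: repo:<org>/<name>:<ref...>."""
    parts = sub.split(":")
    return len(parts) >= 3 and parts[0] == "repo" and "/" in parts[1] and "*" not in parts[1]

def audit_github_oidc_trust(policy_doc):
    """Return findings for every Allow statement that federates from GitHub's OIDC issuer."""
    findings = []
    for i, stmt in enumerate(policy_doc.get("Statement", [])):
        federated = " ".join(_as_list(stmt.get("Principal", {}).get("Federated", "")))
        if stmt.get("Effect") != "Allow" or ISSUER not in federated:
            continue  # not a GitHub OIDC federation statement
        if "sts:AssumeRoleWithWebIdentity" not in _as_list(stmt.get("Action", [])):
            continue
        cond = _conditions(stmt)
        if "sts.amazonaws.com" not in cond.get(AUD_KEY, []):
            findings.append(f"statement {i}: aud is not pinned to sts.amazonaws.com")
        subs = cond.get(SUB_KEY, [])
        if not subs:
            findings.append(f"statement {i}: no sub condition; a workflow in any GitHub repository can assume this role")
        for s in subs:
            if not repo_pinned(s):
                findings.append(f"statement {i}: sub '{s}' does not pin a specific org/repository")
    return findings

# Constructed sample trust policies; account id, org and repo are placeholders.
OIDC_PROVIDER = f"arn:aws:iam::123456789012:oidc-provider/{ISSUER}"
WEAK_TRUST = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": {"Federated": OIDC_PROVIDER},
    "Action": "sts:AssumeRoleWithWebIdentity",
    "Condition": {"StringEquals": {f"{ISSUER}:aud": "sts.amazonaws.com"}}}]}
HARDENED_TRUST = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": {"Federated": OIDC_PROVIDER},
    "Action": "sts:AssumeRoleWithWebIdentity",
    "Condition": {"StringEquals": {f"{ISSUER}:aud": "sts.amazonaws.com",
                                   f"{ISSUER}:sub": "repo:example-org/infra:ref:refs/heads/main"}}}]}
```

Running `audit_github_oidc_trust(WEAK_TRUST)` reports the missing `sub` condition, while the hardened policy returns no findings.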

Phase 4: Using CloudFormation to escalate privileges

Starting with limited access, the attackers used the compromised GitHub Actions CloudFormation role to deploy a new AWS stack with overly broad permissions. The stack created a new IAM role and attached the AdministratorAccess policy to it, giving UNC6426 full control of the AWS environment in less than 72 hours.

Phase 5: Impact, data theft and destruction

With full administrator access, UNC6426 enumerated and accessed sensitive data in S3 buckets, shut down critical EC2 and RDS instances, and decrypted application keys. UNC6426 also renamed private GitHub repositories and made them public, stealing valuable intellectual property. Fortunately, the victim organization detected the breach three days after it began and quickly remediated it, cutting off the unauthorized access.

But the attack shows how dangerous it is to place too much trust in CI/CD pipelines, and how important it is to protect every link in the software supply chain.