UNC6426's Rapid Exploitation of nx npm Supply Chain: A 72-Hour Breach to AWS Admin Access
Executive Summary
In August 2025, the threat actor UNC6426 exploited a supply chain vulnerability in the nx npm package to infiltrate a victim's cloud environment. The attackers published malicious versions of the nx package, which, when installed, exfiltrated developer credentials, including GitHub tokens. Utilizing these stolen tokens, UNC6426 gained unauthorized access to the victim's GitHub account, abused the GitHub-to-AWS OpenID Connect (OIDC) trust relationship to create a new AWS administrator role, and within 72 hours, exfiltrated data from Amazon S3 buckets and destroyed production environments. This incident underscores the escalating sophistication of supply chain attacks, where attackers leverage trusted relationships between development tools and cloud services to escalate privileges rapidly. The breach highlights the critical need for organizations to implement stringent security measures, such as enforcing the principle of least privilege, regularly rotating credentials, and monitoring for anomalous activities within their CI/CD pipelines and cloud environments.
Why This Matters Now
The UNC6426 attack exemplifies the growing threat of supply chain compromises, emphasizing the urgency for organizations to fortify their software development and deployment processes against such sophisticated attacks.
Attack Path Analysis
UNC6426 initiated the attack by compromising the nx npm package, leading to the theft of a developer's GitHub token. Utilizing this token, they escalated privileges by abusing the GitHub-to-AWS OpenID Connect trust to create a new AWS administrator role. With elevated access, they moved laterally within the AWS environment, accessing and exfiltrating data from S3 buckets. The attackers established command and control by deploying malicious scripts and maintaining persistent access. They exfiltrated sensitive data from the compromised S3 buckets. Finally, they inflicted impact by terminating production EC2 and RDS instances and making internal GitHub repositories public.
Kill Chain Progression
Initial Compromise
Description
UNC6426 compromised the nx npm package, leading to the theft of a developer's GitHub token.
MITRE ATT&CK® Techniques
Compromise Software Dependencies and Development Tools
Valid Accounts
Use Alternate Authentication Material: Application Access Token
Valid Accounts: Cloud Accounts
Account Manipulation
Data from Cloud Storage Object
Data Destruction
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Ensure the integrity of software and firmware
Control ID: 6.3.2
NYDFS 23 NYCRR 500 – Cybersecurity Policy
Control ID: 500.03
DORA – ICT Risk Management Framework
Control ID: Article 5
CISA ZTMM 2.0 – Identity and Access Management
Control ID: 3.1
NIS2 Directive – Security of Network and Information Systems
Control ID: Article 21
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Computer Software/Engineering
Supply chain attacks targeting npm packages directly compromise software development workflows, enabling credential theft and cloud infrastructure breaches within developer environments.
Information Technology/IT
GitHub-to-AWS OIDC trust abuse and administrator role escalation expose critical cloud infrastructure vulnerabilities, requiring enhanced zero trust segmentation and privilege controls.
Financial Services
Rapid 72-hour compromise timeline threatens regulated environments requiring HIPAA/PCI compliance, with data exfiltration risks necessitating enhanced egress security and anomaly detection.
Computer/Network Security
AI-assisted attack methodologies using LLMs for credential harvesting represent emerging threat vectors requiring updated detection approaches for shadow AI and prompt injection risks.
Sources
- UNC6426 Exploits nx npm Supply-Chain Attack to Gain AWS Admin Access in 72 Hourshttps://thehackernews.com/2026/03/unc6426-exploits-nx-npm-supply-chain.htmlVerified
- Cloud Threat Horizons Report H1 2026https://cloud.google.com/security/report/resources/cloud-threat-horizons-report-h1-2026?e=48754805#from-cicd-to-cloud-compromise-real-world-breach-using-openid-connect-abuse-9Verified
- Malicious Nx Packages in ‘s1ngularity’ Attack Leaked 2,349 GitHub, Cloud, and AI Credentialshttps://thehackernews.com/2025/08/malicious-nx-packages-in-s1ngularity.htmlVerified
Frequently Asked Questions
Cloud Native Security Fabric Mitigations and ControlsCNSF
Aviatrix Zero Trust CNSF is pertinent to this incident as it could have constrained the attacker's ability to escalate privileges, move laterally, and exfiltrate data by enforcing strict segmentation and identity-aware policies.
Control: Cloud Native Security Fabric (CNSF)
Mitigation: While Aviatrix CNSF may not prevent the initial compromise, it could limit the attacker's subsequent actions by enforcing strict access controls and segmentation.
Control: Zero Trust Segmentation
Mitigation: Aviatrix Zero Trust Segmentation could likely limit the attacker's ability to escalate privileges by enforcing strict identity-based access controls.
Control: East-West Traffic Security
Mitigation: Aviatrix East-West Traffic Security could likely constrain the attacker's lateral movement by enforcing strict segmentation and monitoring internal traffic.
Control: Multicloud Visibility & Control
Mitigation: Aviatrix Multicloud Visibility & Control could likely detect and limit unauthorized command and control activities by providing comprehensive monitoring and control across cloud environments.
Control: Egress Security & Policy Enforcement
Mitigation: Aviatrix Egress Security & Policy Enforcement could likely limit data exfiltration by enforcing strict outbound traffic policies and monitoring egress points.
While Aviatrix CNSF may not prevent the initial compromise, it could limit the attacker's ability to escalate privileges, move laterally, and exfiltrate data, thereby reducing the overall impact of the attack.
Impact at a Glance
Affected Business Functions
- Software Development
- Cloud Infrastructure Management
- Data Storage and Management
Estimated downtime: 3 days
Estimated loss: $50,000
Exposure of sensitive credentials including GitHub tokens and AWS keys, leading to unauthorized access and potential data exfiltration.
Recommended Actions
Key Takeaways & Next Steps
- • Implement Zero Trust Segmentation to enforce least privilege access and prevent unauthorized lateral movement within cloud environments.
- • Utilize East-West Traffic Security controls to monitor and restrict internal traffic, mitigating the risk of lateral movement by attackers.
- • Deploy Egress Security & Policy Enforcement mechanisms to control outbound traffic and prevent unauthorized data exfiltration.
- • Enhance Threat Detection & Anomaly Response capabilities to identify and respond to suspicious activities promptly.
- • Apply Cloud Native Security Fabric (CNSF) controls to enforce distributed policies and real-time inspection, reducing the risk of initial compromise and privilege escalation.
