A threat actor known as UNC6426 used credentials stolen via an August 2025 supply-chain compromise of the nx npm package to fully breach a victim's cloud environment within 72 hours. They weaponized a postinstall script that deployed the QUIETVAULT credential stealer, abused GitHub-to-AWS OIDC trust to create an Administrator role via CloudFormation, exfiltrated S3 data, and destroyed production resources. #UNC6426 #QUIETVAULT
Keypoints
- The nx npm package was trojanized through a Pwn Request attack, exposing a developer's GITHUB_TOKEN.
- QUIETVAULT, a JavaScript credential stealer, used an LLM to find and exfiltrate environment variables and tokens to a public GitHub repo.
- UNC6426 used stolen PATs and the Nord Stream tool to leak a GitHub service account and generate AWS STS tokens via the 'aws-role' parameter.
- By abusing GitHub-to-AWS OIDC and deploying a CloudFormation stack with IAM capabilities, the attacker created an Administrator role and gained full AWS admin access in under 72 hours.
- The actor exfiltrated S3 data, terminated EC2 and RDS instances, decrypted application keys, and made internal GitHub repos public; mitigations include disabling postinstall scripts, enforcing least privilege, fine-grained short-lived PATs, removing standing privileges, and monitoring IAM and Shadow AI risks.
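The OIDC abuse above works when an IAM role trusts GitHub's OIDC provider without pinning the token's `sub` claim to a specific repository and branch, so a workflow running anywhere in GitHub (or in a repo the attacker controls) can assume the role. The checker below is an added example, not code from the report or from any of the projects named; it scans IAM role trust-policy documents (constructed samples are embedded) and flags GitHub OIDC trusts that are missing a `sub` condition or use a wildcard, which is the least-privilege check a defender would run across an AWS account after reading this incident.

```python
"""Flag IAM role trust policies that let any GitHub Actions workflow assume the role.

GitHub's OIDC `sub` claim looks like `repo:OWNER/REPO:ref:refs/heads/main`.
A trust policy that omits the `sub` condition, or wildcards it, lets workflows
from other repositories (including attacker-controlled ones) mint AWS STS
credentials, which is the trust abuse the UNC6426 intrusion relied on.
"""

GITHUB_OIDC = "token.actions.githubusercontent.com"


def _as_list(value):
    """IAM policy fields may be a scalar or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _sub_findings(index: int, sub: str) -> list:
    """Analyse one `sub` pattern and return human-readable findings (empty if tight)."""
    if sub.strip() == "*":
        return [f"statement {index}: sub '*' trusts every GitHub repository"]
    parts = sub.split(":")
    if parts[0] != "repo" or len(parts) < 2:
        return [f"statement {index}: sub '{sub}' is not a repo-scoped claim"]
    repo = parts[1]
    if "*" in repo:
        return [f"statement {index}: sub '{sub}' wildcards the repository/owner"]
    ref = parts[2:]
    if not ref or ref == ["*"]:
        return [f"statement {index}: sub '{sub}' allows any branch, tag, environment or pull request"]
    return []


def github_oidc_findings(trust_policy: dict) -> list:
    """Return findings for Allow statements that trust GitHub OIDC too broadly."""
    findings = []
    for i, stmt in enumerate(_as_list(trust_policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        federated = _as_list(principal.get("Federated", [])) if isinstance(principal, dict) else []
        if not any(GITHUB_OIDC in p for p in federated):
            continue  # not a GitHub OIDC trust; out of scope for this check
        sub_values = []
        for _operator, pairs in stmt.get("Condition", {}).items():
            for key, val in pairs.items():
                if key.lower() == f"{GITHUB_OIDC}:sub":
                    sub_values.extend(_as_list(val))
        if not sub_values:
            findings.append(f"statement {i}: no sub condition; any GitHub workflow can assume this role")
            continue
        for sub in sub_values:
            findings.extend(_sub_findings(i, sub))
    return findings


# Constructed sample policies (hypothetical account id and repo names).
PROVIDER_ARN = f"arn:aws:iam::123456789012:oidc-provider/{GITHUB_OIDC}"

NO_CONDITION_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": PROVIDER_ARN},
        "Action": "sts:AssumeRoleWithWebIdentity",
    }],
}

WEAK_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": PROVIDER_ARN},
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": {"StringLike": {f"{GITHUB_OIDC}:sub": "repo:example-org/*"}},
    }],
}

HARDENED_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": PROVIDER_ARN},
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": {
            "StringEquals": {
                f"{GITHUB_OIDC}:aud": "sts.amazonaws.com",
                f"{GITHUB_OIDC}:sub": "repo:example-org/infra:ref:refs/heads/main",
            }
        },
    }],
}


if __name__ == "__main__":
    for name, policy in [("no-condition", NO_CONDITION_TRUST_POLICY),
                         ("weak", WEAK_TRUST_POLICY),
                         ("hardened", HARDENED_TRUST_POLICY)]:
        print(name, github_oidc_findings(policy) or "OK")
```

In a real account the documents come from `iam:GetRole` (the `AssumeRolePolicyDocument` field) for every role; a role like the hardened sample still deserves a look at its permission policy, since a pinned `sub` limits who can assume the role but not what the role can do, and the CloudFormation-with-IAM-capabilities step in this intrusion shows why the latter matters.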
Read More: https://thehackernews.com/2026/03/unc6426-exploits-nx-npm-supply-chain.html