UNC6426 Exploit nx npm supply chain attack to gain AWS administrator access within 72 hours

Ravi Lakshmanan, March 11, 2026 | DevSecOps / AI Security

The threat actor tracked as UNC6426 used credentials stolen in last year’s nx npm package supply chain breach to fully compromise a victim’s cloud environment within 72 hours.

The attack began with the theft of a developer’s GitHub token, which the threat actor used to gain unauthorized access to the cloud and steal data.

“Threat actor UNC6426 used this access to exploit the OpenID Connect (OIDC) trust between GitHub and AWS and created a new administrator role in their cloud environment,” Google said in its Cloud Threat Horizons report for the first half of 2026. “They exploited this role to exfiltrate files from the client’s Amazon Web Services (AWS) Simple Storage Service (S3) bucket and perform data destruction in the production cloud environment.”

The supply chain attack on the nx npm package took place in August 2025. In that incident, an unknown attacker exploited a vulnerable pull_request_target workflow (an attack type known as a Pwn Request) to gain elevated privileges, read sensitive data including the GITHUB_TOKEN, and ultimately push a trojanized version of the package to the npm registry.

The trojanized package carried an embedded post-install script that launched a JavaScript credential stealer named QUIETVAULT. The stealer harvested environment variables, system information, and GitHub Personal Access Tokens (PATs), weaponizing the Large Language Model (LLM) tooling already installed on the endpoint to perform the searches. The data was uploaded to a public GitHub repository named ‘s1ngularity-repository-1’.

According to Google, an employee of the victim organization ran a code editor with the Nx Console plugin installed; the plugin triggered an update that caused QUIETVAULT to execute.

Two days after the initial compromise, UNC6426 reportedly used the stolen PAT to begin reconnaissance in the victim’s GitHub environment, running the legitimate open source tool Nord Stream to extract secrets from the CI/CD environment and expose GitHub service account credentials.

The attackers then used this service account together with the utility’s `--aws-role` parameter to obtain temporary AWS Security Token Service (STS) credentials for the “Actions-CloudFormation” role, giving them a foothold in the victim’s AWS environment.

“The compromised Github-Actions-CloudFormation role was overly permissive,” Google said. “UNC6426 used this permission to deploy a new AWS stack with the [“CAPABILITY_NAMED_IAM”, “CAPABILITY_IAM”] capabilities. The sole purpose of this stack was to create a new IAM role and attach the arn:aws:iam::aws:policy/AdministratorAccess policy to it. UNC6426 successfully escalated the stolen token to full AWS administrator privileges within 72 hours.”

Equipped with the new administrator role, the attacker enumerated and accessed objects in an S3 bucket, terminated production Elastic Compute Cloud (EC2) and Relational Database Service (RDS) instances, and decrypted application keys. In the final stage, all of the victim’s internal GitHub repositories were renamed to ‘s1ngularity-repository-[random characters]’ and made public.
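The stack-deploy-then-attach-AdministratorAccess sequence described above leaves a distinctive trail in CloudTrail: a CI principal calls CreateStack with IAM capabilities, and CloudFormation then issues IAM calls with that principal’s credentials. The following detection logic is an added example, not code from the report or from Google; it runs over constructed CloudTrail records, and the account id, session name, stack and new-role names are made up. The CI-role naming prefix is an assumption about the account being monitored.

```python
"""Flag CloudTrail events that follow the CloudFormation-to-IAM escalation
path described above. Added example, not code from Google's report or from
any vendor tool. The account id, session name, stack name and new role name
are constructed; the Github-Actions-CloudFormation role name and the
AdministratorAccess policy ARN are the ones quoted in the article."""
from collections import defaultdict

ADMIN_POLICY_ARN = "arn:aws:iam::aws:policy/AdministratorAccess"
IAM_CAPABILITIES = {"CAPABILITY_IAM", "CAPABILITY_NAMED_IAM"}
CFN_SERVICE = "cloudformation.amazonaws.com"
# Assumption: CI/CD roles in this account share a naming prefix.
CI_ROLE_PREFIXES = ("Github-Actions-",)

# Constructed identity of an OIDC-assumed CI role (not real log data).
CI_IDENTITY = {
    "type": "AssumedRole",
    "arn": "arn:aws:sts::111122223333:assumed-role/Github-Actions-CloudFormation/GitHubActions",
}

# Constructed CloudTrail records, trimmed to the fields the rules read.
# Event 1 is benign; events 2-4 reproduce the reported sequence.
SAMPLE_EVENTS = [
    {"eventName": "GetObject", "eventSource": "s3.amazonaws.com",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::111122223333:assumed-role/app-reader/i-0abc"},
     "requestParameters": {"bucketName": "example-assets", "key": "index.html"}},
    {"eventName": "CreateStack", "eventSource": CFN_SERVICE,
     "userIdentity": CI_IDENTITY,
     "requestParameters": {"stackName": "deploy-1",
                           "capabilities": ["CAPABILITY_NAMED_IAM", "CAPABILITY_IAM"]}},
    # CloudFormation acts with the caller's credentials, so CloudTrail keeps the
    # CI role as userIdentity and records the service in invokedBy.
    {"eventName": "CreateRole", "eventSource": "iam.amazonaws.com",
     "userIdentity": {**CI_IDENTITY, "invokedBy": CFN_SERVICE},
     "requestParameters": {"roleName": "new-role"}},
    {"eventName": "AttachRolePolicy", "eventSource": "iam.amazonaws.com",
     "userIdentity": {**CI_IDENTITY, "invokedBy": CFN_SERVICE},
     "requestParameters": {"roleName": "new-role", "policyArn": ADMIN_POLICY_ARN}},
]


def principal_role(event):
    """Role name behind an AssumedRole identity, or None for other identity types."""
    ident = event.get("userIdentity", {})
    if ident.get("type") != "AssumedRole":
        return None
    # assumed-role ARN layout: arn:aws:sts::<acct>:assumed-role/<RoleName>/<Session>
    parts = ident.get("arn", "").split("/")
    return parts[1] if len(parts) >= 3 else None


def is_ci_principal(role_name):
    return bool(role_name) and role_name.startswith(CI_ROLE_PREFIXES)


def _finding(severity, rule, role, event):
    return {"severity": severity, "rule": rule, "role": role,
            "event": event.get("eventName")}


def analyze(events):
    """Return findings in event order; correlation across events raises severity."""
    findings = []
    iam_capable_stacks = defaultdict(list)  # CI role -> stacks created with IAM capabilities
    for ev in events:
        role = principal_role(ev)
        name = ev.get("eventName")
        params = ev.get("requestParameters") or {}
        invoked_by = ev.get("userIdentity", {}).get("invokedBy")
        via_cfn_from_ci = invoked_by == CFN_SERVICE and role in iam_capable_stacks
        if name == "CreateStack" and is_ci_principal(role):
            caps = set(params.get("capabilities") or [])
            if caps & IAM_CAPABILITIES:
                iam_capable_stacks[role].append(params.get("stackName"))
                findings.append(_finding("medium", "ci-role-createstack-with-iam-capabilities", role, ev))
        elif name == "CreateRole" and via_cfn_from_ci:
            findings.append(_finding("high", "cloudformation-created-role-for-ci-principal", role, ev))
        elif name == "AttachRolePolicy" and params.get("policyArn") == ADMIN_POLICY_ARN:
            # Always worth an alert; critical when it completes the stack sequence above.
            severity = "critical" if via_cfn_from_ci else "high"
            findings.append(_finding(severity, "administratoraccess-attached", role, ev))
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f"[{f['severity']}] {f['rule']} role={f['role']} event={f['event']}")
```

The AttachRolePolicy rule fires on its own for any AdministratorAccess attachment; the correlation with a preceding IAM-capable CreateStack by the same CI role only raises the severity, so a missed earlier event does not suppress the alert.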

Recommended mitigations include using a package manager that blocks post-install scripts along with sandboxing tools, enforcing the principle of least privilege (PoLP) on CI/CD service accounts and OIDC-linked roles, issuing fine-grained PATs with short expiration times and specific repository permissions, removing standing permissions for risky actions such as creating administrator roles, monitoring for anomalous IAM activity, and implementing strong controls to detect shadow AI risks.
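Two of the recommendations above, least privilege on OIDC-linked roles and removing standing permission to create administrator roles, can be checked mechanically against a role’s JSON. The linter below is an added example, not code from the report or from any AWS or GitHub tool; it shows a trust policy and a deploy-role policy of the overly permissive kind described, each beside a hardened version. The account id, organization, repository, role and stack names are constructed placeholders.

```python
"""Lint a GitHub-to-AWS OIDC deployment role: the trust policy conditions and
the permissions the role carries. Added example, not code from Google's
report or from any AWS or GitHub tool. Account id, org, repo, role and stack
names are constructed placeholders."""
import fnmatch

GITHUB_OIDC_HOST = "token.actions.githubusercontent.com"

# IAM actions that let a CI role mint new privileges. CloudFormation runs with
# the caller's permissions unless a separate service role is passed, so a
# "deploy" role holding these on Resource "*" can create an admin role.
PRIVILEGE_GRANTING_ACTIONS = {
    "iam:CreateRole", "iam:AttachRolePolicy", "iam:PutRolePolicy",
    "iam:CreatePolicy", "iam:CreatePolicyVersion",
    "iam:UpdateAssumeRolePolicy", "iam:PassRole",
}

OIDC_PROVIDER_ARN = f"arn:aws:iam::111122223333:oidc-provider/{GITHUB_OIDC_HOST}"

# Constructed: trusts any repository in the org and ignores the audience claim.
WEAK_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": OIDC_PROVIDER_ARN},
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": {"StringLike": {f"{GITHUB_OIDC_HOST}:sub": "repo:example-org/*"}},
    }],
}

# Constructed: pinned to one repository's main branch and to the STS audience.
HARDENED_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": OIDC_PROVIDER_ARN},
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": {"StringEquals": {
            f"{GITHUB_OIDC_HOST}:aud": "sts.amazonaws.com",
            f"{GITHUB_OIDC_HOST}:sub": "repo:example-org/infra:ref:refs/heads/main",
        }},
    }],
}

# Constructed: the shape of an "overly permissive" deploy role.
WEAK_CI_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": ["cloudformation:*", "iam:*"], "Resource": "*"}],
}

# Constructed: stack operations on named stacks only; IAM work is delegated to
# a dedicated CloudFormation service role that this role may only pass.
HARDENED_CI_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["cloudformation:CreateStack", "cloudformation:UpdateStack",
                    "cloudformation:DescribeStacks"],
         "Resource": "arn:aws:cloudformation:us-east-1:111122223333:stack/infra-*/*"},
        {"Effect": "Allow", "Action": "iam:PassRole",
         "Resource": "arn:aws:iam::111122223333:role/cfn-deploy-service-role",
         "Condition": {"StringEquals": {"iam:PassedToService": "cloudformation.amazonaws.com"}}},
    ],
}


def _as_list(value):
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def audit_trust_policy(doc):
    """List problems in statements that let GitHub's OIDC provider assume the role."""
    issues = []
    for st in _as_list(doc.get("Statement")):
        if st.get("Effect") != "Allow":
            continue
        if "sts:AssumeRoleWithWebIdentity" not in _as_list(st.get("Action")):
            continue
        federated = _as_list(st.get("Principal", {}).get("Federated"))
        if not any(GITHUB_OIDC_HOST in f for f in federated):
            continue
        aud, subs = None, []
        for values in st.get("Condition", {}).values():
            for key, value in values.items():
                if key == f"{GITHUB_OIDC_HOST}:aud":
                    aud = _as_list(value)
                elif key == f"{GITHUB_OIDC_HOST}:sub":
                    subs.extend(_as_list(value))
        if aud is None:
            issues.append("no aud condition: tokens minted for any audience are accepted")
        if not subs:
            issues.append("no sub condition: any GitHub repository can assume the role")
        for sub in subs:
            # "repo:org/*" trusts every repo in the org; "repo:org/name:*" trusts
            # every branch, tag and pull request of that repo.
            if "/*" in sub or sub.endswith(":*"):
                issues.append(f"sub pattern is too broad: {sub}")
    return issues


def audit_permissions_policy(doc):
    """List Allow statements granting privilege-creating IAM actions on Resource "*"."""
    risky = []
    for st in _as_list(doc.get("Statement")):
        if st.get("Effect") != "Allow" or "*" not in _as_list(st.get("Resource")):
            continue
        for pattern in _as_list(st.get("Action")):
            grants = sorted(a for a in PRIVILEGE_GRANTING_ACTIONS
                            if fnmatch.fnmatchcase(a.lower(), pattern.lower()))
            if grants:
                risky.append({"action": pattern, "grants": grants})
    return risky
```

The permissions check deliberately keys on `Resource: "*"`: a deploy role that can pass only one named service role, scoped with `iam:PassedToService`, passes the lint, while `iam:*` on everything (the shape that let a stack create an administrator role) is reported with the exact actions it grants.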

The incident illustrates what Socket has described as AI-powered supply chain abuse, in which execution is offloaded to an AI agent that already holds privileged access to a developer’s file system, credentials, and authenticated tools.

“Malicious intent is expressed through natural language prompts rather than explicit network callbacks or hard-coded endpoints, complicating traditional detection approaches,” the software supply chain security firm said. “As AI assistants become more integrated into developer workflows, the attack surface also expands. Any tool that can invoke an AI assistant will inherit that scope.”
