
This breach highlights the growing dangers of supply-chain attacks and misconfigured cloud environments, particularly in automated pipelines.
Continuous Integration / Continuous Delivery (CI/CD) pipelines have revolutionized software development by automating testing and deployment.
Linked directly to cloud environments such as AWS, these pipelines often use OpenID Connect (OIDC) for identity management, granting CI/CD tools permission to interact with the cloud without hardcoding credentials.
Although secure in theory, Mandiant’s investigation shows how attackers now target this identity layer, turning CI/CD systems into a direct access path into cloud environments.
UNC6426 Attack Path
Phase 1 – Supply Chain Infection (Nx Compromise)
The attack began with the compromise of the Nx NPM package, a popular JavaScript framework. On August 24, 2025, attackers injected malicious code named QUIETVAULT into the package.
This code executed a postinstall script designed to steal environment variables, system information, and critical tokens, including GitHub Personal Access Tokens (PATs), once the package was installed or updated.
Phase 2 – Initial Client Compromise Using Corporate Endpoint
The victim’s corporate environment was compromised when an employee unknowingly ran a code editor that triggered the Nx Console update. The QUIETVAULT malware executed, stealing the developer’s GitHub PAT and uploading it to a public GitHub repository.
This compromised token gave the attackers access to the client’s GitHub environment. The malware also leveraged a Large Language Model (LLM) to attempt system enumeration and find additional targets within the system.
Phase 3 – Pivot: From GitHub to AWS Using OIDC
Two days after the initial compromise, UNC6426 used the stolen GitHub PAT to run NORDSTREAM, a tool designed to extract secrets from CI/CD environments.
This tool exposed the credentials of a GitHub service account, which UNC6426 used to leverage the GitHub-to-AWS OIDC trust relationship. By exploiting this trust, they obtained temporary AWS Security Token Service (STS) tokens, which granted them access to the AWS environment.
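The OIDC pivot works only as far as the role's trust policy lets it. The following added example (not from the report or from any of the tools it names) audits an IAM role trust policy for the GitHub Actions OIDC provider, flagging a missing `aud` pin and a `sub` claim that is absent, wildcarded across repositories, or left open to every branch; the account ID, organisation and repository names in the two sample policies are constructed.

```python
import json

GITHUB_OIDC = "token.actions.githubusercontent.com"

def _sub_findings(op: str, value: str) -> list[str]:
    """Check one value of the sub condition (repo:<owner>/<name>:<ref or environment claim>)."""
    if value == "*" or not value.startswith("repo:"):
        return [f"sub not scoped to a repository: {value!r}"]
    parts = value.split(":")
    if "*" in parts[1]:
        return [f"sub wildcard matches more than one repository: {value!r}"]
    if len(parts) < 3 or ("StringLike" in op and "*" in ":".join(parts[2:])):
        return [f"sub permits any branch/tag/environment of {parts[1]}: {value!r}"]
    return []

def audit_github_oidc_trust(policy_doc: dict) -> list[str]:
    """Return findings for every Allow statement that federates the GitHub OIDC provider."""
    findings = []
    for stmt in policy_doc.get("Statement", []):
        federated = str(stmt.get("Principal", {}).get("Federated", ""))
        if stmt.get("Effect") != "Allow" or GITHUB_OIDC not in federated:
            continue
        # Flatten {operator: {key: value}} into {key: [(operator, [values])]}; IAM keys are case-insensitive.
        conds: dict[str, list] = {}
        for op, pairs in stmt.get("Condition", {}).items():
            for key, val in pairs.items():
                conds.setdefault(key.lower(), []).append((op, val if isinstance(val, list) else [val]))
        aud = conds.get(f"{GITHUB_OIDC}:aud")
        if not aud or any("sts.amazonaws.com" not in vals for _, vals in aud):
            findings.append("aud not pinned to sts.amazonaws.com")
        sub = conds.get(f"{GITHUB_OIDC}:sub")
        if not sub:
            findings.append("no sub condition: any GitHub Actions workflow can assume this role")
        for op, vals in sub or []:
            for v in vals:
                findings.extend(_sub_findings(op, v))
    return findings

# Constructed sample policies (not from the incident): a weak trust and its hardened form.
WEAK_TRUST = json.loads("""{"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
  "Principal": {"Federated": "arn:aws:iam::111122223333:oidc-provider/token.actions.githubusercontent.com"},
  "Action": "sts:AssumeRoleWithWebIdentity",
  "Condition": {"StringLike": {"token.actions.githubusercontent.com:sub": "repo:*"}}}]}""")
HARDENED_TRUST = json.loads("""{"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
  "Principal": {"Federated": "arn:aws:iam::111122223333:oidc-provider/token.actions.githubusercontent.com"},
  "Action": "sts:AssumeRoleWithWebIdentity",
  "Condition": {"StringEquals": {"token.actions.githubusercontent.com:aud": "sts.amazonaws.com",
    "token.actions.githubusercontent.com:sub": "repo:example-org/example-app:ref:refs/heads/main"}}}]}""")

if __name__ == "__main__":
    for name, doc in (("weak", WEAK_TRUST), ("hardened", HARDENED_TRUST)):
        print(name, audit_github_oidc_trust(doc) or ["OK"])
```

Run against `aws iam get-role --query Role.AssumeRolePolicyDocument` output for each role that GitHub Actions can assume; an empty list means the trust is pinned to one repository, one ref and the STS audience.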
Phase 4 – Privilege Escalation Using CloudFormation
With this limited initial access, the attackers used the compromised GitHub Actions CloudFormation role to deploy a new CloudFormation stack with overly permissive permissions.
This stack created a new IAM role and attached the AdministratorAccess policy, granting UNC6426 full administrative privileges over the AWS environment in less than 72 hours.
Phase 5 – Impact: Data Exfiltration and Destruction
With full administrator access, UNC6426 enumerated and accessed sensitive data in S3 buckets, terminated critical EC2 and RDS instances, and decrypted application keys.
UNC6426 also renamed internal GitHub repositories and made them public, exfiltrating valuable intellectual property.
Fortunately, the victim organization detected the breach three days after the initial compromise and quickly contained the incident, removing unauthorized access.
However, the attack highlights the risks posed by overly permissive trust in CI/CD pipelines. It underscores the importance of securing every component of the software supply chain.
The post UNC6426 Turns NPM Supply‑Chain Breach Into Full AWS Admin Access appeared first on Cyber Security News.
