Nx: Nx npm supply chain hack weaponized to breach cloud environment

UNC6426 Exploits npm Supply Chain Attack to Compromise AWS Environment in 72 Hours

A threat group identified as UNC6426 achieved full compromise of an organization’s AWS environment within 72 hours by leveraging credentials stolen during the August npm supply chain attack targeting Nx, an open-source codebase management platform. The findings, detailed in Google’s Cloud Threat Horizons Report for H1 2026, highlight a rapid and multi-stage intrusion.

After exfiltrating keys in the initial attack, UNC6426 accessed the victim’s GitHub repository, enumerated the environment, and exploited the CI/CD pipeline to obtain AWS API keys. Using these credentials, the group generated temporary AWS Security Token Service (STS) tokens to infiltrate the AWS environment, where they:

  • Enumerated and accessed S3 bucket objects
  • Terminated production EC2 and RDS instances
  • Decrypted application keys
  • Renamed and made public the organization’s GitHub repositories

The attack underscores the risks of supply chain compromises and the need for enhanced security controls, including package managers that restrict postinstall scripts, sandboxing tools, and monitoring for suspicious IAM activity. The incident also highlights vulnerabilities tied to shadow AI deployments.
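As an added defensive example (not code from the SC World brief or from Google's report), the following Python detector scans constructed CloudTrail-style events for the chain described above: a long-lived IAM access key minting STS credentials whose temporary key then enumerates S3 or performs destructive EC2, RDS or KMS actions within the 72-hour window. Field names follow CloudTrail's record format; the key ids, timestamps and the sample trail itself are placeholders, not real data.

```python
from datetime import datetime, timedelta

# Actions worth flagging when performed by freshly minted STS credentials.
ENUMERATION = {"s3:ListBuckets", "s3:ListObjects", "s3:GetObject"}
DESTRUCTIVE = {"ec2:TerminateInstances", "rds:DeleteDBInstance", "kms:Decrypt"}
WINDOW = timedelta(hours=72)  # the intrusion window reported for UNC6426
STS_MINT = ("GetSessionToken", "AssumeRole")

def action(ev):
    # "ec2.amazonaws.com" + "TerminateInstances" -> "ec2:TerminateInstances"
    return ev["eventSource"].split(".")[0] + ":" + ev["eventName"]

def ts(ev):
    return datetime.fromisoformat(ev["eventTime"].replace("Z", "+00:00"))

def find_suspicious_sessions(events, window=WINDOW):
    """Map each long-lived key (AKIA...) that minted STS credentials to the
    flagged actions its temporary credentials performed within `window`."""
    events = sorted(events, key=ts)
    minted = {}  # temporary key id -> (parent long-lived key id, mint time)
    for ev in events:
        if ev["eventSource"] == "sts.amazonaws.com" and ev["eventName"] in STS_MINT:
            parent = ev["userIdentity"].get("accessKeyId", "")
            temp = ev.get("responseElements", {}).get("credentials", {}).get("accessKeyId")
            if parent.startswith("AKIA") and temp:
                minted[temp] = (parent, ts(ev))
    findings = {}
    for ev in events:
        hit = minted.get(ev["userIdentity"].get("accessKeyId"))
        if hit and action(ev) in ENUMERATION | DESTRUCTIVE and hit[1] <= ts(ev) <= hit[1] + window:
            findings.setdefault(hit[0], []).append(action(ev))
    return findings

def _ev(t, source, name, key, temp=None):
    """Build a minimal CloudTrail-like record (constructed sample data)."""
    ev = {"eventTime": t, "eventSource": source, "eventName": name, "userIdentity": {"accessKeyId": key}}
    if temp:  # STS responses carry the temporary key id they issued
        ev["responseElements"] = {"credentials": {"accessKeyId": temp}}
    return ev

SAMPLE_TRAIL = [  # constructed, not real; key ids and times are placeholders
    _ev("2025-09-01T10:00:00Z", "sts.amazonaws.com", "GetSessionToken", "AKIAEXAMPLECIKEY0001", temp="ASIAEXAMPLETEMP00001"),
    _ev("2025-09-01T10:05:00Z", "s3.amazonaws.com", "ListBuckets", "ASIAEXAMPLETEMP00001"),
    _ev("2025-09-01T10:30:00Z", "ec2.amazonaws.com", "DescribeInstances", "ASIAEXAMPLETEMP00001"),  # not flagged
    _ev("2025-09-02T08:00:00Z", "ec2.amazonaws.com", "TerminateInstances", "ASIAEXAMPLETEMP00001"),
    _ev("2025-09-02T08:10:00Z", "rds.amazonaws.com", "DeleteDBInstance", "ASIAEXAMPLETEMP00001"),
    _ev("2025-09-02T08:20:00Z", "kms.amazonaws.com", "Decrypt", "ASIAEXAMPLETEMP00001"),
]
```

Running `find_suspicious_sessions(SAMPLE_TRAIL)` attributes the four flagged actions back to the long-lived CI key that minted the session, which is the pivot an alert should name.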

Source: https://www.scworld.com/brief/nx-npm-supply-chain-hack-weaponized-to-breach-aws-environment

Nx cybersecurity rating report: https://www.rankiteo.com/company/nx

{
  "id": "NX1773383570",
  "linkid": "nx",
  "type": "Cyber Attack",
  "date": "3/2026",
  "severity": "100",
  "impact": "5",
  "explanation": "Attack threatening the organization's existence"
}
{
  "affected_entities": [{"type": "Organization"}],
  "attack_vector": ["Stolen Credentials", "CI/CD Pipeline Exploitation"],
  "data_breach": {
    "data_encryption": "Decrypted application keys",
    "sensitivity_of_data": "High",
    "type_of_data_compromised": ["AWS API keys", "Application keys", "S3 bucket objects"]
  },
  "date_publicly_disclosed": "2026-01-01",
  "description": "A threat group identified as UNC6426 achieved full compromise of an organization’s AWS environment within 72 hours by leveraging credentials stolen during the August npm supply chain attack targeting Nx, an open-source codebase management platform. The group accessed the victim’s GitHub repository, enumerated the environment, and exploited the CI/CD pipeline to obtain AWS API keys. Using these credentials, they generated temporary AWS Security Token Service (STS) tokens to infiltrate the AWS environment, where they enumerated and accessed S3 bucket objects, terminated production EC2 and RDS instances, decrypted application keys, and renamed and made public the organization’s GitHub repositories.",
  "impact": {
    "brand_reputation_impact": "Public exposure of GitHub repositories",
    "data_compromised": "AWS API keys, application keys, S3 bucket objects",
    "operational_impact": "Termination of production EC2 and RDS instances",
    "systems_affected": ["AWS environment", "GitHub repositories", "CI/CD pipeline"]
  },
  "initial_access_broker": {"entry_point": "npm supply chain attack (Nx platform)"},
  "lessons_learned": "The attack underscores the risks of supply chain compromises and the need for enhanced security controls, including package managers that restrict postinstall scripts, sandboxing tools, and monitoring for suspicious IAM activity.",
  "post_incident_analysis": {"root_causes": "Supply chain compromise, stolen credentials, CI/CD pipeline exploitation"},
  "recommendations": [
    "Restrict postinstall scripts in package managers",
    "Implement sandboxing tools",
    "Monitor for suspicious IAM activity",
    "Address vulnerabilities tied to shadow AI deployments"
  ],
  "references": [{"date_accessed": "2026-01-01", "source": "Google Cloud Threat Horizons Report"}],
  "threat_actor": "UNC6426",
  "title": "UNC6426 Exploits npm Supply Chain Attack to Compromise AWS Environment in 72 Hours",
  "type": "Supply Chain Attack",
  "vulnerability_exploited": "npm supply chain compromise (Nx platform)"
}