A threat actor tracked as UNC6426 has demonstrated just how devastating a single supply chain compromise can be — using credentials stolen from the nx npm package breach in August 2025 to fully take over a victim's AWS cloud environment in less than 72 hours. What started as a developer running a routine plugin update ended with attackers holding full AWS administrator access, production servers terminated, application databases destroyed, and every internal GitHub repository renamed and made public. The attack was documented in Google's Cloud Threat Horizons Report for H1 2026 and serves as a stark real-world case study in how supply chain breaches have long tails — the initial compromise happened months earlier, but the consequences arrived suddenly and catastrophically.
Affected products
- nx npm package (compromised August 2025 via the s1ngularity supply chain attack)
- Nx Console VS Code plugin
- GitHub Actions with GitHub-to-AWS OIDC trust configurations
- AWS IAM roles with overly permissive CloudFormation capabilities
How to Fix
Step-by-step remediation
If your organization or development team used nx packages before September 2025, the first step is to assume potential compromise and conduct a full credential audit:

- Rotate every GitHub token, AWS access key, and CI/CD secret that existed on developer machines during that window.
- For AWS specifically, review your GitHub-to-AWS OIDC trust configuration immediately. The vulnerability that made this attack so devastating was an overly permissive IAM role — one that should never have had the ability to create new IAM roles and attach AdministratorAccess to them.
- Audit every IAM role accessible from GitHub Actions and apply the principle of least privilege ruthlessly.
- Enable AWS CloudTrail across all regions if you haven't already, and set up automated alerts for any new IAM role creation, AdministratorAccess policy attachments, and unusual CloudFormation stack deployments.
- Going forward, replace static long-lived credentials in your CI/CD pipelines with just-in-time temporary credentials using AWS STS — these expire automatically and dramatically limit the damage window if they are ever stolen.
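The two audit steps above (review the OIDC trust configuration, then strip the role's ability to create roles and attach policies) can be checked mechanically. The script below is an added example, not code from the report or from any AWS or GitHub tooling: it takes a role's trust policy and permission policy as plain dictionaries and reports the over-broad patterns the article describes. The policy documents, the `example-org` repository names and the account id `111122223333` (the AWS documentation placeholder) are constructed samples.

```python
"""Audit an AWS IAM role that GitHub Actions assumes through OIDC for the two
weaknesses called out above: a trust policy not pinned to one repository and
branch, and permissions that let the role create a new IAM role and attach a
policy to it. Added example; policy documents are constructed samples."""
import fnmatch

GITHUB_OIDC = "token.actions.githubusercontent.com"

# IAM actions that let a CI/CD principal escalate to a new administrator role.
ESCALATION_ACTIONS = {
    "iam:createrole", "iam:attachrolepolicy", "iam:putrolepolicy",
    "iam:passrole", "iam:createpolicyversion", "iam:updateassumerolepolicy",
}
CFN_DEPLOY_ACTIONS = {"cloudformation:createstack", "cloudformation:updatestack"}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _sub_findings(sub):
    """Check one 'sub' claim pattern, e.g. repo:org/name:ref:refs/heads/main."""
    if not sub.startswith("repo:"):
        return [f"trust: unexpected sub pattern {sub!r}"]
    repo_part, _, ref_part = sub[len("repo:"):].partition(":")
    owner, _, name = repo_part.partition("/")
    out = []
    if not name or "*" in owner or "*" in name:
        out.append(f"trust: sub {sub!r} is not pinned to a single repository")
    if ref_part in ("", "*"):
        out.append(f"trust: sub {sub!r} allows any branch, tag, environment or pull request")
    return out


def audit_trust_policy(trust):
    """Findings for statements that federate with GitHub's OIDC provider."""
    findings = []
    for stmt in _as_list(trust.get("Statement", [])):
        principal = stmt.get("Principal", {})
        federated = _as_list(principal.get("Federated", [])) if isinstance(principal, dict) else []
        if stmt.get("Effect") != "Allow" or not any(GITHUB_OIDC in f for f in federated):
            continue
        cond = stmt.get("Condition", {})
        if cond.get("StringEquals", {}).get(f"{GITHUB_OIDC}:aud") != "sts.amazonaws.com":
            findings.append("trust: aud is not pinned to sts.amazonaws.com")
        subs = _as_list(cond.get("StringLike", {}).get(f"{GITHUB_OIDC}:sub")
                        or cond.get("StringEquals", {}).get(f"{GITHUB_OIDC}:sub") or [])
        if not subs:
            findings.append("trust: no sub condition, any GitHub workflow anywhere can assume this role")
        for sub in subs:
            findings.extend(_sub_findings(sub))
    return findings


def audit_permissions(policy):
    """Findings for the role's permission policy document."""
    granted = {}  # dangerous action -> resources it is allowed on
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        patterns = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        for action in ESCALATION_ACTIONS | CFN_DEPLOY_ACTIONS:
            # IAM action matching is case-insensitive and supports '*' wildcards
            if any(fnmatch.fnmatchcase(action, p.lower()) for p in patterns):
                granted.setdefault(action, set()).update(resources)
    findings = []
    escalations = sorted(a for a in granted if a in ESCALATION_ACTIONS)
    for action in escalations:
        scope = "any resource" if "*" in granted[action] else ", ".join(sorted(granted[action]))
        findings.append(f"permissions: {action} allowed on {scope}")
    if escalations and any(a in granted for a in CFN_DEPLOY_ACTIONS):
        findings.append("permissions: CloudFormation deploy plus IAM write: a stack can create an admin role")
    return findings


def audit_role(trust, policy):
    return audit_trust_policy(trust) + audit_permissions(policy)


OIDC_PROVIDER = f"arn:aws:iam::111122223333:oidc-provider/{GITHUB_OIDC}"


def _trust(sub):
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow", "Action": "sts:AssumeRoleWithWebIdentity",
        "Principal": {"Federated": OIDC_PROVIDER},
        "Condition": {"StringEquals": {f"{GITHUB_OIDC}:aud": "sts.amazonaws.com"},
                      "StringLike": {f"{GITHUB_OIDC}:sub": sub}}}]}


# Constructed samples: the over-broad shape described above, then a least-privilege one.
WEAK_TRUST = _trust("repo:example-org/*:*")
WEAK_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "cloudformation:*", "Resource": "*"},
    {"Effect": "Allow", "Action": "iam:*", "Resource": "*"}]}
HARDENED_TRUST = _trust("repo:example-org/app:ref:refs/heads/main")
HARDENED_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow",
     "Action": ["cloudformation:CreateStack", "cloudformation:UpdateStack", "cloudformation:DescribeStacks"],
     "Resource": "arn:aws:cloudformation:us-east-1:111122223333:stack/app-*/*"}]}

if __name__ == "__main__":
    for label, trust, policy in (("weak", WEAK_TRUST, WEAK_POLICY), ("hardened", HARDENED_TRUST, HARDENED_POLICY)):
        print(label, audit_role(trust, policy) or ["no findings"])
```

To run this against real roles, feed it the documents returned by `iam get-role` (the `AssumeRolePolicyDocument`) and `iam get-role-policy` / `iam get-policy-version`. If a deployment stack genuinely has to create IAM resources, the usual least-privilege shape is a separate CloudFormation service role that holds the IAM permissions, with the CI/CD role allowed only `iam:PassRole` on that one service role's ARN; the script will still list that PassRole grant so a reviewer can confirm its scope.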
What happened
The origin of this attack dates back to August 2025, when the nx npm package — a widely used build system and developer tooling framework with millions of weekly downloads — was compromised in an attack known as s1ngularity. During that four-hour window, attackers who had stolen an nx npm publishing token pushed malicious versions of several nx packages to the npm registry. These malicious versions contained a post-install script that silently scanned developer machines for credentials, secrets, SSH keys, and cloud API keys, exfiltrating everything to attacker-controlled repositories. Tens of thousands of files and over two thousand distinct secrets were exposed across the developer community. UNC6426 was sitting on one of those stolen credentials for months before acting. The attack on the victim organization began when an employee ran a code editor using the Nx Console plugin, which triggered an update and executed the malicious payload known as QUIETVAULT. That single action handed UNC6426 a developer's GitHub Personal Access Token.
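The post-install script mechanism described above is what defenders need visibility into: npm runs `preinstall`, `install` and `postinstall` hooks automatically during installation, so any package declaring one executes code on the developer's machine before it is ever imported. The scanner below is an added example, not code from the report or the nx project. It walks an installed `node_modules` tree, lists every package that declares an install-time hook, and separates out the ones not on a reviewed allowlist; the package tree it scans is constructed in a temporary directory (the package names `@scope/native-bindings` and `suspicious-helper` are invented sample data).

```python
"""Inventory the npm packages in an installed tree that declare an install-time
lifecycle script, the hook the malicious nx versions used to run code on the
developer's machine. Added example, not from the report or the nx project; the
sample node_modules tree is constructed in a temporary directory."""
import json
import os
import tempfile

# npm runs these during `npm install`, before the package is ever imported.
INSTALL_HOOKS = ("preinstall", "install", "postinstall")


def _is_package_dir(dirpath):
    """True for node_modules/<name> and node_modules/@scope/<name>."""
    parent_dir = os.path.dirname(dirpath)
    parent = os.path.basename(parent_dir)
    grand = os.path.basename(os.path.dirname(parent_dir))
    return parent == "node_modules" or (parent.startswith("@") and grand == "node_modules")


def find_install_scripts(root):
    """Return sorted (name, version, hook, command) for every package under root."""
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        if "package.json" not in filenames or not _is_package_dir(dirpath):
            continue
        try:
            with open(os.path.join(dirpath, "package.json"), encoding="utf-8") as fh:
                manifest = json.load(fh)
        except (OSError, ValueError):
            continue  # unreadable or malformed manifest: skip rather than crash
        scripts = manifest.get("scripts") or {}
        for hook in INSTALL_HOOKS:
            if hook in scripts:
                hits.append((manifest.get("name", "?"), manifest.get("version", "?"), hook, scripts[hook]))
    return sorted(hits)


def unexpected(hits, allowlist):
    """Drop (name, hook) pairs you have reviewed, e.g. native addons that must compile."""
    return [h for h in hits if (h[0], h[2]) not in allowlist]


def build_sample_tree(base):
    """Write a constructed node_modules tree (sample data, not real packages)."""
    manifests = {
        "node_modules/left-pad": {"name": "left-pad", "version": "1.3.0"},
        "node_modules/@scope/native-bindings": {"name": "@scope/native-bindings", "version": "2.0.1",
                                               "scripts": {"install": "node-gyp rebuild"}},
        "node_modules/suspicious-helper": {"name": "suspicious-helper", "version": "0.0.9",
                                           "scripts": {"postinstall": "node telemetry.js", "test": "jest"}},
    }
    for rel, manifest in manifests.items():
        pkg_dir = os.path.join(base, rel)
        os.makedirs(pkg_dir, exist_ok=True)
        with open(os.path.join(pkg_dir, "package.json"), "w", encoding="utf-8") as fh:
            json.dump(manifest, fh)


def scan_sample(allowlist=frozenset({("@scope/native-bindings", "install")})):
    """Build the sample tree, scan it, and return (all_hits, unexpected_hits)."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        hits = find_install_scripts(tmp)
    return hits, unexpected(hits, allowlist)


if __name__ == "__main__":
    import sys
    for hit in find_install_scripts(sys.argv[1] if len(sys.argv) > 1 else "."):
        print("%s@%s  %s: %s" % hit)
```

Run it against a project directory after `npm ci` to get the inventory, then keep the allowlist in version control so a new or changed install hook shows up as a diff in review. The scan only reports what the manifests declare; a package can also ship a hook by other means, so treat this as one signal alongside lockfile pinning and registry-side checks, not as a complete integrity guarantee.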
Real-World Impact
With the stolen token in hand, UNC6426 moved fast and methodically. Two days after the initial compromise they used an open-source tool designed to extract secrets from CI/CD environments to enumerate the victim's GitHub environment and steal credentials for a GitHub service account. They then used that service account with a specific parameter to generate temporary AWS Security Token Service tokens for the organization's Actions-CloudFormation role. The critical weakness here was that the CloudFormation role was overly permissive. UNC6426 used its permissions to deploy a new AWS CloudFormation stack with one sole purpose — creating a new IAM role and attaching the AdministratorAccess policy directly to it. From a stolen developer token to full AWS administrator access in under 72 hours. From there the destruction was systematic: attackers enumerated and accessed all S3 buckets, terminated production EC2 and RDS instances, decrypted application keys, and in the final stage renamed every internal GitHub repository with the /s1ngularity-repository prefix and made them all public.
Technical Details
🛡️ Prevention Tips
This attack illustrates a problem that organizations consistently underestimate: the gap between when credentials are stolen and when they are used. UNC6426 held that stolen token for months before acting. Standard credential rotation policies with fixed intervals are not enough — you need continuous monitoring for anomalous access patterns. Any time a CI/CD role performs actions outside its normal behavior profile — especially IAM role creation or policy attachment — that should trigger an immediate alert. Implement software composition analysis in your development pipeline to monitor the integrity of npm packages and flag unexpected post-install scripts. For organizations using GitHub Actions, enforce OIDC-based authentication that generates temporary credentials at runtime and eliminates long-lived secrets from your pipelines entirely.
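The alerting called for in the remediation section (new IAM roles, AdministratorAccess attachments, unusual CloudFormation deployments) and the behaviour-profile monitoring described just above can both be driven from CloudTrail. The detector below is an added example, not code from the report: it evaluates CloudTrail-shaped records for the escalation chain the article describes and flags any call by a CI/CD role that is outside a per-role baseline. The records, the role name `Actions-CloudFormation` used as a baseline key, the stack and role names, and the account id `111122223333` are constructed; the baseline itself is assumed and in practice would be derived from the role's own history.

```python
"""Scan CloudTrail records for the escalation chain described above and for
CI/CD roles calling APIs outside their baseline. Added example, not from the
report; records are constructed in CloudTrail's field layout and the
baseline is assumed."""

ADMIN_POLICY_ARN = "arn:aws:iam::aws:policy/AdministratorAccess"
IAM_CAPABILITIES = {"CAPABILITY_IAM", "CAPABILITY_NAMED_IAM"}
CI_ROLE = "Actions-CloudFormation"  # sample role name, mirrors the article

# Assumed baseline: the API calls each CI/CD role normally makes. Derive this
# from several weeks of the role's own CloudTrail history in a real deployment.
BASELINE = {CI_ROLE: {"cloudformation:CreateStack", "cloudformation:UpdateStack",
                      "cloudformation:DescribeStacks", "s3:PutObject"}}


def _role_name(record):
    """Name of the IAM role behind an assumed-role session, else None."""
    ident = record.get("userIdentity", {})
    if ident.get("type") != "AssumedRole":
        return None
    arn = ident.get("sessionContext", {}).get("sessionIssuer", {}).get("arn", "")
    return arn.rsplit("/", 1)[-1] or None


def _api_call(record):
    """'iam.amazonaws.com' + 'CreateRole' -> 'iam:CreateRole'."""
    return f"{record['eventSource'].split('.')[0]}:{record['eventName']}"


def analyse_record(record):
    """Return (severity, message) alerts for one CloudTrail record."""
    alerts = []
    params = record.get("requestParameters") or {}
    call = _api_call(record)
    role = _role_name(record)
    ident = record.get("userIdentity", {})
    who = role or ident.get("arn", "unknown")
    # Resources created by a stack show the caller's role with invokedBy set.
    via = f" via {ident['invokedBy']}" if ident.get("invokedBy") else ""

    if call == "iam:CreateRole":
        alerts.append(("high", f"{who}{via} created IAM role {params.get('roleName')}"))
    if call in ("iam:AttachRolePolicy", "iam:AttachUserPolicy") and params.get("policyArn") == ADMIN_POLICY_ARN:
        target = params.get("roleName") or params.get("userName")
        alerts.append(("critical", f"{who}{via} attached AdministratorAccess to {target}"))
    if call in ("cloudformation:CreateStack", "cloudformation:UpdateStack"):
        caps = sorted(set(params.get("capabilities") or []) & IAM_CAPABILITIES)
        if caps:
            alerts.append(("medium", f"{who} deployed stack {params.get('stackName')} with {caps}; review its IAM resources"))
    if role in BASELINE and call not in BASELINE[role]:
        alerts.append(("high", f"{role} made {call}, which is outside its baseline"))
    return alerts


def analyse_trail(records):
    """Flatten alerts over a list of records, most severe first."""
    order = {"critical": 0, "high": 1, "medium": 2}
    alerts = [a for r in records for a in analyse_record(r)]
    return sorted(alerts, key=lambda a: order[a[0]])


def _record(source, name, params, invoked_by=None):
    """Constructed CloudTrail-shaped record for a session of the CI/CD role."""
    ident = {"type": "AssumedRole",
             "arn": f"arn:aws:sts::111122223333:assumed-role/{CI_ROLE}/GitHubActions",
             "sessionContext": {"sessionIssuer": {"arn": f"arn:aws:iam::111122223333:role/{CI_ROLE}"}}}
    if invoked_by:
        ident["invokedBy"] = invoked_by
    return {"eventSource": f"{source}.amazonaws.com", "eventName": name,
            "userIdentity": ident, "requestParameters": params}


# Constructed sample: a stack deploy, the role and policy the stack creates, then a benign upload.
SAMPLE_RECORDS = [
    _record("cloudformation", "CreateStack", {"stackName": "app-prod", "capabilities": ["CAPABILITY_NAMED_IAM"]}),
    _record("iam", "CreateRole", {"roleName": "cfn-created-admin"}, invoked_by="cloudformation.amazonaws.com"),
    _record("iam", "AttachRolePolicy", {"roleName": "cfn-created-admin", "policyArn": ADMIN_POLICY_ARN},
            invoked_by="cloudformation.amazonaws.com"),
    _record("s3", "PutObject", {"bucketName": "app-artifacts", "key": "build.zip"}),
]

if __name__ == "__main__":
    for severity, message in analyse_trail(SAMPLE_RECORDS):
        print(f"[{severity}] {message}")
```

The baseline check is what closes the gap the paragraph above describes: a stolen token used months later still has to act through a role, and a CloudFormation deploy role calling `iam:CreateRole` or `iam:AttachRolePolicy` is outside anything it did before. Wire `analyse_record` to whatever consumes your CloudTrail stream (an EventBridge rule target, a SIEM ingest hook, or a batch job over the S3 log bucket) and route `critical` alerts to a pager, not a dashboard.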
FAQs
I use nx in my projects. Am I at risk right now?
If you were using nx packages before September 2025 and have not already rotated your credentials, you should treat your GitHub tokens and AWS credentials as potentially compromised. The malicious versions were active for a short window in August 2025 but the stolen credentials can be used at any time afterward — as this attack demonstrates.
What is the nx package and why is it so widely used?
nx is a build system and developer tooling framework used by millions of developers to manage monorepos and streamline large-scale JavaScript and TypeScript projects. Its widespread adoption is what made the supply chain compromise so significant — a single poisoned package can affect thousands of organizations simultaneously.