A recent cybersecurity investigation revealed how a threat actor called UNC6426 managed to compromise a company’s cloud environment in less than 72 hours. The attackers used credentials stolen during the earlier Nx npm supply-chain incident. With those credentials, they were able to enter the organization’s development environment. Researchers say the case shows how fast attackers can move once developer systems are compromised.

The attack began when a GitHub token belonging to a developer was stolen during the Nx package compromise. This token allowed the attacker to access parts of the organization’s development workflow. From there, they took advantage of the GitHub-to-AWS OpenID Connect trust relationship. This connection made it possible to create new cloud permissions inside the company’s AWS account.
The incident is linked to the Nx npm supply-chain breach that happened in August 2025. Nx is a popular build system used in many JavaScript and web development projects. Attackers exploited a weakness in a GitHub Actions workflow used by the project. Through this weakness, they gained access to automation tokens used in the package release process.
After gaining access to these tokens, the attackers published malicious versions of Nx packages on npm. These packages contained a hidden script that executed automatically during installation. The script silently installed a credential-stealing malware called QUIETVAULT. Most developers who installed the package were unaware that any malicious activity was taking place.
QUIETVAULT was designed to collect sensitive data from infected systems. It gathered environment variables, system details, and developer credentials. It also searched for GitHub personal access tokens and other development secrets. The stolen data was then uploaded to a GitHub repository controlled by the attackers.
In the affected organization, a developer unknowingly triggered the malware while using the Nx Console plugin in a code editor. The plugin performed an automatic package update, which executed the malicious script. This allowed the attacker to capture the developer’s GitHub token. With that token, they were able to start exploring the company’s GitHub environment.
The attackers then used an open-source reconnaissance tool called Nord Stream to scan the organization’s CI/CD pipelines. During this process, they discovered credentials belonging to a GitHub service account. Using those credentials, they generated temporary AWS security tokens. Because the cloud role had broad permissions, they quickly escalated their access.
To complete the attack, the threat actor deployed a new AWS stack that created an IAM role with full AdministratorAccess permissions. This gave them full control over the AWS environment in less than three days. They accessed S3 data, terminated EC2 servers, shut down RDS databases, and decrypted sensitive keys. Finally, they renamed and made internal GitHub repositories public, exposing additional information.
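The escalation chain in the paragraphs above (GitHub OIDC trust used to mint temporary AWS credentials, then a stack or policy attachment that grants AdministratorAccess) leaves a recognisable trail in CloudTrail. The following is an added defender's example, not code from the report or from Nx; it uses real CloudTrail field names, but the account id, access keys, stack and role names in the embedded sample records are constructed.

```python
# Hunt CloudTrail for the chain described above: a session minted through the
# GitHub OIDC provider that then creates an admin role, directly or via a stack.
from datetime import datetime, timedelta

GITHUB_OIDC = "token.actions.githubusercontent.com"
ADMIN_POLICY = "arn:aws:iam::aws:policy/AdministratorAccess"
IAM_CAPS = {"CAPABILITY_IAM", "CAPABILITY_NAMED_IAM"}  # let a stack create IAM resources

def _ts(rec):
    return datetime.strptime(rec["eventTime"], "%Y-%m-%dT%H:%M:%SZ")

def _is_escalation(rec):
    """True for calls that grant admin rights or let a stack create IAM resources."""
    p = rec.get("requestParameters") or {}
    if rec["eventName"] in ("AttachRolePolicy", "AttachUserPolicy"):
        return p.get("policyArn") == ADMIN_POLICY
    return rec["eventName"] == "CreateStack" and bool(IAM_CAPS & set(p.get("capabilities", [])))

def find_oidc_escalations(records, window_hours=72):
    """Map each GitHub-OIDC session (its temporary access key) to the escalation
    calls it made within `window_hours` of being minted; other sessions are ignored."""
    minted = {}  # temporary accessKeyId -> time the web-identity session was issued
    for r in records:
        ident = r.get("userIdentity", {})
        if (r["eventName"] == "AssumeRoleWithWebIdentity"
                and GITHUB_OIDC in ident.get("identityProvider", "")):
            minted[r["responseElements"]["credentials"]["accessKeyId"]] = _ts(r)
    hits, window = {}, timedelta(hours=window_hours)
    for r in records:
        key = r.get("userIdentity", {}).get("accessKeyId")
        if key in minted and _is_escalation(r) and _ts(r) - minted[key] <= window:
            hits.setdefault(key, []).append(r["eventName"])
    return hits

# Constructed sample trail (not real data): one GitHub-OIDC session launches a stack
# with IAM capabilities and attaches AdministratorAccess; a long-lived IAM user key
# doing the same is not attributed to the OIDC trust and is left out of the result.
SAMPLE = [
    {"eventTime": "2025-09-01T10:00:00Z", "eventName": "AssumeRoleWithWebIdentity",
     "userIdentity": {"identityProvider": "arn:aws:iam::111122223333:oidc-provider/" + GITHUB_OIDC},
     "responseElements": {"credentials": {"accessKeyId": "ASIAEXAMPLE0000001"}}},
    {"eventTime": "2025-09-01T10:05:00Z", "eventName": "CreateStack",
     "userIdentity": {"type": "AssumedRole", "accessKeyId": "ASIAEXAMPLE0000001"},
     "requestParameters": {"stackName": "deploy", "capabilities": ["CAPABILITY_NAMED_IAM"]}},
    {"eventTime": "2025-09-01T10:06:00Z", "eventName": "AttachRolePolicy",
     "userIdentity": {"type": "AssumedRole", "accessKeyId": "ASIAEXAMPLE0000001"},
     "requestParameters": {"roleName": "deploy-role", "policyArn": ADMIN_POLICY}},
    {"eventTime": "2025-09-01T10:07:00Z", "eventName": "AttachRolePolicy",
     "userIdentity": {"type": "IAMUser", "accessKeyId": "AKIAEXAMPLE0000002"},
     "requestParameters": {"roleName": "other", "policyArn": ADMIN_POLICY}},
]
```

Pair the hit with the `sub` claim recorded on the AssumeRoleWithWebIdentity event to see which repository and workflow the OIDC token came from.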
Stay alert, and keep your security measures updated!
Source: Follow cybersecurity88 on X and LinkedIn for the latest cybersecurity news