A Routine Plugin Update Handed Hackers Full AWS Admin Access
A threat group known as UNC6426 went from a stolen token to total cloud takeover in less than three days. Here’s the full breakdown of how it happened.
What Happened?
It started with a supply chain attack on nx, a monorepo build system that is one of the most widely used npm packages in modern JavaScript development. In August 2025, unknown attackers exploited a misconfigured GitHub Actions workflow in the nx repository to push trojanized versions of the package to the npm registry. Those versions carried a postinstall script that ran automatically on installation and launched a JavaScript credential stealer, tracked as QUIETVAULT.
QUIETVAULT didn’t behave like typical malware. Instead of shipping its own secret-hunting logic, it drove an LLM-powered command-line tool already installed on the developer’s machine, prompting it to hunt for environment variables, system details, and authentication tokens, including GitHub Personal Access Tokens (PATs). Everything it found was pushed to a public GitHub repository named s1ngularity-repository-1, created in the victim’s own GitHub account with the stolen credentials.
The specific victim in this case? An employee opened a code editor with the Nx Console plugin installed. The plugin’s routine update pulled in the trojanized package, the postinstall script ran, and QUIETVAULT did its work. Their GitHub PAT was gone.
What happened next is where it gets worse. UNC6426 used Nord Stream, an open-source tool built for extracting secrets from CI/CD pipelines, to pivot from the stolen token to a GitHub service account. From there, they abused a GitHub-to-AWS OpenID Connect (OIDC) trust relationship: a workflow token from the trusted repository was exchanged for temporary AWS credentials through AssumeRoleWithWebIdentity. The role they landed in was far more permissive than a deploy role needs to be. With it, they created a new AWS CloudFormation stack whose only purpose was to create a fresh IAM role with the AdministratorAccess managed policy attached.
According to Google’s Cloud Threat Horizons Report for H1 2026, the attackers went from stolen token to full AWS admin in under 72 hours.
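A static check of the kind that would have flagged the overly permissive deploy role, as an added example (not code from the article, nx, Nord Stream or AWS). It assumes nothing about the victim's actual policy: the two policy documents in it are constructed, the account ID, bucket and stack ARNs are placeholders, and the list of escalation actions is a starting point rather than AWS's definition. The point it makes is that CloudFormation runs with the caller's permissions unless a stack service role is supplied, so a pipeline role that carries `iam:*` can create an administrator through a template, while one with no IAM writes cannot.

```python
"""Static check for a pipeline role's IAM permissions policy.

Added example, not code from the article, nx, Nord Stream or AWS. The two
policies are constructed; account ID, bucket and stack ARNs are placeholders.
"""
import fnmatch
import json

# Granted to a pipeline, any of these is a path to "mint an administrator".
# Starting point, not an exhaustive AWS list; extend for your environment.
IAM_WRITE_ACTIONS = (
    "iam:CreateRole", "iam:AttachRolePolicy", "iam:PutRolePolicy",
    "iam:CreatePolicyVersion", "iam:SetDefaultPolicyVersion",
    "iam:UpdateAssumeRolePolicy", "iam:AttachUserPolicy", "iam:PutUserPolicy",
    "iam:PassRole",
)
# Stack create/update only becomes dangerous when the same role can also write
# IAM: CloudFormation uses the caller's permissions (absent a stack service
# role), so a template can then declare AWS::IAM::Role resources.
STACK_ACTIONS = ("cloudformation:CreateStack", "cloudformation:UpdateStack")


def _as_list(value):
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _matches(pattern, action):
    # IAM action patterns are case-insensitive and accept * and ? wildcards.
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def _granted(stmt, candidates):
    """Which of `candidates` an Allow statement grants via Action or NotAction."""
    actions = _as_list(stmt.get("Action"))
    not_actions = _as_list(stmt.get("NotAction"))
    granted = []
    for cand in candidates:
        if any(_matches(p, cand) for p in actions):
            granted.append(cand)
        elif not_actions and not any(_matches(p, cand) for p in not_actions):
            granted.append(cand)  # NotAction allows everything it does not list
    return granted


def find_escalation_paths(policy):
    """Return sorted (sid, action, resource) triples: every IAM write the policy
    grants, plus stack create/update if at least one IAM write is granted."""
    allows = [(i, s) for i, s in enumerate(_as_list(policy.get("Statement")))
              if s.get("Effect") == "Allow"]
    findings = []
    for i, s in allows:
        sid = s.get("Sid", f"Statement{i}")
        resource = ",".join(_as_list(s.get("Resource")) or ["*"])
        for action in _granted(s, IAM_WRITE_ACTIONS):
            findings.append((sid, action, resource))
    if findings:
        for i, s in allows:
            sid = s.get("Sid", f"Statement{i}")
            resource = ",".join(_as_list(s.get("Resource")) or ["*"])
            for action in _granted(s, STACK_ACTIONS):
                findings.append((sid, action, resource))
    return sorted(findings)


def is_least_privilege_pipeline_role(policy):
    """True when the role can neither write IAM nor push IAM resources via a stack."""
    return not find_escalation_paths(policy)


# Constructed: the shape of "deploy" policy that lets a pipeline create admins.
OVERLY_PERMISSIVE_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{"Sid": "Deploy", "Effect": "Allow",
                 "Action": ["s3:*", "cloudformation:*", "iam:*", "ec2:*"],
                 "Resource": "*"}]
}""")

# Constructed: the same deployment, scoped. No iam:* at all, so a template
# cannot create roles; IAM changes go through a separate, reviewed path.
LEAST_PRIVILEGE_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "Artifacts", "Effect": "Allow",
     "Action": ["s3:GetObject", "s3:PutObject", "s3:ListBucket"],
     "Resource": ["arn:aws:s3:::example-app-artifacts",
                  "arn:aws:s3:::example-app-artifacts/*"]},
    {"Sid": "Stack", "Effect": "Allow",
     "Action": ["cloudformation:CreateStack", "cloudformation:UpdateStack",
                "cloudformation:DescribeStacks"],
     "Resource": "arn:aws:cloudformation:us-east-1:123456789012:stack/app-prod/*"}
  ]
}""")

if __name__ == "__main__":
    for name, pol in (("overly permissive", OVERLY_PERMISSIVE_POLICY),
                      ("least privilege", LEAST_PRIVILEGE_POLICY)):
        print(name, "->", find_escalation_paths(pol) or "no escalation paths")
```

Run it over the JSON of every role your OIDC provider is trusted to assume (`aws iam get-role-policy` / `get-policy-version` output). Deny statements and permissions boundaries are deliberately not modelled, so a finding means "review this", not "exploitable"; an empty result, however, does mean the role cannot reproduce the CloudFormation-to-admin step on its own.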
What’s the Impact?
The damage wasn’t subtle. UNC6426 combed through the victim’s S3 buckets, pulled data, then terminated production EC2 and RDS instances. Application keys were decrypted. And in a final move that reads more like a message than a cleanup, every internal GitHub repository was renamed to s1ngularity-repository-[randomcharacters] and flipped from private to public.
This incident also highlights a pattern security researchers are now calling AI-assisted supply chain abuse. QUIETVAULT didn’t need to bring its own secret-hunting code or hardcode what to look for. It issued natural-language prompts to an AI coding tool the developer had already installed. That’s what lets it slip past signature-based detection: the suspicious activity is a trusted developer tool doing the kind of file reading it does every day.
How to Avoid This
A few things would have stopped or slowed this attack at multiple stages:
Use a package manager or sandbox that blocks postinstall scripts from running without explicit approval (npm and yarn honour ignore-scripts=true in .npmrc; pnpm 10 skips dependency lifecycle scripts unless they are allowlisted). The nx attack depended entirely on that script executing automatically.
Apply the principle of least privilege to every CI/CD service account and every OIDC-linked role. The AWS role that GitHub Actions could assume had no business being able to create IAM roles or attach policies to them; a deploy role needs the permissions of the things it deploys, not iam:*.
Set short expiration windows on Personal Access Tokens and scope them tightly to specific repositories and permissions (GitHub’s fine-grained PATs support both). A long-lived, broad-scoped classic PAT is a skeleton key.
Remove standing privileges for high-risk actions entirely. Creating administrator roles shouldn’t be something a pipeline role can do by default; gate it behind a separate, human-approved path, for example a service control policy that denies iam:CreateRole and iam:AttachRolePolicy to everything but a break-glass role.
Monitor IAM activity in CloudTrail for anomalous behavior, especially new role creation, policy attachments (AdministratorAccess above all) and CloudFormation stacks created with IAM capabilities that weren’t part of a change ticket.
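The monitoring in the last item, as an added example run over constructed CloudTrail-style records that mirror the chain above (OIDC assume-role, CreateStack with IAM capabilities, CreateRole, AttachRolePolicy with AdministratorAccess). This is not code from the article or from any product; the account ID, role names, session ARNs, timestamps and the change-ticket allowlist are all invented. It relies on CloudTrail populating sessionContext.webIdFederationData for roles assumed via web identity, which is how a CI session is told apart from a human SSO session here.

```python
"""Detection over CloudTrail-style records for the chain in the article.

Added example, not code from the article or any vendor product. The records
are constructed: account ID, role names, session ARNs, timestamps and the
change-ticket allowlist are placeholders.
"""
from datetime import datetime

ACCOUNT = "123456789012"
DEPLOY_ROLE = f"arn:aws:iam::{ACCOUNT}:role/github-deploy"
ADMIN_POLICY_ARN = "arn:aws:iam::aws:policy/AdministratorAccess"
IAM_CAPABILITIES = {"CAPABILITY_IAM", "CAPABILITY_NAMED_IAM"}
IAM_WRITES = {"CreateRole", "AttachRolePolicy", "PutRolePolicy",
              "CreatePolicyVersion", "UpdateAssumeRolePolicy",
              "CreateUser", "CreateAccessKey"}
# Hypothetical change-ticket allowlist: role names whose creation was approved.
APPROVED_ROLE_CREATIONS = {"lambda-exec-reports": "CHG-4821"}

# A session minted via AssumeRoleWithWebIdentity carries webIdFederationData
# in CloudTrail's sessionContext; a human SSO session does not.
CI_SESSION = {
    "type": "AssumedRole",
    "arn": f"arn:aws:sts::{ACCOUNT}:assumed-role/github-deploy/GitHubActions",
    "sessionContext": {
        "sessionIssuer": {"type": "Role", "arn": DEPLOY_ROLE, "userName": "github-deploy"},
        "webIdFederationData": {"federatedProvider":
            f"arn:aws:iam::{ACCOUNT}:oidc-provider/token.actions.githubusercontent.com"}},
}
HUMAN_SESSION = {
    "type": "AssumedRole",
    "arn": f"arn:aws:sts::{ACCOUNT}:assumed-role/AWSReservedSSO_Admin_0123/alice",
    "sessionContext": {"sessionIssuer": {"type": "Role", "userName": "AWSReservedSSO_Admin_0123"}},
}


def _ev(time, source, name, identity, params, invoked_by=None):
    """Build a minimal CloudTrail record; invokedBy marks calls a service
    (here CloudFormation) made on the principal's behalf."""
    ident = dict(identity, invokedBy=invoked_by) if invoked_by else identity
    return {"eventTime": time, "eventSource": source, "eventName": name,
            "userIdentity": ident, "requestParameters": params}


# Constructed records mirroring the incident timeline, plus benign noise.
EVENTS = [
    _ev("2025-08-27T10:02:11Z", "sts.amazonaws.com", "AssumeRoleWithWebIdentity",
        {"type": "WebIdentityUser", "identityProvider": "token.actions.githubusercontent.com",
         "userName": "repo:example-org/app:ref:refs/heads/main"},
        {"roleArn": DEPLOY_ROLE, "roleSessionName": "GitHubActions"}),
    _ev("2025-08-27T10:05:30Z", "s3.amazonaws.com", "PutObject", CI_SESSION,
        {"bucketName": "example-app-artifacts", "key": "build/app.zip"}),
    _ev("2025-08-27T10:08:02Z", "cloudformation.amazonaws.com", "CreateStack", CI_SESSION,
        {"stackName": "maint-stack", "capabilities": ["CAPABILITY_NAMED_IAM"]}),
    _ev("2025-08-27T10:09:15Z", "iam.amazonaws.com", "CreateRole", CI_SESSION,
        {"roleName": "maint-role"}, invoked_by="cloudformation.amazonaws.com"),
    _ev("2025-08-27T10:09:40Z", "iam.amazonaws.com", "AttachRolePolicy", CI_SESSION,
        {"roleName": "maint-role", "policyArn": ADMIN_POLICY_ARN},
        invoked_by="cloudformation.amazonaws.com"),
    _ev("2025-08-27T14:30:00Z", "iam.amazonaws.com", "CreateRole", HUMAN_SESSION,
        {"roleName": "lambda-exec-reports"}),
]


def is_ci_session(identity):
    return "webIdFederationData" in identity.get("sessionContext", {})


def detect(events, approved=APPROVED_ROLE_CREATIONS):
    """Return one alert dict per (rule, event) match, in event order."""
    alerts = []

    def add(rule, severity, ev):
        ident = ev["userIdentity"]
        alerts.append({"rule": rule, "severity": severity, "eventName": ev["eventName"],
                       "actor": ident.get("arn", ident.get("userName"))})

    for ev in events:
        name, src = ev["eventName"], ev["eventSource"]
        params = ev.get("requestParameters") or {}
        ci = is_ci_session(ev["userIdentity"])
        if src == "cloudformation.amazonaws.com" and name in ("CreateStack", "UpdateStack"):
            if IAM_CAPABILITIES & set(params.get("capabilities", [])):
                add("stack_with_iam_capability", "high" if ci else "medium", ev)
        if src == "iam.amazonaws.com" and name in IAM_WRITES:
            if name == "AttachRolePolicy" and params.get("policyArn") == ADMIN_POLICY_ARN:
                add("admin_policy_attached", "critical", ev)
            if ci:  # pipeline sessions should never write IAM, service-invoked or not
                add("iam_write_from_ci_session", "high", ev)
            if name == "CreateRole" and params.get("roleName") not in approved:
                add("iam_write_without_change_ticket", "medium", ev)
    return alerts


def _ts(ev):
    return datetime.fromisoformat(ev["eventTime"].replace("Z", "+00:00"))


def seconds_from_token_to_admin(events):
    """Elapsed seconds from the first web-identity credential exchange to the
    first AdministratorAccess attachment, or None if either is absent."""
    starts = [_ts(e) for e in events if e["eventName"] == "AssumeRoleWithWebIdentity"]
    admins = [_ts(e) for e in events if e["eventName"] == "AttachRolePolicy"
              and (e.get("requestParameters") or {}).get("policyArn") == ADMIN_POLICY_ARN]
    if not starts or not admins:
        return None
    return int((min(admins) - min(starts)).total_seconds())


if __name__ == "__main__":
    for a in detect(EVENTS):
        print(a["severity"].upper(), a["rule"], a["eventName"], a["actor"])
    print("token-to-admin seconds:", seconds_from_token_to_admin(EVENTS))
```

The "iam_write_from_ci_session" rule is the one with the best signal-to-noise: it fires on the CloudFormation-invoked CreateRole and AttachRolePolicy even though a human might dismiss those as "just the stack doing its thing", because the session behind them came from a GitHub OIDC token. The change-ticket rule is the noisiest and is only as good as the allowlist you feed it; wire it to your CMDB rather than a literal dict as here.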
The nx incident is a useful reminder: the weakest point in your cloud security isn’t always a misconfigured firewall. Sometimes it’s an npm update that runs while someone grabs a coffee.