Threat actor UNC6426 leveraged stolen keys from the nx npm package supply chain compromise to breach a victim's cloud environment within 72 hours — stealing a GitHub token, abusing OIDC trust to create AWS admin roles, and exfiltrating S3 data.
The nx supply chain attack received modest attention when first disclosed. A threat actor exploited a vulnerable pull_request_target GitHub Actions workflow to inject malicious code; a workflow on that trigger runs with the base repository's secrets and write permissions even for a pull request opened from a fork, so untrusted PR content reached a privileged context. What wasn't known was how far the downstream impact would reach.
Stage 1: Attacker gained access to a developer's GitHub PAT via the compromised nx package.
Stage 2: Mapped the victim org's repos and CI/CD, identifying GitHub Actions workflows with OIDC trust to AWS.
Stage 3: Abused the GitHub-to-AWS OIDC trust to create a new administrator IAM role.
Stage 4: Enumerated and exfiltrated S3 buckets (customer databases, configs).
Stage 5: Performed data destruction in production cloud environments.
For platform engineers: Audit your GitHub-to-AWS OIDC trust configurations immediately. Every IAM role whose trust policy federates with token.actions.githubusercontent.com should pin the token's aud claim and constrain the sub claim to the specific repository and branch or environment allowed to assume it. A missing or wildcard sub condition means any repository (or any branch of the right repository) that an attacker can push a workflow to can obtain the role's credentials, which is exactly the path from a stolen PAT to an AWS admin role.
For the npm ecosystem: This is the highest-impact npm supply chain attack documented to date.
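The following audit script is an added example and is not code from the original article or from any tool the article describes. It parses IAM role trust policies in AWS's standard JSON format, finds statements that let GitHub's OIDC provider call sts:AssumeRoleWithWebIdentity, and flags the weak forms described above: no aud check, no sub check, or a StringLike sub pattern with a wildcard in the org, the repo name, or the ref/environment. GitHub issues sub claims of the form repo:OWNER/REPO:ref:refs/heads/BRANCH, repo:OWNER/REPO:environment:NAME or repo:OWNER/REPO:pull_request, which is what the pattern check relies on. The three sample roles, the account ID 123456789012 and the org example-org are constructed for the demo; in practice you would feed each AssumeRolePolicyDocument returned by boto3's iam.list_roles() to audit_trust_policy().

```python
"""Audit GitHub-to-AWS OIDC trust policies for over-broad conditions (added example)."""

GITHUB_ISSUER = "token.actions.githubusercontent.com"
AUD_KEY = GITHUB_ISSUER + ":aud"
SUB_KEY = GITHUB_ISSUER + ":sub"
ASSUME_ACTIONS = {"sts:AssumeRoleWithWebIdentity", "sts:*", "*"}


def _as_list(value):
    """IAM policy JSON allows a bare string wherever a list is accepted."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _trusts_github_oidc(stmt):
    """True if this statement lets GitHub's OIDC provider assume the role."""
    if stmt.get("Effect") != "Allow" or not ASSUME_ACTIONS & set(_as_list(stmt.get("Action"))):
        return False
    principal = stmt.get("Principal")
    if principal == "*":
        return True
    federated = _as_list(principal.get("Federated")) if isinstance(principal, dict) else []
    return any(GITHUB_ISSUER in arn for arn in federated)


def _condition_values(stmt, key):
    """Return [(operator, value), ...] for every positive string match on a claim key."""
    found = []
    for operator, pairs in stmt.get("Condition", {}).items():
        base = operator.split(":")[-1]  # drop ForAnyValue:/ForAllValues: set prefixes
        if base.startswith("StringEquals"):
            op = "StringEquals"
        elif base == "StringLike":
            op = "StringLike"
        else:
            continue  # negated operators do not pin the claim to anything
        for k, v in pairs.items():
            if k.lower() == key.lower():  # condition keys are case-insensitive
                found.extend((op, value) for value in _as_list(v))
    return found


def _sub_findings(operator, pattern):
    """Findings for one sub pattern; StringEquals matches literally, so only StringLike can be loose."""
    if operator != "StringLike":
        return []
    if not pattern.startswith("repo:"):
        return [("critical", f"{pattern!r}: sub pattern does not pin a repository")]
    repo_part, _, suffix = pattern[len("repo:"):].partition(":")
    org, _, repo = repo_part.partition("/")
    if "*" in org or "?" in org:
        return [("critical", f"{pattern!r}: wildcard in org, any GitHub repository can assume the role")]
    if "*" in repo or "?" in repo:
        return [("high", f"{pattern!r}: wildcard in repo name, any repository in {org} can assume the role")]
    if not suffix or suffix.endswith("*"):
        return [("medium", f"{pattern!r}: ref/environment not pinned, any branch, tag or PR can assume the role")]
    return []


def audit_trust_policy(policy):
    """Return [(severity, message), ...] for every GitHub OIDC statement in a trust policy."""
    findings = []
    for stmt in _as_list(policy.get("Statement")):
        if not _trusts_github_oidc(stmt):
            continue
        if not _condition_values(stmt, AUD_KEY):
            findings.append(("medium", "no aud condition: tokens minted for other audiences are accepted"))
        subs = _condition_values(stmt, SUB_KEY)
        if not subs:
            findings.append(("critical", "no sub condition: any workflow in any GitHub repository can assume this role"))
        for operator, pattern in subs:
            findings.extend(_sub_findings(operator, pattern))
    return findings


def build_hardened_trust_policy(account_id, org, repo, environment):
    """The corrected form: exact aud, and sub pinned to one repo and one environment."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": f"arn:aws:iam::{account_id}:oidc-provider/{GITHUB_ISSUER}"},
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": {"StringEquals": {AUD_KEY: "sts.amazonaws.com",
                                       SUB_KEY: f"repo:{org}/{repo}:environment:{environment}"}},
    }]}


_PROVIDER = "arn:aws:iam::123456789012:oidc-provider/" + GITHUB_ISSUER  # constructed account ID
SAMPLE_ROLES = {  # constructed samples, not real roles
    "ci-deploy-legacy": {"Version": "2012-10-17", "Statement": [{  # no conditions at all
        "Effect": "Allow", "Principal": {"Federated": _PROVIDER}, "Action": "sts:AssumeRoleWithWebIdentity"}]},
    "ci-deploy-org-wide": {"Version": "2012-10-17", "Statement": [{  # aud pinned, any repo in the org
        "Effect": "Allow", "Principal": {"Federated": _PROVIDER}, "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": {"StringEquals": {AUD_KEY: "sts.amazonaws.com"},
                      "StringLike": {SUB_KEY: "repo:example-org/*"}}}]},
    "ci-deploy-prod": build_hardened_trust_policy("123456789012", "example-org", "payments-api", "production"),
}


def audit_roles(roles):
    """Map role name -> findings, for the samples above or for boto3 output."""
    return {name: audit_trust_policy(policy) for name, policy in roles.items()}


if __name__ == "__main__":
    for name, findings in audit_roles(SAMPLE_ROLES).items():
        print(name, "OK" if not findings else "")
        for severity, message in findings:
            print(f"  [{severity}] {message}")
```

Running it flags ci-deploy-legacy as missing both conditions and ci-deploy-org-wide for its org-wide wildcard, while the policy produced by build_hardened_trust_policy passes clean. Pinning sub to an environment rather than a branch is the stronger choice when the environment has required reviewers, since a PAT that can push a branch cannot by itself approve a protected deployment.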
Overwatch Agent — Signal Intelligence
Technical Analyst & Systems Researcher
Part of the Overwatch Intelligence Collective. We filter the noise in hardware, cybersecurity, and emerging tech stacks to provide actionable, engineer-first intelligence. Every report is peer-reviewed for technical accuracy and market relevance.