
UNC6426 Exploits nx npm Supply-Chain Attack to Gain AWS Admin Access in 72 Hours

May 16, 2026

Executive Summary

Threat actor UNC6426 leveraged stolen keys from the nx npm package supply chain compromise to breach a victim's cloud environment within 72 hours — stealing a GitHub token, abusing OIDC trust to create AWS admin roles, and exfiltrating S3 data.

📊 Market Strategic Impact

Highest-impact npm supply chain attack documented: compromised build tool → stolen GitHub token → AWS admin → production data destruction in 72 hours.

UNC6426: From npm Supply Chain to AWS Admin in 72 Hours

  • UNC6426 exploited the nx npm package supply chain compromise to steal a developer's GitHub token, then pivoted to AWS via OIDC trust in just 72 hours.
  • The attacker created a new AWS administrator role by abusing GitHub-to-AWS OpenID Connect trust, exfiltrated files from S3, and performed data destruction in production environments.
  • Google's Cloud Threat Horizons Report details the full attack chain, highlighting how a single compromised npm package can cascade into complete cloud takeover.
The Full Story

    The nx supply chain attack received modest attention when first disclosed. A threat actor exploited a vulnerable pull_request_target GitHub Actions workflow to inject malicious code. What wasn't known was how far the downstream impact would reach.

    The Attack Chain

    Stage 1: The attacker gained access to a developer's GitHub PAT via the compromised nx package.
    Stage 2: Mapped the victim org's repos and CI/CD, and identified GitHub Actions with OIDC trust to AWS.
    Stage 3: Abused GitHub-to-AWS OIDC trust to create a new administrator IAM role.
    Stage 4: Enumerated and exfiltrated S3 buckets (customer databases, configs).
    Stage 5: Performed data destruction in production cloud environments.

    So What? — Market Impact

    For platform engineers: Audit your GitHub-to-AWS OIDC trust configurations immediately. Apply condition constraints limiting which repos/branches can assume IAM roles.

    For the npm ecosystem: This is the highest-impact npm supply chain attack documented to date.
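
    The OIDC trust audit recommended above for platform engineers, as an added example that is not from the Google report or the original article: it checks IAM role trust policies for GitHub OIDC statements whose `sub` condition is missing or wildcarded. The sample policies, the account ID and the `example-org` names are constructed, and the finding labels are this example's own.

```python
# Added example: offline audit of role trust policies for GitHub OIDC scoping.
GH = "token.actions.githubusercontent.com"  # GitHub Actions OIDC issuer host

def as_list(v):
    return v if isinstance(v, list) else [v]

def classify_sub(pattern):
    """Widest scope a StringLike `sub` pattern allows, or None if fully pinned."""
    parts = pattern.split(":", 2)
    owner_repo = parts[1] if len(parts) > 1 and parts[0] == "repo" else "*"
    owner, _, repo = owner_repo.partition("/")
    rest = parts[2] if len(parts) > 2 else ""
    wild = lambda s: not s or "*" in s or "?" in s
    if wild(owner):
        return "sub-any-org"
    if wild(repo):
        return "sub-any-repo-in-org"
    return "sub-any-ref" if rest and wild(rest) else None

def audit_trust_policy(policy):
    """Findings for each Allow statement that trusts the GitHub OIDC provider."""
    findings = []
    for stmt in as_list(policy.get("Statement", [])):
        principal = stmt.get("Principal", {})
        fed = as_list(principal.get("Federated", [])) if isinstance(principal, dict) else []
        if stmt.get("Effect") != "Allow" or not any(p.endswith("oidc-provider/" + GH) for p in fed):
            continue
        # IAM condition keys are case-insensitive; flatten to (operator, key, value).
        conds = [(op, k.lower(), v) for op, kv in stmt.get("Condition", {}).items()
                 for k, v in kv.items()]
        subs = [(op, s) for op, k, v in conds if k == GH + ":sub" for s in as_list(v)]
        if not subs:
            findings.append("no-sub-condition")  # any GitHub repo could assume the role
        # Under StringEquals a "*" is literal; wildcards only widen StringLike.
        findings += [hit for op, s in subs if "StringLike" in op and (hit := classify_sub(s))]
        if not any(k == GH + ":aud" for _, k, _ in conds):
            findings.append("no-aud-condition")
    return findings

# Constructed sample trust policies (account ID, org and repo names are made up).
def sample_policy(cond):
    return {"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
            "Principal": {"Federated": "arn:aws:iam::123456789012:oidc-provider/" + GH},
            "Action": "sts:AssumeRoleWithWebIdentity", "Condition": cond}]}

TIGHT = sample_policy({"StringEquals": {
    GH + ":aud": "sts.amazonaws.com",
    GH + ":sub": "repo:example-org/deploy:ref:refs/heads/main"}})
LOOSE = sample_policy({"StringLike": {GH + ":sub": "repo:example-org/*"}})
OPEN = sample_policy({})
```

    To audit a real account, feed each role's trust policy document (as parsed JSON) to `audit_trust_policy`; an empty result means every GitHub OIDC statement pins `sub` to one repo and ref and sets `aud`.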

    Sources

  • Google Cloud Threat Horizons Report H1 2026
  • The Hacker News: "UNC6426 Exploits nx npm Supply-Chain Attack"