UNC6426 Hackers Exploit NPM Package to Gain AWS Admin Access in 72 Hours


UNC6426 hackers turned a routine NPM update into a direct path to full AWS administrator access in under 72 hours, highlighting how fragile CI/CD-to-cloud trust can become when roles are overly permissive.​

When a developer at the victim organization updated or installed the affected package via a code editor plugin, the postinstall script silently executed on their workstation.

QUIETVAULT scanned the system for environment variables, configuration files, and especially GitHub Personal Access Tokens (PATs), then exfiltrated the stolen data to a public GitHub repository controlled by the attackers.

This meant that a routine developer action, updating a trusted package, immediately exposed high-value credentials without any direct interaction with the cloud environment.
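As an added example (not code from the article, from Nx, or from any tooling the article names), the check below audits a node_modules tree for install-time lifecycle scripts, which is where a postinstall payload like the one described above runs, and reads an .npmrc to confirm whether lifecycle scripts are disabled on the workstation. The package manifests and the heuristic patterns are constructed for the demo.

```python
"""Audit install-time lifecycle scripts in an npm dependency tree.

Added example for the article above; the manifests built by
build_demo_tree() are constructed samples, not real packages."""
import json
import os
import re
import tempfile

# Hooks npm executes automatically during `npm install`
LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare")

# Heuristic patterns that deserve a human look (constructed for this example)
SUSPICIOUS = [
    (re.compile(r"\bcurl\b|\bwget\b"), "downloads content at install time"),
    (re.compile(r"node\s+-e\b"), "runs inline JavaScript"),
    (re.compile(r"\b(?:bash|sh)\s+-c\b"), "spawns a shell"),
    (re.compile(r"\.(?:ssh|aws|npmrc)\b|GITHUB_TOKEN|GH_TOKEN"),
     "references credential locations"),
]


def find_manifests(root):
    """Yield every package.json under root (node_modules layout as npm writes it)."""
    for dirpath, _, files in os.walk(root):
        if "package.json" in files:
            yield os.path.join(dirpath, "package.json")


def audit_manifest(path):
    """Return one finding per lifecycle hook declared in a package.json."""
    findings = []
    with open(path) as fh:
        try:
            data = json.load(fh)
        except ValueError:
            return findings  # unreadable manifest; report nothing rather than crash
    scripts = data.get("scripts") or {}
    for hook in LIFECYCLE_HOOKS:
        cmd = scripts.get(hook)
        if not cmd:
            continue
        reasons = [why for pat, why in SUSPICIOUS if pat.search(cmd)]
        findings.append({"package": data.get("name", "?"), "hook": hook,
                         "command": cmd, "reasons": reasons})
    return findings


def audit_tree(root):
    return [f for p in find_manifests(root) for f in audit_manifest(p)]


def ignore_scripts_enabled(npmrc_text):
    """True when .npmrc sets ignore-scripts=true (what
    `npm config set ignore-scripts true` writes), which stops every
    lifecycle hook from running on that machine."""
    for line in npmrc_text.splitlines():
        key, _, value = line.partition("=")
        if key.strip() == "ignore-scripts":
            return value.strip().lower() == "true"
    return False


def build_demo_tree():
    """Constructed sample tree: one benign package, one with a postinstall hook."""
    root = tempfile.mkdtemp()
    benign = os.path.join(root, "node_modules", "left-ok")
    shady = os.path.join(root, "node_modules", "demo-evil")
    os.makedirs(benign)
    os.makedirs(shady)
    with open(os.path.join(benign, "package.json"), "w") as fh:
        json.dump({"name": "left-ok", "scripts": {"test": "node test.js"}}, fh)
    with open(os.path.join(shady, "package.json"), "w") as fh:
        json.dump({"name": "demo-evil",
                   "scripts": {"postinstall": 'node -e "console.log(process.env.GH_TOKEN)"'}}, fh)
    return root


if __name__ == "__main__":
    for finding in audit_tree(build_demo_tree()):
        print(finding)
```

Run it against a real checkout by replacing build_demo_tree() with the project root; anything with a lifecycle hook and a non-empty reasons list is worth reading before the next install.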

Within the same day, the unknown initial operators used the stolen PAT to make unauthorized requests into the victim’s GitHub organization, establishing a foothold in the software supply chain layer rather than the cloud perimeter itself.

According to incident response findings, the attack began when an upstream compromise injected malicious code, dubbed QUIETVAULT, into the popular Nx NPM framework.

The case also shows early use of local large language model tooling by the malware to speed up file discovery, essentially turning the developer’s own AI-enabled environment into a credential-harvesting assistant.​

From GitHub to AWS in three days

Two days after the first compromise, the intrusion was taken over by a financially motivated cluster tracked as UNC6426, which focused on CI/CD identities.

Threat actors exploited third-party software-based entry (44.5%) more frequently than weak credentials, a significant increase from the 2.9% observed in H1 2025.

H2 2025 distribution of initial access vectors exploited (Source : Google Cloud).

On day three, the attackers abused the legitimate OpenID Connect (OIDC) trust between GitHub Actions and AWS, using NORDSTREAM’s “--aws-role” capability to mint temporary AWS Security Token Service (STS) credentials for a role named Github-Actions-CloudFormation.

This move did not require any static AWS keys; it relied entirely on the existing identity federation that was intended to enable passwordless deployments.​
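The following is an added example, not code from the article, Google Cloud or any project it names. It audits the two policies that decide how far an OIDC-federated CI role can be abused: the role's trust policy (does it pin the GitHub token's `sub` claim, or can any repository assume the role?) and its permission policy (can it create or widen IAM identities without a permissions boundary?). The account id, repository and role names are placeholders.

```python
"""Audit a GitHub Actions OIDC trust policy and the role's permissions.

Added example; the policies below are constructed samples with
placeholder account id 111122223333."""
import json

GITHUB_OIDC = "token.actions.githubusercontent.com"
# IAM actions that let a caller mint or widen another identity's permissions
IAM_ESCALATION = {
    "iam:*", "iam:CreateRole", "iam:AttachRolePolicy", "iam:PutRolePolicy",
    "iam:CreatePolicyVersion", "iam:UpdateAssumeRolePolicy", "iam:PassRole",
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def audit_github_oidc_trust(trust_policy):
    """Findings for Allow statements that let the GitHub OIDC provider
    assume the role without pinning the token's aud and sub claims."""
    findings = []
    for idx, stmt in enumerate(trust_policy.get("Statement", [])):
        principals = _as_list(stmt.get("Principal", {}).get("Federated", []))
        if stmt.get("Effect") != "Allow" or not any(GITHUB_OIDC in p for p in principals):
            continue
        cond = stmt.get("Condition", {})
        if cond.get("StringEquals", {}).get(f"{GITHUB_OIDC}:aud") != "sts.amazonaws.com":
            findings.append((idx, "aud claim not pinned to sts.amazonaws.com"))
        subs = []
        for op in ("StringEquals", "StringLike"):
            subs += _as_list(cond.get(op, {}).get(f"{GITHUB_OIDC}:sub", []))
        if not subs:
            # Without a sub condition any repository on github.com can assume the role.
            findings.append((idx, "no sub condition: any GitHub repository can assume this role"))
            continue
        for sub in subs:
            if sub == "*" or sub.startswith("repo:*"):
                findings.append((idx, f"sub '{sub}' is not pinned to a repository"))
            elif sub.endswith(":*"):
                findings.append((idx, f"sub '{sub}' allows any branch, tag, environment or pull request"))
    return findings


def audit_iam_escalation(permission_policy):
    """Findings for Allow statements granting IAM escalation actions with no
    iam:PermissionsBoundary condition to cap what a new identity can do."""
    findings = []
    for idx, stmt in enumerate(permission_policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = set(_as_list(stmt.get("Action", [])))
        risky = (actions & IAM_ESCALATION) | (actions & {"*"})
        if risky and "iam:PermissionsBoundary" not in json.dumps(stmt.get("Condition", {})):
            findings.append((idx, sorted(risky)))
    return findings


PROVIDER_ARN = f"arn:aws:iam::111122223333:oidc-provider/{GITHUB_OIDC}"  # placeholder account

# Weak trust policy: aud pinned, but no sub condition (constructed sample)
WEAK_TRUST = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": PROVIDER_ARN},
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": {"StringEquals": {f"{GITHUB_OIDC}:aud": "sts.amazonaws.com"}},
    }],
}

# Hardened variant: sub pinned to one repository and one protected environment
HARDENED_TRUST = json.loads(json.dumps(WEAK_TRUST))
HARDENED_TRUST["Statement"][0]["Condition"]["StringEquals"][f"{GITHUB_OIDC}:sub"] = (
    "repo:example-org/deploy:environment:production"
)

# Permission policy shaped like an over-privileged CI deployment role (constructed)
BROAD_PERMISSIONS = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["cloudformation:*", "s3:GetObject"], "Resource": "*"},
        {"Effect": "Allow", "Action": "iam:*", "Resource": "*"},
    ],
}

if __name__ == "__main__":
    print(audit_github_oidc_trust(WEAK_TRUST))
    print(audit_github_oidc_trust(HARDENED_TRUST))
    print(audit_iam_escalation(BROAD_PERMISSIONS))
```

Pinning `sub` to a repository is necessary but, in an intrusion like this one where the attacker already holds a token for the organization and can push workflows, not sufficient on its own: pin it to a protected environment or branch whose workflow changes need review, and keep the role itself unable to create or attach IAM policies without a permissions boundary.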

UNC6426 used a tool called NORDSTREAM to enumerate secrets and deploy malicious pipelines within GitHub, extracting credentials for a GitHub service account tied into the organization’s CI/CD workflows.

Critically, the Github-Actions-CloudFormation role was far too powerful for a CI/CD identity. UNC6426 used it to deploy a new CloudFormation stack with capabilities that allowed creation and modification of IAM entities, then created a new IAM role and attached the AWS managed AdministratorAccess policy.

In less than 72 hours from the first NPM-triggered execution, the attackers had escalated from a single stolen GitHub token to a standing AWS administrator role in the victim’s production environment.​
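As an added example (not from the article or Google Cloud), the detection below runs over CloudTrail-style records and looks for the escalation chain described above: a session minted through AssumeRoleWithWebIdentity that deploys a CloudFormation stack with IAM capabilities and ends with AdministratorAccess attached to a role. The records are constructed; the account id and access key ids are placeholders, and the role name is the one the article reports.

```python
"""Detect OIDC-minted CI sessions that end in AdministratorAccess.

Added example; SAMPLE_EVENTS below are constructed CloudTrail-style
records with placeholder ids."""
from datetime import datetime, timedelta

ADMIN_POLICY = "arn:aws:iam::aws:policy/AdministratorAccess"
IAM_CAPABILITIES = {"CAPABILITY_IAM", "CAPABILITY_NAMED_IAM"}
WINDOW = timedelta(hours=6)  # tune to the role's maximum session duration


def _ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def detect_ci_to_admin(events):
    """One alert per web-identity session that attached AdministratorAccess."""
    sessions = {}
    # Pass 1: each AssumeRoleWithWebIdentity call returns temporary credentials;
    # the accessKeyId in responseElements is how later calls are attributed.
    for ev in events:
        if ev["eventName"] == "AssumeRoleWithWebIdentity":
            key = ev["responseElements"]["credentials"]["accessKeyId"]
            sessions[key] = {
                "start": _ts(ev["eventTime"]),
                "role": ev["requestParameters"]["roleArn"],
                "iam_capable_stack": False,
                "created_roles": set(),
                "admin_attached": [],
            }
    # Pass 2: attribute IAM and CloudFormation calls to the session whose key
    # signed them. When CloudFormation deploys with the caller's own credentials
    # (no service role), the CreateRole/AttachRolePolicy records typically carry
    # that same accessKeyId with userIdentity.invokedBy set to CloudFormation.
    for ev in events:
        key = ev.get("userIdentity", {}).get("accessKeyId")
        sess = sessions.get(key)
        if sess is None or _ts(ev["eventTime"]) - sess["start"] > WINDOW:
            continue
        params = ev.get("requestParameters") or {}
        name = ev["eventName"]
        if name == "CreateStack" and IAM_CAPABILITIES & set(params.get("capabilities", [])):
            sess["iam_capable_stack"] = True
        elif name == "CreateRole":
            sess["created_roles"].add(params.get("roleName"))
        elif name == "AttachRolePolicy" and params.get("policyArn") == ADMIN_POLICY:
            sess["admin_attached"].append(params.get("roleName"))
    alerts = []
    for key, sess in sessions.items():
        if not sess["admin_attached"]:
            continue
        # Admin attached to a role the same session just created is the
        # persistence pattern; attaching to an existing role still merits a page.
        new_admin = set(sess["admin_attached"]) & sess["created_roles"]
        alerts.append({
            "session": key,
            "assumed_role": sess["role"],
            "iam_capable_stack": sess["iam_capable_stack"],
            "admin_roles": sorted(set(sess["admin_attached"])),
            "severity": "critical" if new_admin or sess["iam_capable_stack"] else "high",
        })
    return alerts


def _ev(time, name, source, key=None, params=None, resp=None):
    """Build a minimal CloudTrail-shaped record (constructed sample helper)."""
    rec = {"eventTime": time, "eventName": name, "eventSource": source,
           "requestParameters": params or {}, "responseElements": resp or {}}
    if key:
        rec["userIdentity"] = {"type": "AssumedRole", "accessKeyId": key}
    return rec


ROLE = "arn:aws:iam::111122223333:role/Github-Actions-CloudFormation"  # placeholder account
# Constructed sample: one malicious session and one benign deployment.
SAMPLE_EVENTS = [
    _ev("2025-01-01T10:00:00Z", "AssumeRoleWithWebIdentity", "sts.amazonaws.com",
        params={"roleArn": ROLE}, resp={"credentials": {"accessKeyId": "ASIAEXAMPLE000001"}}),
    _ev("2025-01-01T10:05:00Z", "CreateStack", "cloudformation.amazonaws.com", "ASIAEXAMPLE000001",
        {"stackName": "demo-stack", "capabilities": ["CAPABILITY_NAMED_IAM"]}),
    _ev("2025-01-01T10:06:00Z", "CreateRole", "iam.amazonaws.com", "ASIAEXAMPLE000001",
        {"roleName": "demo-admin-role"}),
    _ev("2025-01-01T10:07:00Z", "AttachRolePolicy", "iam.amazonaws.com", "ASIAEXAMPLE000001",
        {"roleName": "demo-admin-role", "policyArn": ADMIN_POLICY}),
    _ev("2025-01-01T11:00:00Z", "AssumeRoleWithWebIdentity", "sts.amazonaws.com",
        params={"roleArn": ROLE}, resp={"credentials": {"accessKeyId": "ASIAEXAMPLE000002"}}),
    _ev("2025-01-01T11:02:00Z", "CreateStack", "cloudformation.amazonaws.com", "ASIAEXAMPLE000002",
        {"stackName": "app-stack", "capabilities": []}),
]

if __name__ == "__main__":
    for alert in detect_ci_to_admin(SAMPLE_EVENTS):
        print(alert)
```

The same two-pass shape works in a SIEM: join on the access key returned by the STS call, then look for IAM policy attachments inside the session window. A CI role that legitimately never needs `iam:AttachRolePolicy` makes the rule nearly noise-free.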

In 35% of cases where data exfiltration occurred, the malicious insider absconded with data through multiple paths, such as a combination of email and cloud, or a USB storage device and cloud.


Percentage of cases where insiders used multiple exfiltration pathways (Source : Google Cloud).

Impact: S3 data theft and cloud destruction

With full administrator rights, UNC6426 quickly shifted to data theft and destructive actions. They enumerated and accessed objects across multiple S3 buckets, exfiltrating sensitive files while also terminating critical Elastic Compute Cloud (EC2) and Relational Database Service (RDS) instances to disrupt operations.

The attackers also decrypted application keys, expanding their ability to pivot and potentially compromise additional services that depended on those secrets.

To increase pressure and chaos, UNC6426 renamed all internal GitHub repositories to variants of “s1ngularity-repository-…” and made them public, amplifying both operational impact and reputational risk.​

GTIG observed UNC4899 using living-off-the-cloud (LOTC) techniques and legitimate binaries and orchestration tools to mask their malicious intent following the initial compromise.


UNC4899's Attack Path Resulting in Cryptocurrency Theft (Source : Google Cloud).

The victim detected the malicious activity approximately three days after initial compromise and moved quickly to revoke access, remove the rogue IAM role, and clean up the CI/CD configuration.

To help address the faster pace of modern breaches, organizations should structure their response capabilities into an integrated pipeline that functions independently of manual intervention. 

Three pillars of cloud incident response (Source : Google Cloud).

Even with rapid containment, the incident underscores how CI/CD-linked identities and OIDC trust, if not tightly scoped, can turn a single compromised developer machine into a full cloud takeover.

It also illustrates the emerging pattern of attackers chaining supply chain compromise, developer endpoints, CI/CD pipelines, and federated cloud roles into one continuous kill chain that completes in days rather than weeks.
