UNC6426 Exploits nx npm Supply-Chain Attack to Gain AWS Admin Access in 72 Hours
Briefly

"The threat actor, UNC6426, then used this access to abuse the GitHub-to-AWS OpenID Connect (OIDC) trust and create a new administrator role in the cloud environment. They abused this role to exfiltrate files from the client's Amazon Web Services (AWS) Simple Storage Service (S3) buckets and performed data destruction in their production cloud environments."
"The packages were found to embed a postinstall script that, in turn, launched a JavaScript credential stealer named QUIETVAULT to siphon environment variables, system information, and valuable tokens, including GitHub Personal Access Tokens (PATs), by weaponizing a Large Language Model (LLM) tool already installed on the endpoint to perform the search."
"The supply chain attack targeting the nx npm package took place in August 2025, when unknown threat actors exploited a vulnerable pull_request_target workflow - an attack type referred to as Pwn Request - to obtain elevated privileges and access sensitive data, including a GITHUB_TOKEN, and ultimately push trojanized versions of the package to the npm registry."
UNC6426 leveraged credentials stolen during an August 2025 supply chain attack on the nx npm package to breach a victim's cloud infrastructure. The attack began when trojanized nx packages containing the QUIETVAULT credential stealer were deployed, which extracted GitHub Personal Access Tokens from developer environments. Using the stolen token, the threat actor abused GitHub-to-AWS OpenID Connect trust relationships to create administrator roles in the victim's AWS environment. This access enabled exfiltration of data from S3 buckets and destruction of production cloud resources. The entire compromise occurred within 72 hours, demonstrating the critical risk posed by supply chain vulnerabilities and stolen developer credentials.
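The pivot described above only works as far as the AWS role's trust policy lets a GitHub Actions workflow assume it. The following is an added example, not code from the article, the nx project or any of the parties involved: it audits an IAM role trust policy document for GitHub OIDC statements whose `sub` claim is missing or wildcarded (organization-wide, repository-wide, or pull_request scoped). The account id, organization, repository names and both policy documents are constructed.

```python
from typing import Any, Dict, List

GITHUB_OIDC = "token.actions.githubusercontent.com"
PROVIDER = f"arn:aws:iam::111122223333:oidc-provider/{GITHUB_OIDC}"  # constructed account id

def _as_list(value: Any) -> List[Any]:
    return value if isinstance(value, list) else [value]

def _claims(condition: Dict[str, Any], claim: str) -> List[str]:
    # Every value asserted for <provider>:<claim>, across all condition operators.
    return [str(v) for kv in condition.values() for k, val in kv.items()
            if k == f"{GITHUB_OIDC}:{claim}" for v in _as_list(val)]

def classify_sub(sub: str) -> str:
    """Describe how broad a GitHub 'sub' pattern is; '' means tightly scoped."""
    if sub in ("*", "repo:*") or sub.startswith("repo:*/"):
        return "any repository on GitHub"
    parts = sub.split(":")
    if len(parts) >= 2 and parts[1].endswith("/*"):
        return "any repository in the organization"
    if len(parts) == 3 and parts[2] == "*":
        return "any branch, tag, environment or pull request of the repository"
    if "pull_request" in sub:
        return "pull_request workflows, which can run on code from forks"
    return ""

def audit_github_oidc_trust(policy: Dict[str, Any]) -> List[str]:
    """Flag Allow statements that let GitHub Actions assume the role too broadly."""
    findings: List[str] = []
    for i, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        federated = _as_list(principal.get("Federated", [])) if isinstance(principal, dict) else []
        if not any(GITHUB_OIDC in str(p) for p in federated):
            continue  # not a GitHub OIDC statement
        cond = stmt.get("Condition", {})
        if not _claims(cond, "aud"):
            findings.append(f"statement {i}: no aud condition")
        subs = _claims(cond, "sub")
        if not subs:
            findings.append(f"statement {i}: no sub condition, any GitHub workflow may assume the role")
        for sub in subs:
            if reason := classify_sub(sub):
                findings.append(f"statement {i}: sub '{sub}' allows {reason}")
    return findings

# Constructed samples: an org-wide wildcard trust vs. one pinned to a single environment.
def _trust(conditions: Dict[str, Any]) -> Dict[str, Any]:
    return {"Statement": [{"Effect": "Allow", "Action": "sts:AssumeRoleWithWebIdentity",
                           "Principal": {"Federated": PROVIDER}, "Condition": conditions}]}
WEAK_TRUST = _trust({"StringLike": {f"{GITHUB_OIDC}:sub": "repo:example-org/*"}})
HARDENED_TRUST = _trust({"StringEquals": {f"{GITHUB_OIDC}:aud": "sts.amazonaws.com",
                                          f"{GITHUB_OIDC}:sub": "repo:example-org/app:environment:prod"}})
```

A tightly scoped `sub` (one repository, one branch or protected environment) does not stop a token holder who can already push to that branch, so branch protection and required reviews on the trusted repository remain part of the control.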
Read at The Hacker News