A threat actor tracked as UNC6426 used credentials stolen during a software supply chain attack to gain administrative control over a victim’s Amazon Web Services environment within 72 hours. The attack followed the compromise of the popular “nx” npm package in August 2025 and underscores the escalating risk that dependencies pose to modern software development. Security researchers who confirmed the incident highlighted how a single stolen developer token can end in a full cloud infrastructure compromise.
Attack Timeline and Methodology
The intrusion began when UNC6426 obtained a GitHub personal access token belonging to a developer at the target organization. The token had been exposed during the supply chain attack on the “nx” package, a widely used build system for monorepos. The threat actor used it to authenticate as that developer. A GitHub personal access token grants access to GitHub resources, not to AWS, so the token was the foothold rather than the cloud credential itself; the AWS environment was reached in a subsequent step.
Once initial access was established, UNC6426 moved quickly to escalate privileges within the AWS account. Over the next three days the actor’s actions culminated in full administrative control of the account. (In AWS terms this is the level held by the account root user or by an IAM principal carrying the AdministratorAccess policy; the two are distinct identities, but either amounts to ownership of the environment.) That control let the attacker create, modify or delete any resource and exfiltrate data.
Background on the nx Package Compromise
The supply chain attack that enabled this breach dates back to late August 2025. Attackers compromised the “nx” npm package by publishing trojanized versions whose install-time script harvested secrets from developer machines, including GitHub tokens and cloud access keys, and pushed them to public GitHub repositories created under the victims’ own accounts. The maintainers and npm’s security team removed the malicious versions, but the stolen credentials remained in circulation for threat actors to exploit.
This incident is a direct consequence of that earlier, widespread compromise. It demonstrates the long-tail risk of such attacks: pulling a trojanized release stops new infections, but every secret it already harvested stays valid until its owner revokes it, so the credentials can be weaponized long after the package itself has been cleaned up.
Implications for Cloud and Development Security
The speed of the breach is the critical concern for defenders. Going from a stolen developer token to full AWS administrative control in 72 hours leaves little time to notice the first anomalous call, investigate it and revoke the credential. It also highlights the danger of long-lived, over-permissive access tokens and the need for tightly scoped identity and access management (IAM) policies in cloud environments.
Furthermore, the attack chain illustrates how far a supply chain failure reaches. A trojanized release of a single third-party component served as the entry point for a catastrophic cloud breach. This reinforces the need for organizations to audit dependencies, apply least privilege, and monitor for unauthorized token usage, in particular IAM write calls (new users, new access keys, policy attachments) made by credentials that normally only deploy code.
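The escalation path described in the timeline above, and the monitoring this section calls for, are easier to reason about against concrete log data. The following Python is an added example written for this article, not code from the UNC6426 reporting or from AWS: it takes CloudTrail records, groups IAM write calls by the calling principal, and scores each principal by whether it hit AccessDenied while probing, minted credentials for an identity other than itself, or attached AdministratorAccess. The account ID, user names, IP addresses and timestamps in the embedded log are constructed placeholders.

```python
"""Flag CloudTrail IAM activity that looks like a stolen credential being
turned into full account control: new users, new keys for them, and
AdministratorAccess attached.

Added example for this article, not code from the UNC6426 reporting or
from AWS. The log below is constructed: account ID, user names, IP
addresses and timestamps are placeholders.
"""
import json
from collections import defaultdict
from datetime import datetime

# IAM write calls that typically mark the jump from "holds a key" to "owns the account".
ESCALATION_EVENTS = {
    "AttachUserPolicy", "AttachRolePolicy", "AttachGroupPolicy", "PutUserPolicy",
    "PutRolePolicy", "CreatePolicyVersion", "UpdateAssumeRolePolicy", "CreateUser",
    "AddUserToGroup", "CreateAccessKey", "CreateLoginProfile", "UpdateLoginProfile",
}
# Calls that mint fresh credentials; aimed at another identity they are persistence.
BACKDOOR_EVENTS = {"CreateAccessKey", "CreateLoginProfile"}
ADMIN_POLICY_ARN = "arn:aws:iam::aws:policy/AdministratorAccess"


def load_records(text):
    """CloudTrail delivers log files as {"Records": [...]}; return the list."""
    return json.loads(text)["Records"]


def _when(event):
    return datetime.strptime(event["eventTime"], "%Y-%m-%dT%H:%M:%SZ")


def analyze(records):
    """Group escalation-relevant IAM calls by calling principal and score them.

    Denied attempts are kept: an AccessDenied on AttachUserPolicy is itself a
    strong sign that someone is testing what a stolen credential can do.
    """
    by_principal = defaultdict(list)
    for ev in records:
        if ev.get("eventSource") == "iam.amazonaws.com" and ev.get("eventName") in ESCALATION_EVENTS:
            by_principal[ev["userIdentity"].get("arn", "unknown")].append(ev)

    findings = {}
    for who, evs in by_principal.items():
        evs.sort(key=_when)
        caller = evs[0]["userIdentity"].get("userName")
        timeline, backdoors, denied, admin_attached = [], [], 0, False
        for ev in evs:
            params = ev.get("requestParameters") or {}  # null on many denied calls
            target = params.get("userName") or params.get("roleName") or params.get("groupName")
            ok = "errorCode" not in ev
            if not ok:
                denied += 1
            if ok and params.get("policyArn") == ADMIN_POLICY_ARN:
                admin_attached = True
            if ok and ev["eventName"] in BACKDOOR_EVENTS and target not in (None, caller):
                backdoors.append(target)
            timeline.append((ev["eventTime"], ev["eventName"], target, "ok" if ok else ev["errorCode"]))
        span_hours = (_when(evs[-1]) - _when(evs[0])).total_seconds() / 3600
        severity = "critical" if admin_attached else "high" if (backdoors or denied) else "low"
        findings[who] = {
            "timeline": timeline, "denied": denied, "admin_attached": admin_attached,
            "backdoor_credentials": backdoors, "span_hours": round(span_hours, 1), "severity": severity,
        }
    return findings


ACCOUNT = "123456789012"  # placeholder account ID


def _ident(name):
    return {"type": "IAMUser", "arn": f"arn:aws:iam::{ACCOUNT}:user/{name}", "userName": name}


# Constructed records: a CI user's key probes, creates a backdoor user and grants it admin over 66 hours,
# interleaved with a legitimate admin action and an unrelated S3 call.
SAMPLE_LOG = json.dumps({"Records": [
    {"eventTime": "2025-09-01T01:00:00Z", "eventSource": "iam.amazonaws.com", "eventName": "AttachUserPolicy",
     "errorCode": "AccessDenied", "userIdentity": _ident("ci-deploy"), "requestParameters": None,
     "sourceIPAddress": "203.0.113.10"},
    {"eventTime": "2025-09-01T02:00:00Z", "eventSource": "iam.amazonaws.com", "eventName": "CreateUser",
     "userIdentity": _ident("ci-deploy"), "requestParameters": {"userName": "svc-backup"},
     "sourceIPAddress": "203.0.113.10"},
    {"eventTime": "2025-09-02T09:15:00Z", "eventSource": "iam.amazonaws.com", "eventName": "AttachUserPolicy",
     "userIdentity": _ident("alice"),
     "requestParameters": {"userName": "bob", "policyArn": "arn:aws:iam::aws:policy/ReadOnlyAccess"},
     "sourceIPAddress": "198.51.100.7"},
    {"eventTime": "2025-09-02T09:16:00Z", "eventSource": "s3.amazonaws.com", "eventName": "GetObject",
     "userIdentity": _ident("app-reader"), "requestParameters": {"bucketName": "example-assets"},
     "sourceIPAddress": "198.51.100.9"},
    {"eventTime": "2025-09-02T11:40:00Z", "eventSource": "iam.amazonaws.com", "eventName": "CreateAccessKey",
     "userIdentity": _ident("ci-deploy"), "requestParameters": {"userName": "svc-backup"},
     "sourceIPAddress": "203.0.113.10"},
    {"eventTime": "2025-09-03T19:00:00Z", "eventSource": "iam.amazonaws.com", "eventName": "AttachUserPolicy",
     "userIdentity": _ident("ci-deploy"),
     "requestParameters": {"userName": "svc-backup", "policyArn": ADMIN_POLICY_ARN},
     "sourceIPAddress": "203.0.113.10"},
]})


if __name__ == "__main__":
    for who, f in analyze(load_records(SAMPLE_LOG)).items():
        print(f"{f['severity'].upper():8} {who}  {len(f['timeline'])} calls over {f['span_hours']} h, "
              f"denied={f['denied']}, admin={f['admin_attached']}, backdoors={f['backdoor_credentials']}")
        for entry in f["timeline"]:
            print("   ", *entry)
```

Run against the constructed log, the CI principal comes out critical (one denied probe, a key minted for the new svc-backup user, AdministratorAccess attached 66 hours after the first attempt) while the human administrator's read-only grant scores low and the S3 call is ignored. In production the same function can be fed the decompressed objects from a CloudTrail S3 bucket or the results of a CloudTrail Lake query; the point is that the signal is in IAM write calls made by a principal that has no business making them, not in the volume of activity.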
Response and Mitigation
Following discovery of the breach, the affected organization revoked the compromised credentials and initiated a comprehensive security review. Standard incident response procedures were followed to contain the threat and assess the scope of any data loss. Security firms tracking UNC6426 have published indicators of compromise (IOCs) and tactics, techniques, and procedures (TTPs) to help other organizations defend against similar attacks.
The primary recommended mitigation is immediate rotation of any credential that could have been exposed by the nx package compromise: every GitHub token and cloud access key present on an affected developer’s machine, whether or not misuse has been observed. Organizations are also advised to enforce multi-factor authentication (MFA) on all cloud accounts, with the caveat that MFA protects interactive sign-in and does nothing against a stolen personal access token or access key used programmatically; for those, the fix is to shorten their life (fine-grained tokens with an expiry, IAM roles assumed through OIDC federation from CI instead of long-lived keys) so that a harvested secret goes stale before it can be used. Least privilege for IAM principals and continuous monitoring for anomalous activity in development and cloud environments round out the guidance.
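Deciding which credentials to rotate is a data problem: the IAM credential report lists, per user, whether each access key is active, when it was last rotated and when it was last used. The Python below is an added example, not code from the original reporting or from AWS; it triages a constructed report against a placeholder exposure date, separating keys that predate the exposure (rotate), keys nobody uses (delete) and console users without MFA. The user names, dates and the exposure date are placeholders, and the CSV keeps a leading subset of the real report’s columns in their real order.

```python
"""Triage an IAM credential report after a credential-exposure event:
which active keys predate the exposure and must be rotated, which are
stale and should simply be deleted, and who still signs in without MFA.

Added example for this article, not code from the original reporting or
from AWS. The CSV below is constructed in the layout of IAM's credential
report (a leading subset of its columns, in the real order); user names,
dates and the exposure date are placeholders.
"""
import csv
import io
from datetime import datetime, timedelta, timezone

# Sentinel values the report uses where no timestamp applies.
UNKNOWN = {"N/A", "no_information", "not_supported", ""}


def parse_time(value):
    """Report timestamps are ISO-8601 with an offset; sentinels mean 'unknown'."""
    return None if value in UNKNOWN else datetime.fromisoformat(value)


def triage(report_csv, exposure_start, now, stale_days=90):
    """Return (user, issue, detail) tuples.

    rotate : active key last rotated before exposure_start, so it may be in the stolen set
    stale  : active key unused for stale_days (or never), so remove it instead of rotating
    no_mfa : console password (or the root user) without MFA
    """
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        # The root row reports password_enabled as not_supported, so test it explicitly.
        has_console = row["password_enabled"] == "true" or user == "<root_account>"
        if has_console and row["mfa_active"] != "true":
            findings.append((user, "no_mfa", "console sign-in without MFA"))
        for n in ("1", "2"):
            if row[f"access_key_{n}_active"] != "true":
                continue
            rotated = parse_time(row[f"access_key_{n}_last_rotated"])
            last_used = parse_time(row[f"access_key_{n}_last_used_date"])
            if rotated is not None and rotated < exposure_start:
                findings.append((user, "rotate", f"key {n} last rotated {rotated.date()}, before exposure"))
            if last_used is None or now - last_used > timedelta(days=stale_days):
                findings.append((user, "stale", f"key {n} last used {last_used.date() if last_used else 'never'}"))
    return findings


# Constructed report: root with MFA and no keys; a CI user whose old key is still in use;
# a user who rotated after the exposure; a user with no MFA, one stale old key and one unused new key.
SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_1_last_used_region,access_key_1_last_used_service,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date,access_key_2_last_used_region,access_key_2_last_used_service
<root_account>,arn:aws:iam::123456789012:root,2021-03-02T09:00:00+00:00,not_supported,2025-07-20T08:00:00+00:00,not_supported,not_supported,true,false,N/A,N/A,N/A,N/A,false,N/A,N/A,N/A,N/A
ci-deploy,arn:aws:iam::123456789012:user/ci-deploy,2023-05-10T12:00:00+00:00,false,N/A,N/A,N/A,false,true,2023-05-10T12:00:00+00:00,2025-09-03T19:00:00+00:00,us-east-1,iam,false,N/A,N/A,N/A,N/A
alice,arn:aws:iam::123456789012:user/alice,2024-01-15T08:30:00+00:00,true,2025-09-04T07:45:00+00:00,2025-06-01T10:00:00+00:00,N/A,true,true,2025-09-01T10:00:00+00:00,2025-09-04T12:00:00+00:00,us-east-1,s3,false,N/A,N/A,N/A,N/A
bob,arn:aws:iam::123456789012:user/bob,2022-08-01T09:00:00+00:00,true,2025-08-30T16:20:00+00:00,2022-08-01T09:00:00+00:00,N/A,false,true,2022-08-01T09:00:00+00:00,2024-11-02T15:00:00+00:00,eu-west-1,ec2,true,2025-08-28T09:00:00+00:00,N/A,N/A,N/A
"""

# Placeholders: the day the exposure window opened, and "now" for the stale check.
EXPOSURE_START = datetime(2025, 8, 26, tzinfo=timezone.utc)
NOW = datetime(2025, 9, 5, tzinfo=timezone.utc)

if __name__ == "__main__":
    for user, issue, detail in triage(SAMPLE_REPORT, EXPOSURE_START, NOW):
        print(f"{issue:7} {user:16} {detail}")
```

Against the constructed report this yields five findings: ci-deploy’s only key predates the exposure and is still being used, which is exactly the pattern behind the breach described above, while bob needs MFA, a rotation and two deletions, and alice and the root user are clean. In production the report comes from `aws iam generate-credential-report` followed by `aws iam get-credential-report`, whose `Content` field is the base64-encoded CSV.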
Looking ahead, security analysts expect threat actors to continue exploiting credentials obtained from past software supply chain attacks. The cybersecurity community anticipates increased scrutiny on open-source package maintenance and more widespread adoption of software bills of materials (SBOMs) to improve transparency. Official advisories from cloud providers and software repositories are likely to reiterate best practices for credential hardening in the coming weeks.
Source: Multiple cybersecurity research reports