UNC6426 Escalates NPM Supply Chain To AWS Administrator

UNC6426 operators leveraged a malicious postinstall (QUIETVAULT) injected into the Nx NPM framework to harvest developer GitHub personal access tokens and exfiltrate them to a public repo, within days achieving full AWS administrator privileges. Attackers used stolen PATs to compromise GitHub organizations, abused OIDC federation via NORDSTREAM to mint STS credentials, and created an AdministratorAccess IAM role.
Key Points
- Harvests developer PATs via the malicious NPM postinstall QUIETVAULT, exfiltrating secrets to a public repository
- Exploits OIDC federation with NORDSTREAM to mint STS credentials and escalate CI/CD identity privileges
- Demands strict scoping of CI/CD roles, endpoint monitoring, and secrets protections to prevent full cloud takeover
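The second and third points hinge on how tightly a cloud role trusts a CI identity: an IAM role whose trust policy accepts any GitHub OIDC subject can be assumed by a workflow in a repository the attacker controls, which is exactly the path from stolen GitHub access to STS credentials. As an added example (not part of this report, and not UNC6426 tooling or any vendor's code), the following Python audits an IAM role trust policy for the GitHub Actions OIDC provider and flags the over-broad conditions that would let a workflow from an unintended organization, repository or branch assume the role. The `token.actions.githubusercontent.com:aud` / `:sub` condition keys and `sts:AssumeRoleWithWebIdentity` are the real AWS/GitHub federation mechanics; the three policies, the account ID `111122223333` and the `example-org` names are constructed for the demonstration.

```python
import json
from typing import Optional

GITHUB_OIDC_ISSUER = "token.actions.githubusercontent.com"
AUD_KEY = f"{GITHUB_OIDC_ISSUER}:aud"
SUB_KEY = f"{GITHUB_OIDC_ISSUER}:sub"


def _as_list(value):
    """IAM policy fields may be a single string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _check_subject(op: str, pattern: str) -> Optional[str]:
    """Rate one 'sub' pattern; None means it is pinned to a single repo and ref."""
    wild = "*" in pattern or "?" in pattern
    if op == "StringEquals" and wild:
        return (f"subject {pattern!r} uses wildcard characters under StringEquals, "
                "where they are literal; it will never match a real token")
    if not pattern.startswith("repo:"):
        return f"subject {pattern!r} does not start with 'repo:'; unexpected token shape"
    # GitHub subjects look like repo:ORG/REPO:ref:refs/heads/main (or :environment:NAME)
    repo_part, _, ref_part = pattern[len("repo:"):].partition(":")
    org, _, repo = repo_part.partition("/")
    if "*" in org or "?" in org or not org:
        return f"subject {pattern!r} wildcards the GitHub org: any org's workflow can assume the role"
    if "*" in repo or "?" in repo or not repo:
        return f"subject {pattern!r} wildcards the repository: any repo in {org!r} can assume the role"
    if not ref_part or "*" in ref_part or "?" in ref_part:
        return (f"subject {pattern!r} does not pin a branch, tag or environment of "
                f"{org}/{repo}; any workflow run in that repo can assume the role")
    return None


def audit_github_oidc_trust(policy: dict) -> list:
    """Return human-readable findings for statements that let GitHub's OIDC provider assume the role."""
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        if "sts:AssumeRoleWithWebIdentity" not in _as_list(stmt.get("Action")):
            continue
        principal = stmt.get("Principal", {})
        federated = _as_list(principal.get("Federated")) if isinstance(principal, dict) else []
        if not any(GITHUB_OIDC_ISSUER in p for p in federated):
            continue  # not a GitHub Actions trust; out of scope for this check
        cond = stmt.get("Condition", {})
        if not _as_list(cond.get("StringEquals", {}).get(AUD_KEY)):
            findings.append(f"statement {idx}: no {AUD_KEY} condition; token audience is not checked")
        subjects = [(op, s) for op in ("StringEquals", "StringLike")
                    for s in _as_list(cond.get(op, {}).get(SUB_KEY))]
        if not subjects:
            findings.append(f"statement {idx}: no {SUB_KEY} condition; "
                            "any GitHub repository's workflow can assume this role")
            continue
        for op, s in subjects:
            problem = _check_subject(op, s)
            if problem:
                findings.append(f"statement {idx}: {problem}")
    return findings


def _policy(condition: Optional[dict]) -> dict:
    """Build a constructed trust policy for the GitHub OIDC provider (account ID is a placeholder)."""
    stmt = {
        "Effect": "Allow",
        "Principal": {"Federated": f"arn:aws:iam::111122223333:oidc-provider/{GITHUB_OIDC_ISSUER}"},
        "Action": "sts:AssumeRoleWithWebIdentity",
    }
    if condition is not None:
        stmt["Condition"] = condition
    return {"Version": "2012-10-17", "Statement": [stmt]}


# Constructed sample policies: no conditions at all, an org-wide wildcard, and a pinned branch.
NO_CONDITION_POLICY = _policy(None)
WEAK_POLICY = _policy({"StringEquals": {AUD_KEY: "sts.amazonaws.com"},
                       "StringLike": {SUB_KEY: "repo:example-org/*"}})
STRICT_POLICY = _policy({"StringEquals": {AUD_KEY: "sts.amazonaws.com",
                                          SUB_KEY: "repo:example-org/deploy:ref:refs/heads/main"}})

if __name__ == "__main__":
    for name, pol in (("no-condition", NO_CONDITION_POLICY), ("weak", WEAK_POLICY), ("strict", STRICT_POLICY)):
        print(f"== {name} ==")
        print(json.dumps(audit_github_oidc_trust(pol), indent=2))
```

Run it on the output of `aws iam get-role --role-name <role> --query Role.AssumeRolePolicyDocument` for each CI role; a clean result means the role can only be assumed from one repository and one branch, tag or environment, which is what "strict scoping of CI/CD roles" amounts to in practice. Pinning `sub` does not by itself stop a compromised organization from pushing to that branch, so branch protection on the pinned ref still matters.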
Scoring Rationale
Rapid, practical threat showing CI/CD-to-cloud escalation in under 72 hours, limited by single-source reporting and moderate novelty.
Sources
Public references used for this report.

