Cloud Security, Supply chain, Identity, DevOps

Nx npm supply chain hack weaponized to breach cloud environment


Threat operation UNC6426 achieved total compromise of an organization's AWS environment within 72 hours after harnessing keys exfiltrated during the August npm supply chain attack against open-source codebase management platform Nx, according to The Hacker News.

UNC6426 used the obtained keys to access the organization's GitHub repository and enumerate the GitHub environment before exploiting the CI/CD pipeline to compromise the organization's AWS API keys, according to findings in Google's Cloud Threat Horizons Report for H1 2026. The group then generated temporary AWS Security Token Service (STS) tokens to infiltrate the victim's AWS environment, enumerated and accessed S3 bucket objects, terminated production Elastic Compute Cloud (EC2) and Relational Database Service (RDS) instances, and decrypted application keys, before renaming the organization's GitHub repositories and making them public.

Combating such a threat requires package managers that prohibit postinstall scripts, or sandboxing tools, along with tracking of suspicious IAM activity and robust controls against shadow AI.
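As an added illustration of tracking suspicious IAM activity (this is not code from the report or from the article), the Python example below correlates CloudTrail-shaped records so that a temporary STS key is flagged when it is used across several of the stages described above shortly after being issued. The mapping of API calls to stages, the 12-hour window, the `ev` helper and all sample records, key IDs and the account number are assumptions constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

STS_ISSUE = {"GetSessionToken", "GetFederationToken", "AssumeRole"}
STAGES = {  # (eventSource, eventName) -> stage label; this mapping is an assumption
    ("s3.amazonaws.com", "ListBuckets"): "s3-enumeration",
    ("s3.amazonaws.com", "GetObject"): "s3-access",
    ("ec2.amazonaws.com", "TerminateInstances"): "destruction",
    ("rds.amazonaws.com", "DeleteDBInstance"): "destruction",
    ("kms.amazonaws.com", "Decrypt"): "key-decryption",
}

def _ts(e):
    return datetime.strptime(e["eventTime"], "%Y-%m-%dT%H:%M:%SZ")

def correlate(events, window=timedelta(hours=12), min_stages=2):
    """Return temporary keys used in >= min_stages stages within `window` of issuance."""
    issued, hits = {}, defaultdict(set)
    for e in sorted(events, key=_ts):
        ident = e.get("userIdentity") or {}
        if e["eventSource"] == "sts.amazonaws.com" and e["eventName"] in STS_ISSUE:
            creds = (e.get("responseElements") or {}).get("credentials") or {}
            if creds.get("accessKeyId"):  # remember which principal minted this key
                issued[creds["accessKeyId"]] = (_ts(e), ident.get("arn"))
            continue
        key = ident.get("accessKeyId")
        stage = STAGES.get((e["eventSource"], e["eventName"]))
        if stage and key in issued and _ts(e) - issued[key][0] <= window:
            hits[key].add(stage)
    return {k: {"issuer": issued[k][1], "stages": sorted(s)}
            for k, s in hits.items() if len(s) >= min_stages}

def ev(time, source, name, key, issued_key=None, user="ci-deploy"):
    """Build one constructed CloudTrail-shaped record (sample data, not real logs)."""
    resp = {"credentials": {"accessKeyId": issued_key}} if issued_key else None
    return {"eventTime": time, "eventSource": source, "eventName": name, "responseElements": resp,
            "userIdentity": {"arn": f"arn:aws:iam::111122223333:user/{user}", "accessKeyId": key}}

SAMPLE = [  # constructed: one key walks the whole chain, one only lists buckets
    ev("2025-01-01T10:00:00Z", "sts.amazonaws.com", "GetSessionToken", "AKIAEXAMPLECI", "ASIAEXAMPLETEMP1"),
    ev("2025-01-01T10:05:00Z", "s3.amazonaws.com", "ListBuckets", "ASIAEXAMPLETEMP1"),
    ev("2025-01-01T11:00:00Z", "kms.amazonaws.com", "Decrypt", "ASIAEXAMPLETEMP1"),
    ev("2025-01-01T12:00:00Z", "ec2.amazonaws.com", "TerminateInstances", "ASIAEXAMPLETEMP1"),
    ev("2025-01-01T12:05:00Z", "rds.amazonaws.com", "DeleteDBInstance", "ASIAEXAMPLETEMP1"),
    ev("2025-01-01T09:00:00Z", "sts.amazonaws.com", "AssumeRole", "AKIAEXAMPLEDEV", "ASIAEXAMPLETEMP2", "dev"),
    ev("2025-01-01T09:10:00Z", "s3.amazonaws.com", "ListBuckets", "ASIAEXAMPLETEMP2", user="dev"),
]

if __name__ == "__main__":
    print(correlate(SAMPLE))
```

Raising `min_stages` or shortening `window` trades recall for fewer alerts; both values need tuning against an environment's normal CI/CD behavior.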
