Title: Swift Cyberattack Highlights Vulnerabilities in CI/CD-to-Cloud Trust Model
In a recent incident that underscores the fragility of trust within Continuous Integration/Continuous Deployment (CI/CD) environments, hackers identified as UNC6426 managed to exploit a routine NPM (Node Package Manager) update to gain full AWS administrator access. This alarming breach transpired in less than 72 hours, reflecting the urgent need for organizations to critically evaluate and tighten their security protocols surrounding developer operations.
The event began when a developer at the compromised organization updated or installed a malicious package via a code editor plugin. Unbeknownst to the user, the post-install script executed immediately on their workstation, serving as the initial entry point for the attackers. This script initiated a process known as QUIETVAULT, which systematically scanned the developer’s system for sensitive information such as environment variables, configuration files, and primarily, GitHub Personal Access Tokens (PATs). This stolen data was then exfiltrated to a public GitHub repository under the attackers’ control.
Consequently, a seemingly mundane developer task—updating an ostensibly trusted package—culminated in the immediate exposure of high-value credentials without any direct interaction taking place between the affected developer and the cloud infrastructure. Within just one day after the initial malicious activity, the unrecognized threat actors leveraged the stolen PAT to make unauthorized requests within the victim’s GitHub organization, thereby establishing a foothold within the software supply chain, rather than merely breaching the cloud perimeter.
According to findings from incident response teams, this security breach stemmed from an upstream compromise that injected malicious code, designated as QUIETVAULT, into the widely-used Nx NPM framework. Notably, the malware’s early use of local large language model tooling enabled it to expedite the discovery of sensitive files, essentially turning the developer’s own AI-enabled environment into an unwitting assistant in the credential-harvesting scheme.
From GitHub to AWS in Just Three Days
On the second day, a financially motivated group—identified as UNC6426—took control of the breach. This group notably focused on exploiting CI/CD identities, demonstrating a significant evolution in threat actor tactics. According to a report that tracked threat vectors, the use of third-party software vulnerabilities as entry points dramatically rose to 44.5%, a significant increase from just 2.9% recorded in the first half of 2025.
By the third day of this insidious operation, UNC6426 abused the legitimate OpenID Connect (OIDC) trust that exists between GitHub Actions and AWS, utilizing a tool named NORDSTREAM. This enabled them to mint temporary AWS Security Token Service (STS) credentials for a role entitled GitHub-Actions-CloudFormation, astonishingly without necessitating any static AWS keys. Instead, the attack relied entirely on the existing identity federation which had been established to facilitate passwordless deployments.
Employing NORDSTREAM, the attackers systematically cataloged secrets and deployed malicious pipelines within GitHub, ultimately extracting credentials from a GitHub service account woven into the victim’s CI/CD workflows. Unfortunately, the GitHub-Actions-CloudFormation role offered excessive privileges for a CI/CD identity. UNC6426 adeptly exploited this weakness to deploy a CloudFormation stack capable of creating and modifying IAM (Identity and Access Management) entities. They subsequently generated a new IAM role, attaching the AWS-managed AdministratorAccess policy.
In less than 72 hours from the initial NPM-triggered event, the attackers successfully escalated their access from a single stolen GitHub token to a full-fledged AWS administrator role within the production environment of the victim organization.
The subsequent phase of the attack saw UNC6426 engaging in data theft and disruptive actions. They meticulously accessed and enumerated various objects across multiple S3 buckets, exfiltrating sensitive files while simultaneously terminating critical Elastic Compute Cloud (EC2) and Relational Database Service (RDS) instances. This tactic was effectively employed to significantly impair operations within the organization.
Impact: From Data Theft to Cloud Destruction
The hackers escalated their operations further by decrypting confidential application keys, broadening their scope for compromising additional services reliant on these secrets. To intensify chaos and disruption, UNC6426 altered the names of internal GitHub repositories to versions of "s1ngularity-repository-…" and made them publicly accessible, amplifying the operational fallout as well as the reputational damage for the affected organization.
The compromised entity detected the malicious activities roughly three days post-initial breach and acted swiftly to revoke access, eradicate the rogue IAM role, and rectify the CI/CD configuration. To mitigate the risks associated with modern rapid breaches, organizations are advised to establish integrated response capabilities that operate independently of manual interventions.
This incident starkly demonstrates that poorly scoped CI/CD-linked identities and OIDC trust can convert one compromised developer machine into a gateway for a full-scale cloud takeover. Moreover, it reflects an emerging trend among attackers who are increasingly intertwining supply chain compromises, developer endpoints, CI/CD pipelines, and federated cloud roles into a continuous kill chain capable of completion in mere days rather than weeks.
As organizations continue to navigate these cybersecurity challenges, the imperative for robust security measures and vigilant monitoring has never been clearer. In an era where the boundaries between development and deployment continue to evolve, safeguarding sensitive data and maintaining operational integrity remain paramount.