Nx NPM Supply Chain Exploited

Your AI Assistant Just Handed Over the AWS Keys

You likely trust your build tools, rely on your npm packages, and definitely trust that new AI coding assistant you just installed. However, a threat actor known as UNC6426 just proved that a single stolen developer token can lead to full AWS administrator access in exactly seventy-two hours.

We are not talking about a theoretical risk; this is a devastating software supply chain attack actively weaponizing the very tools we use to write code faster. The attackers utilized the compromised Nx npm package to escalate privileges from a local environment to full cloud dominance. Consequently, they granted themselves the power to delete databases, shut down servers, and wipe a company off the digital map. If you are not conducting regular security evaluations, you are a sitting duck in this evolving threat landscape.

Technical Threat Analysis: Weaponizing AI and Abusing Trust

This campaign, often referred to as s1ngularity, represents a dangerous evolution in supply chain attacks by targeting novel vectors like local AI agents and cloud trust relationships.

The AI Traitor in Your Terminal

The attackers are no longer just looking for your password; instead, they are hunting for your AI assistants.

  • Weaponizing the AI: According to the technical analysis by Wiz, this malware specifically targets AI CLI tools already installed on developer machines, such as Claude Code, Gemini CLI, and Amazon Q.
  • Forcing Secrets Spills: The malware uses dangerous flags like --yolo or --trust-all-tools to force these AI assistants to bypass security boundaries. Specifically, it tricks the AI agents into scanning local files for secrets and then immediately ships that data off to the attacker.
  • Massive Impact: This was not a narrow targeted strike; rather, the “s1ngularity” malware impacted over 2,000 GitHub accounts and 7,200 repositories. The attackers exfiltrated stolen data by creating public repositories named s1ngularity-repository directly under the victims’ own accounts.

The “Pwn Request” Vector

The entire infection chain started with a clever exploit of the foundational CI/CD infrastructure.

  • The Compromise: As detailed by StepSecurity, the attackers exploited a vulnerable pull_request_target workflow in the Nx GitHub repository.
  • Token Theft: This “Pwn Request” allowed them to steal a GITHUB_TOKEN possessing write permissions. Subsequently, they used this token to compromise the npm publishing credentials, thereby poisoning the legitimate Nx package.
  • Petty Persistence: Highlighting the attacker’s audacity, the malware appended sudo shutdown -h 0 to the user’s ~/.bashrc file. Because of this, the developer’s computer would shut down every single time they opened a new terminal session, which severely disrupted remediation efforts.

From GitHub to Total Cloud Demolition

Once the attackers secured a foothold in the developer’s environment, they bypassed the local machine and targeted the “Crown Jewels” in the cloud.

  • Abusing OIDC Trust: The Google Cloud Threat Horizons Report explains that the attackers exploited the OpenID Connect (OIDC) trust relationship between GitHub and AWS.
  • Privilege Escalation: By leveraging “overly permissive” GitHub Actions roles, the attacker deployed a new CloudFormation stack. This stack attached the AdministratorAccess policy to the attacker’s IAM principal, which granted them total control over the environment.
  • Data Destruction: This was not merely a data heist; rather, it was a demolition. The Hacker News reports that the actor actually started destroying production infrastructure, terminating running EC2 instances and RDS databases once they held the keys.

Mitigation and Urgent Action Required

The lightning-fast escalation observed in this attack mandates that organizations immediately review their supply chain and cloud security postures.

Immediate Action: Audit Your Cloud Trust Roles

As a Fractional CTO, I see these patterns constantly: organizations grant excessive permissions to automation roles “just to make it work.” You must correct this immediately to prevent lateral movement.

  1. Audit OIDC Roles: Review every IAM role trusted by GitHub (or any CI/CD provider via OIDC). Ensure these roles follow the principle of least privilege. For instance, a role used to deploy a specific lambda function should never possess AdministratorAccess.
  2. Use IAM Conditions: Utilize IAM conditions in your trust policies to restrict role assumption only to specific GitHub repositories, branches, or environments. Furthermore, do not allow any repository in your organization to assume a high-privilege role by default.

Broader Defensive Strategies

  1. Pin Dependencies: Where possible, pin npm dependencies to specific versions or use lockfiles strictly. Moreover, treat any unexpected update to critical build tools with extreme suspicion.
  2. Monitor AI Tool Usage: Be aware of which AI CLI tools your developers are using and audit their configuration. For security reasons, disable dangerous flags like --yolo or --trust-all-tools via organizational policy if the tools support it.
  3. Threat Hunting: CISA issued an alert regarding this broader campaign, which they call Shai-Hulud. Hunt for the “petty persistence” indicators in .bashrc and review GitHub audit logs for unexpected repository creation or configuration changes. Be particularly wary of new campaigns like Sandworm_Mode, which include “dead man’s switches” that wipe home directories upon C2 loss.

Final Thoughts

The vulnerability exposed by the UNC6426 attack proves we can no longer trust our development tools blindly, especially when they are “popular” or “AI-powered.” Security is a distributed problem, and the integrity of your network relies on every device and every dependency. If you are building software, you must build security into the core, rather than bolting it on later.

Is your organization prepared for a lightning-fast cloud takeover, or do you need expert guidance on hardening your supply chain and CI/CD pipelines?

We can help! Schedule a security consultation with us today at https://StartupHakkSecurity.com.

Related Articles

Conceptual cybersecurity image illustrating an unstable house of cards made of code panels on an AI foundation, with sensitive data leaking and a hand with a magnifying glass examining a broken lock.
AINews
The Un-Lovable Security Crisis
Conceptual cybersecurity illustration showing a hacker sitting at a multi-monitor setup with code and data on screens. Screens show 'SPOOFING', 'CREDENTIAL THEFT', and a 'MAP' with red connections. Below are 'PRIVILEGE ESCALATION' and red connections. To the right, a centralized system labelled 'SECURE' on a screen is cracked and broken. Stacked below the screen are 'Microsoft Defender' and 'SharePoint Server' layers, also broken. Red data tentacles and chains are breaking through from the hacker's side. An isolated red entity labeled 'DEFENDER' with chains around it and a red figure with a crowbar is also visible. Text labels like 'RedSun', 'BlueHammer', 'UNPATCHED', 'CVE-2026-33825', and 'CVE-2026-32201' are dispersed in the chaotic red area. The overall style is futuristic and high-tech with a focus on a blue, red, grey, and black color palette.
Security Review
Microsoft Defender and SharePoint Vulnerabilities
Conceptual cybersecurity image showing two analysts in a security operations center investigating a malicious PDF document attack. A tablet displays a PDF with embedded red JavaScript code (Prototype Pollution) triggering a 'Zero-Day' exploit that leads to 'Lateral Movement' into a network.
Penetration Testing
Adobe Acrobat Zero-Day Exploited in the Wild