Zero to AWS Admin in 72 Hours
If you think your CI/CD pipeline is “internal,” UNC6426 would like to leave a message in your logs to prove you wrong.
A new report shows exactly how threat actor UNC6426 used a single stolen GitHub token from a supply-chain hit (the nx npm package) to become an AWS Administrator in just three days.
So What?
This wasn’t some sophisticated zero-day. It was an identity heist.
The attacker grabbed a developer’s Personal Access Token (PAT).
They used a tool called Nord Stream to crawl the environment for secrets.
They abused the OIDC (OpenID Connect) trust between GitHub and AWS to mint themselves a brand-new Administrator role.
Most teams switch to OIDC because it’s “more secure” than hardcoded keys. But if your GitHub environment gets compromised, that trust becomes a high-speed rail straight into your production cloud.
The Defender’s Playbook
Audit OIDC Claims: In AWS, your trust policies shouldn’t just “Trust GitHub.” They need to be scoped to specific repositories and specific environments. If it’s wide open, you’re asking for it.
Nuke Long-Lived PATs: Switch to GitHub Fine-Grained tokens with short expiration dates. A token that lasts a year is just a ticking time bomb waiting for a leaked .env file.
Rotate Secrets: If you use nx or similar monorepo tools, assume your current secrets are burnt. Rotate them now.
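As an added example (not from the report or from this post), here is a small Python audit of IAM role trust policies that puts the playbook's first item into practice: it flags any GitHub OIDC trust that has no audience check or whose subject claim is not pinned to one repository and one branch or environment. The two policies, the organisation and repository names, and the account id are constructed samples.

```python
import re

OIDC = "token.actions.githubusercontent.com"
# A sub claim pinned to one repo and one branch or environment (names constructed).
SCOPED_SUB = re.compile(
    r"^repo:[\w.-]+/[\w.-]+:(ref:refs/[\w./-]+|environment:[\w.-]+)$")

# Constructed trust policies; 123456789012 is a placeholder account id.
PROVIDER = f"arn:aws:iam::123456789012:oidc-provider/{OIDC}"
WEAK_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Principal": {"Federated": PROVIDER},
    "Action": "sts:AssumeRoleWithWebIdentity",
    # Any repo in the org, any branch, no audience check: the wide-open trust.
    "Condition": {"StringLike": {f"{OIDC}:sub": "repo:example-org/*"}}}]}
SCOPED_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Principal": {"Federated": PROVIDER},
    "Action": "sts:AssumeRoleWithWebIdentity",
    "Condition": {"StringEquals": {
        f"{OIDC}:aud": "sts.amazonaws.com",
        f"{OIDC}:sub": "repo:example-org/example-app:environment:prod"}}}]}

def _values(cond, op, key):
    """Condition values may be a string or a list; normalise to a list."""
    v = cond.get(op, {}).get(key, [])
    return [v] if isinstance(v, str) else list(v)

def audit_github_trust(policy):
    """Return findings for each statement that lets GitHub's OIDC provider
    assume the role; an empty list means every such trust is scoped."""
    findings = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        fed = str(stmt.get("Principal", {}).get("Federated", ""))
        if stmt.get("Effect") != "Allow" or OIDC not in fed:
            continue
        cond = stmt.get("Condition", {})
        aud = _values(cond, "StringEquals", f"{OIDC}:aud")
        subs = (_values(cond, "StringEquals", f"{OIDC}:sub")
                + _values(cond, "StringLike", f"{OIDC}:sub"))
        if aud != ["sts.amazonaws.com"]:
            findings.append(f"statement {i}: aud not pinned to sts.amazonaws.com")
        if not subs:
            findings.append(f"statement {i}: no sub condition, any GitHub workflow can assume it")
        for s in subs:
            if not SCOPED_SUB.match(s):
                findings.append(f"statement {i}: sub {s!r} not pinned to one repo and branch/env")
    return findings
```

Run it over the trust policies exported from your account (for example, the output of `aws iam get-role`) and treat every finding as a role a stolen workflow token could reach.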
The Takeaway
Identity is the new perimeter, and your CI/CD pipeline is an unlocked side door.
UNC6426 didn’t need to hack AWS; they just needed one developer to lose one token. The lesson is simple: Trust is a liability. If you haven’t hardened your GitHub-to-AWS OIDC configuration, you’re one bad npm install away from losing the keys to the kingdom.
- Alex
P.S. - Seriously, go check your OIDC trust policies. “AdministratorAccess” should not be the default for a GitHub Action.