UNC6426

Also known as: UNC6426
Malware families: 1

UNC6426 is a threat actor tracked by Google that conducted a follow-on intrusion using credentials stolen during the August 2025 supply-chain compromise of the nx npm package. Google documented the activity in its Cloud Threat Horizons Report for H1 2026.

The actor used stolen GitHub tokens, including a developer's GitHub token, to breach a victim's AWS environment within 72 hours. The reported chain ran from the source-control side into the cloud account: reconnaissance in the victim's GitHub environment; abuse of the GitHub-to-AWS OpenID Connect (OIDC) trust relationship, which let the actor exchange a GitHub Actions identity token for temporary AWS STS credentials over the same role-assumption path a legitimate deploy workflow uses; deployment of a CloudFormation stack; creation of a new IAM role with the AdministratorAccess managed policy attached, which gives the actor full-account privileges that survive revocation of the stolen token; exfiltration of files from AWS S3 buckets; and destructive actions in production cloud environments, including termination of production EC2 and RDS resources.

The reporting also states that UNC6426 used the open-source tool Nord Stream to extract CI/CD secrets and that, in the final stage of the intrusion, internal GitHub repositories were renamed to s1ngularity-repository variants and made public.

UNC6426 is associated in this reporting only with the exploitation of credentials stolen in the nx compromise; no additional aliases or nation-state attribution are given.
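The cloud half of the chain described above leaves a recognizable trail in CloudTrail: an AssumeRoleWithWebIdentity call from the GitHub OIDC provider with a subject the trust was never meant for, followed by role creation, an AdministratorAccess attachment, a CloudFormation stack, S3 reads, and EC2/RDS destruction, all under one temporary-credential session. The following Python is an added example, not code from Google's report or from Mallory, that correlates events into those stages per session. The event layout is a constructed approximation of CloudTrail records (the OIDC subject is assumed to sit in userIdentity.userName and the minted session ARN in responseElements.assumedRoleUser.arn); the account ID, role names and the EXPECTED_SUBJECTS allowlist are hypothetical.

```python
"""Correlate CloudTrail-style events into the GitHub-OIDC -> AWS chain reported for UNC6426.

Added example, not code from the report or from Mallory. Event shapes are constructed
approximations of CloudTrail records; account ID, role names and EXPECTED_SUBJECTS are hypothetical.
"""
from collections import defaultdict

GITHUB_OIDC = "token.actions.githubusercontent.com"
ADMIN_POLICY = "arn:aws:iam::aws:policy/AdministratorAccess"

# Assumption: the only GitHub Actions identity that should ever assume the deploy role.
# Any other `sub` means the token was minted from a repo/branch the trust policy should not accept.
EXPECTED_SUBJECTS = {"repo:example-org/deploy:ref:refs/heads/main"}

# Stages of the reported chain, in order; results are reported in this order.
CHAIN = (
    "oidc_unexpected_subject",  # OIDC trust abused to obtain STS credentials
    "iam_create_role",          # new IAM role created
    "iam_admin_attach",         # AdministratorAccess attached to a role
    "cfn_create_stack",         # CloudFormation stack deployed
    "s3_read",                  # objects pulled from S3 (requires S3 data-event logging)
    "destroy_ec2",              # production EC2 terminated
    "destroy_rds",              # production RDS deleted
)


def stage_of(ev):
    """Map one event to a chain stage, or None if it is not part of the chain."""
    name, src = ev.get("eventName"), ev.get("eventSource")
    uid = ev.get("userIdentity") or {}
    req = ev.get("requestParameters") or {}
    if src == "sts.amazonaws.com" and name == "AssumeRoleWithWebIdentity":
        # Assumed location of the IdP and token subject in a WebIdentityUser record.
        if uid.get("identityProvider") == GITHUB_OIDC and uid.get("userName") not in EXPECTED_SUBJECTS:
            return "oidc_unexpected_subject"
        return None
    if src == "iam.amazonaws.com":
        if name == "CreateRole":
            return "iam_create_role"
        if name == "AttachRolePolicy" and req.get("policyArn") == ADMIN_POLICY:
            return "iam_admin_attach"
        return None
    table = {
        ("cloudformation.amazonaws.com", "CreateStack"): "cfn_create_stack",
        ("s3.amazonaws.com", "GetObject"): "s3_read",
        ("ec2.amazonaws.com", "TerminateInstances"): "destroy_ec2",
        ("rds.amazonaws.com", "DeleteDBInstance"): "destroy_rds",
    }
    return table.get((src, name))


def session_of(ev):
    """Key events by temporary-credential session: the ARN STS minted, or the caller ARN."""
    if ev.get("eventName") == "AssumeRoleWithWebIdentity":
        return ((ev.get("responseElements") or {}).get("assumedRoleUser") or {}).get("arn")
    return (ev.get("userIdentity") or {}).get("arn")


def correlate(events, min_stages=3):
    """Return {session_arn: [stages in CHAIN order]} for sessions reaching >= min_stages."""
    seen = defaultdict(set)
    for ev in events:
        stage, key = stage_of(ev), session_of(ev)
        if stage and key:
            seen[key].add(stage)
    return {k: [s for s in CHAIN if s in v] for k, v in seen.items() if len(v) >= min_stages}


# Constructed sample events (hypothetical account and role names).
ACCOUNT = "123456789012"
OK_SESSION = f"arn:aws:sts::{ACCOUNT}:assumed-role/GitHubDeployRole/deploy"
BAD_SESSION = f"arn:aws:sts::{ACCOUNT}:assumed-role/GitHubDeployRole/ci"


def _oidc(subject, session_arn):
    return {"eventName": "AssumeRoleWithWebIdentity", "eventSource": "sts.amazonaws.com",
            "userIdentity": {"type": "WebIdentityUser", "identityProvider": GITHUB_OIDC,
                             "userName": subject},
            "responseElements": {"assumedRoleUser": {"arn": session_arn}}}


def _ev(name, src, session_arn, **extra):
    return {"eventName": name, "eventSource": src, "userIdentity": {"arn": session_arn}, **extra}


SAMPLE_EVENTS = [
    # Legitimate deploy: expected subject, only a stack deployment follows.
    _oidc("repo:example-org/deploy:ref:refs/heads/main", OK_SESSION),
    _ev("CreateStack", "cloudformation.amazonaws.com", OK_SESSION),
    # Token minted by a workflow in another repo/branch, then the full chain.
    _oidc("repo:example-org/other-repo:ref:refs/heads/feature", BAD_SESSION),
    _ev("CreateStack", "cloudformation.amazonaws.com", BAD_SESSION),
    _ev("CreateRole", "iam.amazonaws.com", BAD_SESSION, requestParameters={"roleName": "ops-admin"}),
    _ev("AttachRolePolicy", "iam.amazonaws.com", BAD_SESSION,
        requestParameters={"roleName": "ops-admin", "policyArn": ADMIN_POLICY}),
    _ev("GetObject", "s3.amazonaws.com", BAD_SESSION),
    _ev("TerminateInstances", "ec2.amazonaws.com", BAD_SESSION),
    _ev("DeleteDBInstance", "rds.amazonaws.com", BAD_SESSION),
]

if __name__ == "__main__":
    for arn, stages in correlate(SAMPLE_EVENTS).items():
        print(arn, "->", ", ".join(stages))
```

Two caveats when running this against real logs: S3 GetObject is a data event and is not logged unless S3 data events are enabled on the trail, and an actor who arrives with stolen long-lived access keys rather than an OIDC exchange will never hit the first stage, which is why the threshold counts stages rather than requiring the OIDC one. The preventive counterpart is the role trust policy: pin the token.actions.githubusercontent.com:sub condition to the exact repository and ref or environment instead of a wildcard such as repo:org/*, so a token minted from any other repository or branch is refused before STS issues credentials.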


MITRE ATT&CK tradecraft

16 distinct techniques observed across reporting, grouped by tactic: 27 technique entries across 10 of the 15 tactics, since a technique such as T1078 Valid Accounts recurs under every tactic it serves. ×N gives the number of intelligence reports citing that technique.

TA0043 Reconnaissance (1 technique)
    T1592 Gather Victim Host Information
        T1592.004 Client Configurations

TA0001 Initial Access (2 techniques)
    T1078 Valid Accounts (×2)
        T1078.004 Cloud Accounts
    T1195 Supply Chain Compromise (×2)
        T1195.001 Compromise Software Dependencies and Development Tools
        T1195.003 Compromise Hardware Supply Chain (listed in the source mapping; the nx compromise itself was a software-dependency compromise, T1195.001)

TA0003 Persistence (4 techniques)
    T1078 Valid Accounts (×2)
        T1078.004 Cloud Accounts
    T1098 Account Manipulation
    T1136 Create Account
        T1136.003 Cloud Account
    T1556 Modify Authentication Process

TA0004 Privilege Escalation (3 techniques)
    T1078 Valid Accounts (×2)
        T1078.004 Cloud Accounts
    T1098 Account Manipulation
    T1548 Abuse Elevation Control Mechanism

TA0005 Stealth (1 technique)
    T1078 Valid Accounts (×2)
        T1078.004 Cloud Accounts

TA0112 Defense Impairment (1 technique)
    T1556 Modify Authentication Process

TA0006 Credential Access (3 techniques)
    T1528 Steal Application Access Token (×2)
    T1555 Credentials from Password Stores
    T1556 Modify Authentication Process

TA0007 Discovery (1 technique)
    T1526 Cloud Service Discovery

TA0010 Exfiltration (1 technique)
    T1567 Exfiltration Over Web Service
        T1567.002 Exfiltration to Cloud Storage (×2)

TA0040 Impact (1 technique)
    T1485 Data Destruction (×2)