Compromised Nx package led to cloud administrative control in 72 hours

In August 2025, a breach in the software supply chain showed once again that the weakest link may be in the developer's workflow. A compromised version of the nx package published on npm included a malicious post-install script that became the entry point for an attack that escalated into the cloud and reached total administrative control in less than three days.

The initial mechanism was not conceptually sophisticated: the exploitation of a GitHub Actions workflow based on pull_request_target, a class of attack that the community knows as a Pwn Request. Research on this type of abuse and how it affects repositories and workflows can be found in technical analyses from Praetorian, Endor Labs and SonarSource. This type of workflow allows an actor who can submit a pull request to obtain elevated privileges and extract secrets that are then reused to compromise more sensitive environments.

In this case, the trojanized package included a JavaScript credential stealer named QUIETVAULT, detections for which can be found in malware analysis sources such as VirusTotal. The code searched for environment variables, system metadata and valuable tokens, including GitHub personal access tokens (PATs), and uploaded the collected information to a public repository. The execution vector was, paradoxically, an update triggered by a development extension (Nx Console) when an employee opened his editor and allowed the post-install script to run on his machine.

With the tokens in hand, the group identified by Google as UNC6426 began reconnaissance within the victim's GitHub environment and used a legitimate secret extraction tool called Nord Stream to locate additional credentials, including those of a GitHub service account. From there, the attacker took advantage of the trust relationship between GitHub Actions and Amazon Web Services (the OIDC integration) to request temporary AWS STS tokens and gain access to roles capable of deploying infrastructure.

The key problem in the cloud was the permissiveness of a role linked to GitHub Actions that allowed CloudFormation operations with the permissions to create identities and attach policies. Through that opening, the attackers deployed a stack whose only purpose was to create a new identity with the AdministratorAccess policy attached. According to the analysis published by Google in its Cloud Threat Horizon Report H1 2026, this chain made it possible to move from a stolen token to full administrative permissions in AWS in less than 72 hours.
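A first-pass audit for the role weakness described above, as an added example that is not taken from the original article or from Google's report. It checks an IAM permission policy for the combination of stack deployment with identity creation, policy attachment or iam:PassRole; the two policy documents are constructed for illustration.

```python
import fnmatch

# Actions that create a stack, mint an identity, or hand a role to a service.
STACK = ["cloudformation:CreateStack", "cloudformation:UpdateStack"]
IDENTITY = ["iam:CreateUser", "iam:CreateRole", "iam:CreateAccessKey",
            "iam:AttachUserPolicy", "iam:AttachRolePolicy",
            "iam:PutUserPolicy", "iam:PutRolePolicy"]
PASS_ROLE = ["iam:PassRole"]


def as_list(value):
    """IAM accepts a single item or a list for Statement and Action."""
    return value if isinstance(value, list) else [value]


def allowed(policy, candidates):
    """Candidates matched by the Action patterns of any Allow statement.
    Deny, NotAction, Resource and Condition are not evaluated: triage only."""
    hits = set()
    for stmt in as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow" or "Action" not in stmt:
            continue
        for pattern in as_list(stmt["Action"]):
            # IAM action names are case-insensitive and support * and ? wildcards.
            hits.update(a for a in candidates
                        if fnmatch.fnmatchcase(a.lower(), pattern.lower()))
    return sorted(hits)


def audit(policy):
    """Flag a CI role that can deploy stacks and also create or empower identities."""
    stack = allowed(policy, STACK)
    # CloudFormation acts with the caller's permissions unless a service role is
    # passed, so either direct IAM rights or iam:PassRole completes the path.
    identity = allowed(policy, IDENTITY) + allowed(policy, PASS_ROLE)
    return {"stack": stack, "identity": identity, "risky": bool(stack and identity)}


# Constructed policies for illustration.
PERMISSIVE = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["cloudformation:*", "iam:*"], "Resource": "*"}]}
SCOPED = {"Version": "2012-10-17", "Statement": {
    "Effect": "Allow", "Action": "cloudformation:DescribeStacks", "Resource": "*"}}

if __name__ == "__main__":
    for name, doc in (("permissive", PERMISSIVE), ("scoped", SCOPED)):
        print(name, audit(doc))
```

A role flagged here still needs a full evaluation of its Deny statements, resource scoping and permission boundaries before it is judged exploitable.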

With absolute administrative control, the attackers did what any malicious operator at that level could: they listed and exfiltrated objects from S3 buckets, terminated production instances in EC2 and RDS, and decrypted application keys that protected other assets. In a final phase of operational humiliation, this coincided with changes in the development ecosystem: they renamed internal repositories and made them public, leaving evidence of the compromise and widening the reputational and operational damage.

There is an additional layer relevant to this incident: the use of artificial intelligence agents as an operational tool. The QUIETVAULT stealer, in addition to collecting secrets, took advantage of an LLM assistant present on endpoints to locate credentials and data using natural-language instructions, which points to a new mode of supply chain abuse where malicious actions are expressed as prompts rather than as coded callbacks. Specialized firms, such as Socket, have warned that assistants integrated into the developer's workflow expand the attack surface and complicate traditional detection.

The technical recommendations emerging from the research cover both the development phase and the management of identities and access in the cloud. It is critical to restrict post-install scripts or run packages in isolated environments, to strictly apply the principle of least privilege to accounts and roles that interact with CI/CD, and to avoid standing privileges for tasks that do not require them, such as the creation of administrative roles. It is also advisable to use more granular and short-lived PATs, to monitor for unusual patterns in IAM activity, and to strengthen monitoring to detect signs of AI agents acting on development systems.
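One way to monitor for the IAM pattern in this incident, as an added example that is not from the original article: it scans CloudTrail-style records for an AdministratorAccess attachment made by a role that was assumed through GitHub's OIDC provider. The records are constructed, trimmed to the fields the check reads, and use placeholder account IDs and names.

```python
ADMIN_ARN = "arn:aws:iam::aws:policy/AdministratorAccess"
GITHUB_OIDC = "token.actions.githubusercontent.com"
ATTACH = {"AttachUserPolicy", "AttachRolePolicy"}


def find_admin_grants(events):
    """Flag AdministratorAccess attachments made by roles assumed via GitHub OIDC."""
    oidc_roles, alerts = set(), []
    for ev in sorted(events, key=lambda e: e["eventTime"]):
        ident = ev.get("userIdentity", {})
        params = ev.get("requestParameters") or {}
        if (ev["eventName"] == "AssumeRoleWithWebIdentity"
                and GITHUB_OIDC in ident.get("identityProvider", "")):
            oidc_roles.add(params.get("roleArn"))  # remember the federated role
            continue
        issuer = ident.get("sessionContext", {}).get("sessionIssuer", {}).get("arn")
        if (ev["eventName"] in ATTACH and issuer in oidc_roles
                and params.get("policyArn") == ADMIN_ARN):
            alerts.append({
                "time": ev["eventTime"], "role": issuer,
                "target": params.get("userName") or params.get("roleName"),
                # True when CloudFormation made the IAM call for the session
                "via_cloudformation": ident.get("invokedBy") == "cloudformation.amazonaws.com",
            })
    return alerts


# Constructed sample records (placeholder account ID, names and timestamps).
ROLE = "arn:aws:iam::111122223333:role/gha-deploy"
OIDC = {"type": "WebIdentityUser",
        "identityProvider": "arn:aws:iam::111122223333:oidc-provider/" + GITHUB_OIDC}
SESSION = {"type": "AssumedRole", "sessionContext": {"sessionIssuer": {"arn": ROLE}}}
HUMAN = {"type": "AssumedRole", "sessionContext": {
    "sessionIssuer": {"arn": "arn:aws:iam::111122223333:role/sso-admin"}}}
SAMPLE = [
    {"eventTime": "2025-01-01T10:00:00Z", "eventName": "AssumeRoleWithWebIdentity",
     "userIdentity": OIDC, "requestParameters": {"roleArn": ROLE}},
    {"eventTime": "2025-01-01T10:02:00Z", "eventName": "CreateStack",
     "userIdentity": SESSION, "requestParameters": {"stackName": "example-stack"}},
    {"eventTime": "2025-01-01T10:03:00Z", "eventName": "AttachUserPolicy",
     "userIdentity": dict(SESSION, invokedBy="cloudformation.amazonaws.com"),
     "requestParameters": {"userName": "example-user", "policyArn": ADMIN_ARN}},
    {"eventTime": "2025-01-01T11:00:00Z", "eventName": "AttachRolePolicy",
     "userIdentity": HUMAN, "requestParameters": {"roleName": "breakglass", "policyArn": ADMIN_ARN}},
]

if __name__ == "__main__":
    for alert in find_admin_grants(SAMPLE):
        print(alert)
```

The last sample record is an administrator attachment by a role that was not federated from GitHub, so it is left for other rules and not reported here.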

Beyond the specific measures, the case illustrates a structural lesson: modern supply chains are a force multiplier. A popular package with a malicious update can turn a local compromise into a large-scale intrusion if the trust relationships between tools (editors, extensions, registries, pipelines and clouds) are not properly constrained. Organizations must rethink not only cloud security policies, but also how development tools are integrated and trusted in distributed environments.

For those who want to go deeper into the technical details and mitigations, the reports and analyses mentioned above offer guidance and additional context: Google's report on cloud threats, the technical write-ups on Pwn Requests from Praetorian and SonarSource, and Socket's work on the use of AI agents and the risks in extensions. Monitoring on both fronts, the supply chain and cloud identity control, is now an operational and governance priority for any organization that depends on third-party software and automated pipelines.