Victim organization's AWS environment hit by data theft breach
Incident
Summary
Hide ▲
Show ▼
UNC6426 breached a victim organization's AWS environment and escalated to administrator access in less than 72 hours, creating immediate risk of data theft and destructive actions. The actor abused GitHub-to-AWS OIDC trust after a stolen GitHub token opened the initial path into cloud access. The compromise expanded to S3 file exfiltration, production damage, and public exposure of internal repositories.
Related Happenings
Google Cloud Vertex AI SDK Python predictable bucket squatting security flaw
Vulnerability
H score1
First: 16.06.2026 22:05
Last: 16.06.2026 22:05
Sources 1
About this happening:
**Google Cloud Vertex AI SDK for Python** had a **predictable temporary bucket** flaw that let an attacker hijack model uploads and reach **code execution** inside Google's servin...
Google Cloud Vertex AI SDK Python predictable bucket squatting security flaw
VulnerabilityAbout this happening: **Google Cloud Vertex AI SDK for Python** had a **predictable temporary bucket** flaw that let an attacker hijack model uploads and reach **code execution** inside Google's servin...
Google Cloud Platform API key revocation testing finds minutes-long post-deletion authentication
Technical Analysis
H score16
First: 21.05.2026 23:07
Last: 21.05.2026 23:07
Sources 1
About this happening:
Testing showed **deleted Google Cloud Platform API keys** could still authenticate for **minutes after revocation**, creating a post-deletion abuse window that weakens **incident...
Google Cloud Platform API key revocation testing finds minutes-long post-deletion authentication
Technical AnalysisAbout this happening: Testing showed **deleted Google Cloud Platform API keys** could still authenticate for **minutes after revocation**, creating a post-deletion abuse window that weakens **incident...
Actions-cool/issues-helper hit by network compromise
Incident
H score45
First: 19.05.2026 08:28
Last: 19.05.2026 08:28
Sources 1
About this happening:
The **actions-cool/issues-helper** GitHub Actions supply-chain compromise let malicious tags run in **CI/CD pipelines**, causing **credential theft** and downstream account risk....
Actions-cool/issues-helper hit by network compromise
IncidentAbout this happening: The **actions-cool/issues-helper** GitHub Actions supply-chain compromise let malicious tags run in **CI/CD pipelines**, causing **credential theft** and downstream account risk....
CISA contractor GitHub repository exposed internal credentials
Data Leak
H score28
First: 18.05.2026 23:48
Last: 18.05.2026 23:48
Sources 1
About this happening:
A **CISA contractor** left a public **GitHub repository** exposing **AWS GovCloud credentials** and internal access material, creating a serious **data leak** involving sensitive...
CISA contractor GitHub repository exposed internal credentials
Data LeakAbout this happening: A **CISA contractor** left a public **GitHub repository** exposing **AWS GovCloud credentials** and internal access material, creating a serious **data leak** involving sensitive...
Latest development: 22.05.2026 19:34
On May 19, Sen. Maggie Hassan and Rep. Bennie Thompson, with Rep. Delia Ramirez co-signing Thompson’s letter, sent separate letters to CISA demanding answers about the Private-CISA GitHub leak and warning that the credential exposure raised serious concerns about CISA’s internal policies, contract support, and security culture.
Trivy environment credentials leak
Data Leak
H score37
First: 21.03.2026 19:30
Last: 21.03.2026 19:30
Sources 1
About this happening:
The **Trivy** environment credentials leak exposed stolen authentication secrets and helped enable a later compromise, raising the risk of follow-on abuse. The credentials came fr...
Trivy environment credentials leak
Data LeakAbout this happening: The **Trivy** environment credentials leak exposed stolen authentication secrets and helped enable a later compromise, raising the risk of follow-on abuse. The credentials came fr...
Timeline
-
11.03.2026 09:31 2 articles · 4mo ago
Google discloses UNC6426 AWS compromise of the victim organization
Initial DisclosureGoogle's Cloud Threat Horizons Report for H1 2026 says UNC6426 used keys stolen after the nx npm package supply-chain compromise to move from a stolen GitHub token to full AWS administrator permissions in less than 72 hours, abuse GitHub-to-AWS OpenID Connect (OIDC) trust, create a new administrator role in the victim organization's cloud environment, exfiltrate files from Amazon Web Services (AWS) Simple Storage Service (S3) buckets, perform data destruction in production cloud environments, terminate production Elastic Compute Cloud (EC2) and Relational Database Service (RDS) instances, and rename the victim's internal GitHub repositories to public /s1ngularity-repository-[randomcharacters] names.
Show sources
- UNC6426 Exploits nx npm Supply-Chain Attack to Gain AWS Admin Access in 72 Hours — thehackernews.com — 11.03.2026 09:31
- UNC6426 Exploits nx npm Supply-Chain Attack to Gain AWS Admin Access in 72 Hours — thehackernews.com — 11.03.2026 09:31