Find notable cyber news and cases, enriched with sources, timelines, and signals.

Victim organization's AWS environment hit by data theft breach

Incident
First reported
Last updated
Happening score
H score 36
1 unique sources, 1 articles

Summary

Hide ▲

UNC6426 breached a victim organization's AWS environment and escalated to administrator access in less than 72 hours, creating immediate risk of data theft and destructive actions. The actor abused GitHub-to-AWS OIDC trust after a stolen GitHub token opened the initial path into cloud access. The compromise expanded to S3 file exfiltration, production damage, and public exposure of internal repositories.

Related Happenings

Google Cloud Vertex AI SDK Python predictable bucket squatting security flaw

Vulnerability
H score1 First: 16.06.2026 22:05 Last: 16.06.2026 22:05 Sources 1

About this happening: **Google Cloud Vertex AI SDK for Python** had a **predictable temporary bucket** flaw that let an attacker hijack model uploads and reach **code execution** inside Google's servin...

Google Cloud Platform API key revocation testing finds minutes-long post-deletion authentication

Technical Analysis
H score16 First: 21.05.2026 23:07 Last: 21.05.2026 23:07 Sources 1

About this happening: Testing showed **deleted Google Cloud Platform API keys** could still authenticate for **minutes after revocation**, creating a post-deletion abuse window that weakens **incident...

Actions-cool/issues-helper hit by network compromise

Incident
H score45 First: 19.05.2026 08:28 Last: 19.05.2026 08:28 Sources 1

About this happening: The **actions-cool/issues-helper** GitHub Actions supply-chain compromise let malicious tags run in **CI/CD pipelines**, causing **credential theft** and downstream account risk....

CISA contractor GitHub repository exposed internal credentials

Data Leak
H score28 First: 18.05.2026 23:48 Last: 18.05.2026 23:48 Sources 1

About this happening: A **CISA contractor** left a public **GitHub repository** exposing **AWS GovCloud credentials** and internal access material, creating a serious **data leak** involving sensitive...

Latest development: 22.05.2026 19:34

On May 19, Sen. Maggie Hassan and Rep. Bennie Thompson, with Rep. Delia Ramirez co-signing Thompson’s letter, sent separate letters to CISA demanding answers about the Private-CISA GitHub leak and warning that the credential exposure raised serious concerns about CISA’s internal policies, contract support, and security culture.

Trivy environment credentials leak

Data Leak
H score37 First: 21.03.2026 19:30 Last: 21.03.2026 19:30 Sources 1

About this happening: The **Trivy** environment credentials leak exposed stolen authentication secrets and helped enable a later compromise, raising the risk of follow-on abuse. The credentials came fr...

Timeline

  1. 11.03.2026 09:31 2 articles · 4mo ago

    Google discloses UNC6426 AWS compromise of the victim organization

    Initial Disclosure

    Google's Cloud Threat Horizons Report for H1 2026 says UNC6426 used keys stolen after the nx npm package supply-chain compromise to move from a stolen GitHub token to full AWS administrator permissions in less than 72 hours, abuse GitHub-to-AWS OpenID Connect (OIDC) trust, create a new administrator role in the victim organization's cloud environment, exfiltrate files from Amazon Web Services (AWS) Simple Storage Service (S3) buckets, perform data destruction in production cloud environments, terminate production Elastic Compute Cloud (EC2) and Relational Database Service (RDS) instances, and rename the victim's internal GitHub repositories to public /s1ngularity-repository-[randomcharacters] names.

    Show sources