Victim organization's AWS environment hit by data theft breach
Incident
Summary
UNC6426 breached a victim organization's AWS environment and escalated to administrator access in less than 72 hours, creating immediate risk of data theft and destructive actions. The actor abused GitHub-to-AWS OIDC trust after a stolen GitHub token opened the initial path into cloud access. The compromise expanded to S3 file exfiltration, production damage, and public exposure of internal repositories.
Related Happenings
Google Cloud Platform API key revocation testing finds minutes-long post-deletion authentication
Technical Analysis
First: 21.05.2026 23:07
Last: 21.05.2026 23:07
Sources 1
About this happening:
Testing showed **deleted Google Cloud Platform API keys** could still authenticate for **minutes after revocation**, creating a post-deletion abuse window that weakens **incident...
Actions-cool/issues-helper hit by network compromise
Incident
First: 19.05.2026 08:28
Last: 19.05.2026 08:28
Sources 1
About this happening:
The **actions-cool/issues-helper** GitHub Actions supply-chain compromise let malicious tags run in **CI/CD pipelines**, causing **credential theft** and downstream account risk....
CISA contractor GitHub repository exposed internal credentials
Data Leak
First: 18.05.2026 23:48
Last: 18.05.2026 23:48
Sources 1
About this happening:
A **CISA contractor** left a public **GitHub repository** exposing **AWS GovCloud credentials** and internal access material, creating a serious **data leak** involving sensitive...
Latest development: 22.05.2026 19:34
On May 19, Sen. Maggie Hassan and Rep. Bennie Thompson, with Rep. Delia Ramirez co-signing Thompson’s letter, sent separate letters to CISA demanding answers about the Private-CISA GitHub leak and warning that the credential exposure raised serious concerns about CISA’s internal policies, contract support, and security culture.
Trivy environment credentials leak
Data Leak
First: 21.03.2026 19:30
Last: 21.03.2026 19:30
Sources 1
About this happening:
The **Trivy** environment credentials leak exposed stolen authentication secrets and helped enable a later compromise, raising the risk of follow-on abuse. The credentials came fr...
Aqua Security hit by data theft breach
Incident
First: 20.03.2026 19:47
Last: 20.03.2026 19:47
Sources 1
About this happening:
The **Aqua Security Trivy** incident involved a **supply-chain compromise** that delivered a **credential-stealing infostealer** through trusted releases and **GitHub Actions**. A...
Latest development: 23.03.2026 10:31
TeamPCP broadened the Trivy supply-chain compromise by pushing trojanized Docker Hub images for Trivy 0.69.4, 0.69.5, and 0.69.6 on March 22, 2026, then defacing all 44 internal repositories in Aqua Security's aquasec-com GitHub organization by renaming them with the tpcp-docs- prefix, setting descriptions to "TeamPCP Owns Aqua Security," and exposing them publicly.
Timeline
- 11.03.2026 09:31 · 2 articles
Google discloses UNC6426 AWS compromise of the victim organization
Initial Disclosure: Google's Cloud Threat Horizons Report for H1 2026 says UNC6426 used keys stolen after the nx npm package supply-chain compromise to move from a stolen GitHub token to full AWS administrator permissions in less than 72 hours. According to the report, the actor abused GitHub-to-AWS OpenID Connect (OIDC) trust, created a new administrator role in the victim organization's cloud environment, exfiltrated files from Amazon Web Services (AWS) Simple Storage Service (S3) buckets, destroyed data in production cloud environments, terminated production Elastic Compute Cloud (EC2) and Relational Database Service (RDS) instances, and renamed the victim's internal GitHub repositories to public /s1ngularity-repository-[randomcharacters] names.
Sources:
- UNC6426 Exploits nx npm Supply-Chain Attack to Gain AWS Admin Access in 72 Hours — thehackernews.com — 11.03.2026 09:31