UNC6426 (Threat Actor)

SYMBOL	COMMON_NAME	aka. SYNONYMS

UNC6426 (Back to overview)

UNC6426 exploited a supply chain compromise of the nx npm package to steal a developer's GitHub Personal Access Token and gain access to a victim's cloud environment. They abused the GitHub-to-AWS OpenID Connect trust to create a new administrator role, leveraging overly permissive permissions associated with the compromised GitHub-Actions-CloudFormation role. Using the legitimate open-source tool Nord Stream, UNC6426 conducted reconnaissance and extracted secrets from CI/CD environments, leading to the exfiltration of files from AWS S3 buckets and data destruction. The actor escalated to full AWS administrator permissions in under 72 hours.

Associated Families

There are currently no families associated with this actor.

References

2026-02-25 ⋅ Google ⋅ 0verfl0w_, Anton Chuvakin, Bob Mechler, Crystal Lister, Eduardo Mattos, Google, Jason Bisson, Joachim Metz, John Stone, Jorge Blanco, Keith Lunden, Lia Wertheimer, Matthew Siuda, Michael Robinson, Muhammad Muneer, Noah McDonald, Ollie Green, Seth Rosenblatt
Cloud Threat Horizons Report: H1 2026
UNC6426

Credits: MISP Project