⛓ Supply Chain
UNC6426 nx npm Supply Chain → AWS Admin Takeover (72 Hours)
Incident Details
In March 2026, UNC6426 demonstrated a sophisticated attack chain converting a stolen developer GitHub Personal Access Token (from the 2025 nx npm supply chain compromise) into full AWS administrator access within 72 hours. The threat actor used the Nord Stream tool to extract secrets from CI/CD environments, then abused the GitHub-to-AWS OIDC trust relationship to generate temporary AWS STS tokens for the victim’s ‘Actions-CloudFormation’ IAM role. UNC6426 then created a new IAM role with AdministratorAccess attached. With full AWS admin access, the attacker enumerated and accessed S3 buckets, terminated production EC2 and RDS instances, decrypted application keys, renamed all victim GitHub repositories to ‘/s1ngularity-repository-[randomchars]’ and made them public. The incident illustrates how OIDC trust chain abuse can amplify the impact of npm supply chain credential theft far beyond the original package compromise.
Technical Details
- Initial Attack Vector: UNC6426 leveraged credentials (a GitHub Personal Access Token) stolen during the 2025 nx npm package supply chain compromise to abuse GitHub-to-AWS OpenID Connect (OIDC) trust, escalating from a developer PAT to full AWS AdministratorAccess within 72 hours
- Vendor / Product: nx (npm build tool); AWS; GitHub Actions OIDC
- Software Package: nx
- Supply Chain Attack: ✅ Confirmed third-party / vendor compromise
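The pivot described above works only if the IAM role's trust policy accepts any GitHub OIDC token rather than one bound to a specific repository and branch. The following audit script is an added example, not code from the incident write-up or from AWS; the account id, organisation and repository names are constructed, and the checks are a heuristic for the two conditions (`aud` and `sub`) that decide which workflow identities may assume a role.

```python
# Added example (not from the incident write-up): audit an IAM role trust policy for
# GitHub Actions OIDC federation. Account id, role and repo names are constructed.
GITHUB_OIDC = "token.actions.githubusercontent.com"


def audit_github_oidc_trust(policy: dict, allowed_subs: set) -> list:
    """Return findings for each statement that trusts the GitHub OIDC provider.

    An empty list means only the workflow identities in `allowed_subs` can
    assume the role, and only with the audience pinned to STS.
    """
    findings = []
    for stmt in policy.get("Statement", []):
        principal = stmt.get("Principal", {})
        federated = principal.get("Federated", "") if isinstance(principal, dict) else ""
        if stmt.get("Effect") != "Allow" or GITHUB_OIDC not in federated:
            continue
        cond = stmt.get("Condition", {})
        if cond.get("StringEquals", {}).get(GITHUB_OIDC + ":aud") != "sts.amazonaws.com":
            findings.append("aud is not pinned to sts.amazonaws.com")
        subs = []
        for op in ("StringEquals", "StringLike"):
            val = cond.get(op, {}).get(GITHUB_OIDC + ":sub")
            if val is not None:
                subs.extend(val if isinstance(val, list) else [val])
        if not subs:  # the weakness that lets any repo's workflow assume the role
            findings.append("no sub condition: any GitHub OIDC token is accepted")
        for sub in subs:
            if "*" in sub:
                findings.append(f"wildcard sub {sub!r} admits more than one workflow identity")
            elif sub not in allowed_subs:
                findings.append(f"sub {sub!r} is not an approved workflow identity")
    return findings


PROVIDER = {"Federated": "arn:aws:iam::123456789012:oidc-provider/" + GITHUB_OIDC}
AUD_ONLY = {"StringEquals": {GITHUB_OIDC + ":aud": "sts.amazonaws.com"}}
# Weak: audience only. A workflow in any GitHub repo can obtain a token that passes it.
WEAK_TRUST = {"Version": "2012-10-17", "Statement": [{"Effect": "Allow", "Principal": PROVIDER,
    "Action": "sts:AssumeRoleWithWebIdentity", "Condition": AUD_ONLY}]}
# Fixed: audience plus an exact sub, so only the main branch of one repo is trusted.
EXPECTED_SUBS = {"repo:example-org/infra:ref:refs/heads/main"}
FIXED_TRUST = {"Version": "2012-10-17", "Statement": [{"Effect": "Allow", "Principal": PROVIDER,
    "Action": "sts:AssumeRoleWithWebIdentity", "Condition": {"StringEquals":
    {**AUD_ONLY["StringEquals"], GITHUB_OIDC + ":sub": next(iter(EXPECTED_SUBS))}}}]}

if __name__ == "__main__":
    for name, pol in (("weak", WEAK_TRUST), ("fixed", FIXED_TRUST)):
        print(name, audit_github_oidc_trust(pol, EXPECTED_SUBS) or "OK")
```

An exact `sub` still has to be paired with branch protection on that ref, since anyone who can push to the trusted branch can run a workflow that assumes the role.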
Timeline
- 2026-03-01 Breach occurred
- 2026-03-11 Publicly disclosed