
The CI/CD Kill Chain: From npm Install to Cloud Admin in 72 Hours

A single compromised npm package gave attackers AWS admin access in three days. The deployment pipeline that makes modern frameworks possible is the attack surface nobody secured.


72 Hours: The nx Incident

In March 2026, threat group UNC6426 exploited a compromised nx npm package to steal a developer's GitHub token. From that single credential, they pivoted through the organization's GitHub Actions workflows, abused OIDC trust relationships, and achieved full AWS administrator access. Total elapsed time: 72 hours.

This is the CI/CD kill chain. It starts with a compromised package. It ends with infrastructure takeover. Every step in between exploits the automation that modern web development depends on.

The Kill Chain, Step by Step

Step 1: A compromised npm package executes malicious code during install — either via a preinstall hook or via a 157-byte binding.gyp file that triggers native module compilation. The binding.gyp route bypasses most install-script security checks.

Step 2: The malicious code harvests environment variables. On a CI/CD runner — the primary target — it captures everything the pipeline has access to: GitHub tokens, npm tokens, cloud credentials, SSH keys.

Step 3: Stolen GitHub tokens access repositories, read secrets stored in GitHub Actions, and modify workflow files. The attacker is inside the deployment pipeline.

Step 4: GitHub Actions workflows often have OIDC trust relationships with cloud providers — AWS, GCP, Azure. These are designed to let pipelines deploy without long-lived credentials. The attacker abuses them to assume cloud IAM roles.

Step 5: Cloud admin. Data exfiltration, crypto mining, ransomware, persistent backdoors — the playbook is wide open.
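
A defender-side check for Step 1, added here as an example (it is not code from the incident analysis or from nx): it walks a node_modules tree and reports every package that would run code during install, either through a declared hook or through a bare binding.gyp. The package names and the temporary tree it builds are constructed sample data.

```javascript
const fs = require("fs");
const os = require("os");
const path = require("path");
const HOOKS = ["preinstall", "install", "postinstall"];

// Report why a package directory would execute code during `npm install`.
function installTriggers(pkgDir) {
  let manifest;
  try { manifest = JSON.parse(fs.readFileSync(path.join(pkgDir, "package.json"), "utf8")); }
  catch { return null; } // no readable manifest: not a package root
  const scripts = manifest?.scripts ?? {};
  const reasons = HOOKS.filter((h) => typeof scripts[h] === "string").map((h) => `script:${h}`);
  // With binding.gyp and no install/preinstall script, npm runs `node-gyp rebuild`
  // by default, so code runs although package.json declares no hook.
  const hasGyp = fs.existsSync(path.join(pkgDir, "binding.gyp"));
  if (hasGyp && !scripts.install && !scripts.preinstall) reasons.push("implicit:binding.gyp");
  return reasons.length ? { name: manifest?.name || path.basename(pkgDir), reasons } : null;
}

// Walk a node_modules tree, including @scope folders and nested node_modules.
function scanNodeModules(root, findings = []) {
  if (!fs.existsSync(root)) return findings;
  for (const entry of fs.readdirSync(root, { withFileTypes: true })) {
    if (!entry.isDirectory() || entry.name.startsWith(".")) continue;
    const dir = path.join(root, entry.name);
    if (entry.name.startsWith("@")) { scanNodeModules(dir, findings); continue; }
    const hit = installTriggers(dir);
    if (hit) findings.push(hit);
    scanNodeModules(path.join(dir, "node_modules"), findings);
  }
  return findings;
}

// Constructed sample tree (hypothetical package names) so the scan runs offline.
function buildSampleTree() {
  const nm = path.join(fs.mkdtempSync(path.join(os.tmpdir(), "nm-audit-")), "node_modules");
  const mk = (rel, manifest, gyp) => {
    const dir = path.join(nm, rel);
    fs.mkdirSync(dir, { recursive: true });
    fs.writeFileSync(path.join(dir, "package.json"), JSON.stringify(manifest));
    if (gyp) fs.writeFileSync(path.join(dir, "binding.gyp"), '{"targets":[]}');
  };
  mk("plain-lib", { name: "plain-lib" });
  mk("hooked-lib", { name: "hooked-lib", scripts: { preinstall: "node setup.js" } });
  mk("@scope/gyp-only", { name: "@scope/gyp-only" }, true);
  return nm;
}

console.log(JSON.stringify(scanNodeModules(process.argv[2] || buildSampleTree())));
```

Run it against a tree populated with `npm ci --ignore-scripts`, so nothing has executed yet, and review each reported package before allowing its scripts on a CI runner.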

72 hours: time from npm install to AWS admin. Source: UNC6426/nx incident analysis, March 2026.

5,561: GitHub repositories hit by the Megalodon campaign. Source: Megalodon incident report, May 2026. 5,718 malicious commits across 5,561 repositories.

Why Modern Frameworks Are Uniquely Exposed

WordPress sites typically deploy by uploading PHP files to a shared host or running a one-click installer. There is no CI/CD pipeline. No GitHub Actions workflow. No OIDC trust relationship with a cloud provider. The deployment model is primitive — and that primitiveness is, in this specific context, a security advantage.

Modern framework deployments — Next.js on Vercel, Astro on Netlify, React apps on AWS — run through automated pipelines. npm install runs on every build. GitHub Actions orchestrate the deployment. Cloud credentials flow through the pipeline. Every one of these conveniences is a link in the kill chain.

The Infrastructure Your Framework Requires

Framework choice determines infrastructure requirements. Infrastructure requirements determine attack surface. A Hugo site can be built locally and uploaded as static files — zero pipeline exposure. A Next.js application typically requires npm install in CI, environment secrets for API keys, and cloud deployment automation. The framework's power comes with infrastructure that must be defended.

This is not an argument against CI/CD — automated deployment is essential. It is an argument that the pipeline is a first-class security boundary. Most organizations secure their production servers. Far fewer secure their build pipelines with the same rigor. In 2026, the build pipeline is where the breach starts.
