Eight types of dangerous NHI credentials. One framework to find, classify, and eliminate them all. The complete NHI Kill Chain series summary with Cyber Kill Chain and MITRE ATT&CK mapping.
On April 22, 2026, the official @bitwarden/cli@2026.4.0 npm package was malicious for ~90 minutes. A self-propagating worm exfiltrated AWS, Azure, GCP, GitHub, npm, SSH, and AI tooling credentials from CI runners. Vaults stayed safe. CI tokens did not. Timeline, NHI kill-chain mapping, and a 10-minute checklist to know whether you were affected.
Vercel confirmed an unauthorized-access incident on April 19, 2026 that started in a third-party AI tool, pivoted through Google Workspace, and reached environment variables in a subset of customer projects. The exposure surface is every env var that was not marked sensitive. Here is what is confirmed, what is noise, and what to rotate first.
A new CISO ordered a full NHI audit. The result: 3,400 active credentials, 60% with no identifiable owner. Can't revoke them, can't rotate them, can't assign responsibility.
A PostgreSQL master password drifted across seven platform types — from Secrets Manager to GitHub, Jenkins, Docker Hub, Jira, Confluence, and Slack. Each security tool saw its own silo. None saw the full picture.
An organization's core credentials sat in public repositories for years. The security industry's answer: "Out of scope."
Secret scanning alert: Resolved. Credential status: Active. Deleting a secret from code is not the same as revoking it. Inside the Zombie Key kill chain.
A single Stripe API key was copied to 14 locations over three years. When a QA repo went public, the key was exposed — and revoking it meant breaking 14 services simultaneously.
A single AWS key, never rotated for 3 years, spread across 7 systems. When a supply chain attack hit a Terraform CI plugin, the key gave attackers full infrastructure access. Inside the Aged Key kill chain and how to defend against long-lived credentials.
A single production outage left credentials in six non-code platforms — Slack, Jira, Confluence, Sentry, Datadog, and PagerDuty. Your secret scanner found none of them. Inside the Shadow Key kill chain.
A departed developer's AWS key stayed active for 92 days. When an infostealer hit their personal laptop, the key was sold on the dark web. Inside the Ghost Key kill chain and how to defend against orphaned credentials.
Aqua Security's Trivy was compromised by TeamPCP, cascading into LiteLLM. A 7-phase Cyber Kill Chain and MITRE ATT&CK analysis of how incomplete credential rotation turned a single breach into a five-ecosystem catastrophe.
A .env file pushed to a public GitHub repo is found by attacker bots in 4 minutes. We map the full kill chain — from credential exposure to infrastructure compromise and show how to detect and respond before the damage is done.
A prompt injection in a GitHub Issue title hijacked Cline's AI triage bot, stole npm tokens, and silently installed a rogue AI agent on 4,000 developer machines. The era of AI-installing-AI supply chain attacks has arrived.
The 2025 Cybersecurity Landscape: Download the Full Report
OWASP NHI5:2025 - Overprivileged NHI In-Depth Analysis and Management
Beyond Lifecycle Management: Why Continuous Secret Detection is Non-Negotiable for NHI Security
OWASP NHI4:2025 Insecure Authentication Deep Dive Introduction: The Era of Non-Human Identities Beyond Humans
Model Context Protocol (MCP) and Agent-to-Agent (A2A) communication are redrawing the NHI security boundary. What changes when AI agents become first-class identities in your infrastructure.
Human vs. Non-Human Identity: The Key Differentiators
Wake-Up Call: tj-actions/changed-files Compromised NHIs
Behind the Code: Best Practices for Identifying Hidden Secrets
OWASP NHI1:2025 Improper Offboarding- A Comprehensive Overview
Stop the Sprawl: Introducing Cremit’s AWS S3 Non-Human Identity Detection
Build vs. Buy: Making the Right Choice for Secrets Detection
Bybit Hack Analysis: Strengthening Crypto Exchange Security
OWASP NHI2:2025 Secret Leakage – Understanding and Mitigating the Risks
OWASP NHI3:2025 - Vulnerable Third-Party NHI
6 Essential Practices for Protecting Non-Human Identities
Introducing Probe! Cremit's New Detection Engine
OWASP NHI Top 10 names the machine-credential risks most teams still do not track. Here is what each threat means, and how each maps to real controls you can deploy.
Customer Interview: Insights from ENlighten
Secret Sprawl and Non-Human Identities: The Growing Security Challenge