A supply-chain pattern where stolen credentials, not just malicious code, drive expansion into new environments. The attacker reuses tokens, keys, and secrets to move across ecosystems, which makes identity controls as important as package scanning.
Expanded Definition
Credential-centric propagation describes a supply-chain attack pattern in which stolen or exposed non-human credentials become the payload for expansion. The attacker does not need to rely only on malware persistence or exploit chaining; reused API keys, tokens, certificates, and cloud secrets provide direct authenticated access into adjacent environments. This is why NHI security treats identity as part of the supply chain, not just an access layer.
In practice, the term covers lateral movement across build systems, CI/CD runners, cloud accounts, SaaS tenants, and AI tool integrations when the same secret can be replayed elsewhere. Guidance varies across vendors on how broad the label should be, but the operational meaning is consistent: once a credential is valid in more than one place, compromise can propagate faster than code scanning can react. The OWASP Non-Human Identity Top 10 and NIST SP 800-63 Digital Identity Guidelines help frame why authenticator strength, lifecycle control, and replay resistance matter even when the identity is a workload, service, or agent.
The most common misapplication is treating credential reuse as a secret-management issue alone, which occurs when teams rotate one leaked secret but leave the same trust pattern intact across environments.
Examples and Use Cases
Implementing defences against credential-centric propagation rigorously often introduces friction in automation, requiring organisations to weigh fast machine-to-machine access against tighter issuance, rotation, and audience scoping.
- A GitHub Action leaks a cloud token, and the attacker uses that token to query storage, deploy new workloads, and harvest more secrets from the CI environment.
- A stolen service account key from one Kubernetes cluster is accepted by a second cluster because both trust the same signing path or shared secret store.
- An AI agent integration exposes an API token, allowing the attacker to pivot into downstream SaaS tools, ticketing systems, or data platforms with the agent’s permissions.
- A compromised build runner reuses the same secrets that developers also use in staging, letting the attacker move from source control into test and pre-production systems.
- Secret sprawl in a hybrid estate allows one exposed token to cross cloud boundaries, which is why NHIMG highlights the Guide to the Secret Sprawl Challenge and the 2024 Non-Human Identity Security Report reports that 35.6% of organisations struggle most with consistent access across hybrid and multi-cloud environments.
For supply-chain abuse examples, the Reviewdog GitHub Action supply chain attack shows how one weakness can expose many credentials, while the OWASP Non-Human Identity Top 10 provides a useful lens for classifying the failure mode.
Why It Matters in NHI Security
Credential-centric propagation turns one secret exposure into an expansion event. When the same token is trusted in multiple places, attackers can move quietly through cloud accounts, pipelines, and agents without dropping new malware. That is why NHI governance must focus on secret uniqueness, audience restriction, ephemeral issuance, and detection of replay across environments, not just on package integrity.
NHIMG research shows how immature many programs still are: 88.5% of organisations say their non-human IAM practices lag behind or merely match their human IAM efforts, and only 19.6% express strong confidence in securely managing workload identities in the 2024 Non-Human Identity Security Report. Those gaps matter because credential reuse can convert a single compromise into a broad estate-wide incident, especially where secrets are shared insecurely or left valid for too long.
Practitioners should also watch for incident timelines rather than assumptions. In the LLMjacking: How Attackers Hijack AI Using Compromised NHIs report, exposed AWS credentials drew attacker attempts in an average of 17 minutes, showing how rapidly propagation begins once a secret escapes containment. Organ organisations typically encounter credential-centric propagation only after a repository leak, pipeline compromise, or cloud alert, at which point identity containment becomes operationally unavoidable to address.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST SP 800-63 and NIST CSF 2.0 set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-02 | Covers secret exposure, reuse, and overbroad trust in non-human identities. |
| NIST SP 800-63 | AAL2 | Authenticator strength and replay resistance inform workload credential handling. |
| NIST CSF 2.0 | PR.AC-1 | Identity and credential management are central to controlling unauthorized propagation. |
Eliminate shared secrets, scope credentials tightly, and rotate exposed non-human credentials immediately.