Subscribe to the Non-Human & AI Identity Journal

Who is accountable when a stolen publishing token is used to spread malware?

Accountability sits with the team that owns the publishing identity, the platform that governs distribution, and the security function that defines revocation and monitoring requirements. In practice, governance must cover the full lifecycle of the token, from issuance to offboarding, because stale publishing access becomes an attack primitive once compromise occurs.

Why This Matters for Security Teams

A stolen publishing token is not just an access problem. It is a trust problem across software delivery, content distribution, and incident response. When an attacker uses a valid token to publish malware, the blast radius often includes customers, downstream mirrors, and internal automation that assumes the publisher is legitimate. That makes accountability shared in practice, but not shared in the sense of “everyone owns it,” which is where many teams lose control.

The team that owns the publishing identity must define who can issue, rotate, revoke, and monitor the token. The platform team must enforce distribution safeguards, anomaly detection, and release integrity checks. Security must set the minimum control baseline and ensure revocation happens quickly enough to matter. NIST control guidance for access and auditability remains relevant here, especially NIST SP 800-53 Rev 5 Security and Privacy Controls, but the real issue is that publishing tokens are often treated as convenience credentials instead of high-risk secrets.

NHIMG’s research shows how often token exposure becomes operational, not theoretical. In the Salesloft OAuth token breach, stolen tokens enabled access that should have been blocked by stronger lifecycle governance. In practice, many security teams encounter malware publication only after the token has already been abused, rather than through intentional detection of risky publishing access.

How It Works in Practice

Accountability starts with identity ownership, but it only becomes actionable when the token lifecycle is explicit. The publishing team should be able to answer three questions at all times: who issued the token, what systems can use it, and what events revoke it. Security then defines controls for storage, rotation, scope limitation, and monitoring. Platform teams implement distribution checks so a stolen token cannot silently publish malicious artifacts without extra signals.

For mature environments, the operational model should look like this:

  • Issue the publishing token to a named workload or service account, not a shared human mailbox.
  • Scope the token to the narrowest publish action possible, with no broad admin privileges.
  • Use short TTLs and JIT renewal where the workflow allows it, because long-lived publishing secrets expand attacker dwell time.
  • Monitor for impossible travel, unusual publish timing, package name drift, and new signing or release destinations.
  • Revoke on offboarding, pipeline changes, incident escalation, or any suspected exposure in chat, tickets, or code.

This matters because secrets exposure is still routine. NHIMG’s Guide to the Secret Sprawl Challenge and the GitGuardian findings in The State of Secrets Sprawl 2026 show that valid secrets remain exploitable long after first exposure, which is why detection alone is not enough. Current guidance also aligns with CIS Controls v8 on access control, inventory, and audit logging, but there is no universal standard yet for publishing-token blast-radius reduction across all registries and pipelines.

The practical test is simple: if a stolen token can still publish from a fresh host, from an unusual geography, or after offboarding, accountability is only on paper. These controls tend to break down when tokens are embedded in CI/CD runners, chat systems, or release automation because the organisation no longer has a single place to enforce revocation.

Common Variations and Edge Cases

Tighter publishing controls often increase release friction, requiring organisations to balance delivery speed against the cost of stronger verification and shorter token lifetimes. That tradeoff is real, especially for open source maintainers, multi-tenant build systems, and partner ecosystems where multiple actors touch the same release path.

There is also no universal standard yet for how accountability is split when the compromise begins outside the publisher’s direct control. If a token is stolen from a third-party CI runner, the immediate owner of the identity still carries responsibility for its protection, but the platform operator may share accountability if it failed to enforce storage isolation or revocation hooks. If malware is signed and published through delegated automation, the owning team remains accountable for the trust it delegated, even if a contractor performed the final action.

One important edge case is multi-environment publishing. Teams often assume a dev token cannot cause production harm, but if build promotion, package mirroring, or auto-update channels are linked, a low-privilege leak can become a supply chain incident. The relevant lesson from Shai Hulud npm malware campaign is that publishing trust is only as strong as the weakest credential path. For identity governance, The 52 NHI Breaches Report reinforces the same pattern: ownership without revocation discipline leaves attackers with a valid path to abuse.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

OWASP Non-Human Identity Top 10, OWASP Agentic AI Top 10 and CSA MAESTRO address the attack and risk surface, while NIST AI RMF and NIST CSF 2.0 set the governance and control requirements practitioners need to meet.

Framework Control / Reference Relevance
OWASP Non-Human Identity Top 10 NHI-03 Token lifecycle failures make this control directly relevant.
OWASP Agentic AI Top 10 A-04 Autonomous release tooling can abuse publishing authority like an agent.
CSA MAESTRO MAESTRO-3 Publishing workflows need runtime governance and lifecycle accountability.
NIST AI RMF AI RMF helps assign governance for high-impact automated release decisions.
NIST CSF 2.0 PR.AC-4 Least privilege and access management are central to publishing-token accountability.

Define ownership, monitoring, and escalation for any automated system that can publish or distribute code.