Malware built to discover, collect, and exfiltrate credentials from hosts, tools, and metadata services rather than simply encrypting or deleting files. It often targets tokens, keys, environment files, and password stores because those artefacts can unlock multiple downstream systems with little additional effort.
Expanded Definition
credential harvesting malware is designed to locate credentials at rest and in use, then extract them for later abuse. In the NHI domain, that includes API keys, OAuth tokens, SSH material, cloud access keys, kubeconfigs, local password stores, environment files, and metadata service responses that expose workload identity context. It differs from ransomware and generic data theft because the primary objective is not immediate disruption, but durable access that can be reused across systems and automation paths.
Usage in security operations can vary. Some teams reserve the term for malware that actively searches endpoints and repositories, while others include scripts and loaders that collect secrets after initial compromise. The practical definition is therefore behavioural: if the payload is built to find and exfiltrate secrets, it fits. That framing aligns well with the OWASP Non-Human Identity Top 10, which treats secret exposure as a core NHI failure mode rather than a side effect.
The most common misapplication is treating credential harvesting malware as ordinary file-stealing malware, which occurs when defenders miss that the stolen artefacts can unlock privileged cloud and CI/CD access.
Examples and Use Cases
Implementing detection for credential harvesting rigorously often introduces more telemetry, parsing, and false-positive handling, requiring organisations to weigh faster secret discovery against additional monitoring cost.
- A workstation infection scans browser stores, shell history, and local config files for cloud credentials, then stages them for exfiltration.
- A CI/CD compromise captures pipeline variables and service account tokens, creating a path from one build system into production automation, as seen in the Reviewdog GitHub Action supply chain attack.
- A Kubernetes node compromise pulls kubeconfig files and mounted service tokens, enabling cluster-admin abuse after the initial host intrusion.
- An attacker script queries a cloud metadata service and converts the response into temporary credentials, a pattern that overlaps with the secret abuse described in the LLMjacking: How Attackers Hijack AI Using Compromised NHIs research.
- A developer endpoint infected by malware harvests Git credentials and SSH keys, then pivots into source control and deployment systems.
These behaviours are often mapped against credential and secret handling guidance in NIST SP 800-53 Rev 5 Security and Privacy Controls and the Guide to the Secret Sprawl Challenge, because secret concentration is what makes a single infection strategically valuable.
Why It Matters in NHI Security
Credential harvesting malware is especially dangerous in NHI environments because one captured secret can expose many identities at once. Service accounts, build agents, API clients, and automation bots often rely on reusable credentials with broad scope, so a single infection can cascade into cloud resources, CI/CD pipelines, and data platforms. That is why NHI security programs focus on secret minimization, rotation, scoped access, and detection of abnormal secret use.
The risk is not theoretical. In the 2024 Non-Human Identity Security Report, only 19.6% of security professionals expressed strong confidence in their organisation’s ability to securely manage non-human workload identities, and 23.7% said secrets are still shared through insecure methods such as email or messaging applications. Those conditions create ideal harvesting opportunities for malware already inside the environment.
Controls from NIST SP 800-63 Digital Identity Guidelines and CIS Controls v8 are useful complements, but they only reduce impact if secrets are short-lived, unique, and monitored for reuse. Organisations typically encounter the full severity only after an endpoint, repo, or pipeline has already been breached, at which point credential harvesting malware becomes operationally unavoidable to address.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0, NIST SP 800-63, NIST Zero Trust (SP 800-207) and NIST AI RMF set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-02 | Covers improper secret handling and exposure paths that malware targets. |
| NIST CSF 2.0 | PR.AC-1 | Addresses credential and access management needed to limit post-harvest abuse. |
| NIST SP 800-63 | AAL2 | Defines assurance expectations that highlight the weakness of reusable secrets. |
| NIST Zero Trust (SP 800-207) | Zero Trust assumes credentials can be compromised and must be continuously validated. | |
| NIST AI RMF | Highlights governance for systems whose credentials can be harvested and misused. |
Use stronger authenticator assurance and avoid long-lived reusable credentials where possible.