TL;DR: A compromised Bitwarden/CLI package, a trojanized Checkmarx KICS image, and GitHub fallback exfiltration show how CI automation, secrets, and AI coding assistants can be chained into one NHI compromise path, according to GitGuardian. The governance problem is not isolated malware but weak trust boundaries across dependencies, runner credentials, and autonomous tools.
At a glance
What this is: GitGuardian describes a supply-chain attack that pivots from a compromised npm package into CI, secrets exposure, GitHub fallback exfiltration, and AI tool probing.
Why it matters: For IAM and NHI teams, the case shows how automated dependency paths and runner privileges can turn a single compromise into broad credential abuse.
By the numbers:
- 15% of commit authors have leaked at least one secret in their contribution history.
- 38% of secrets incidents in collaboration and project management tools like Slack, Jira, and Confluence are classified as highly critical or urgent.
👉 Read GitGuardian's analysis of the Bitwarden/CLI and KICS supply-chain compromise
Context
Non-human identity risk in modern software pipelines is no longer limited to static secrets stored in a vault. When build systems, dependency updates, and autonomous coding tools all have execution authority, a single compromise can cascade across CI, source control, and downstream AI workflows.
This article uses a real attack chain to show how trusted automation becomes the attack surface. For IAM and NHI practitioners, the key issue is not just secret theft, but whether machine identities in CI are allowed to fetch, run, and propagate untrusted code with too much standing privilege.
Key questions
Q: How should security teams handle Dependabot-style automation in CI pipelines?
A: Treat automated dependency updates as privileged execution paths. Restrict what the runner can install, read, and publish, and add extra review for updates that can execute code or touch secrets. The goal is to prevent a trusted automation event from becoming an unchecked identity bridge into source control, build artefacts, and downstream release systems.
Q: Why do AI coding assistants create new NHI governance risks?
A: They create risk because they run with delegated execution authority, local context, and access to developer workflows. That makes them part of the identity perimeter, not just productivity software. If an attacker can influence the assistant environment, they can suppress prompts, alter startup state, or use the tool as a persistence and exfiltration path.
Q: What is the difference between blocking exfiltration domains and stopping NHI compromise?
A: Blocking one exfiltration domain only removes one exit path. Stopping NHI compromise requires controlling the identities and permissions that let malware read secrets, create repositories, sign commits, or reuse tokens. Attackers will pivot to whichever trusted channel still exists, so governance has to cover credentials, provenance, and runtime behaviour together.
Q: When should organisations re-evaluate CI trust assumptions?
A: They should re-evaluate them whenever pipelines can automatically execute third-party code, access repository secrets, or trigger downstream publishing without a second approval step. Those conditions mean the CI runner has meaningful standing privilege. Once that is true, a single compromised dependency can become a broad identity incident.
Technical breakdown
How supply-chain compromise reaches CI runner identities
The initial path here is a trusted software dependency that becomes an execution vector inside automated pipelines. When Dependabot pulls a malicious image or package, the runner executes it with whatever permissions the workflow grants, often including repository access and secrets retrieval. That makes the CI runner itself a non-human identity with meaningful authority, not just an execution host. Once the payload runs, the attacker can inspect environment variables, tokens, and cached credentials, then use those assets for lateral movement into source control and related services. The operational lesson is that dependency trust and runtime trust are not the same thing.
Practical implication: Treat dependency updates as privileged actions and restrict runner permissions to the minimum needed for each pipeline.
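As an added, illustrative example (not GitGuardian's or NHIMG's code), the check below audits a GitHub Actions workflow and a dependabot.yml for the conditions described above: a runner token with broad permissions, third-party actions not pinned to a commit SHA, untrusted pull-request code checked out under a trigger that hands it repository secrets, and dependency updates with no cooldown. It assumes the files have already been parsed into Python dicts (for instance with PyYAML), that the Dependabot cooldown is expressed through the `cooldown` / `default-days` keys, and that the 7-day threshold, the `example-org/scanner-action` name, the sample workflow contents and the 40-character SHAs are constructed placeholders. The same check serves the "Restrict automated dependency updates" and "Reduce runner privilege and secret scope" items under "For practitioners".

```python
"""Audit parsed CI configuration for standing runner privilege and weak dependency trust."""
from __future__ import annotations

import re
from typing import Any

SHA_PIN = re.compile(r"^[0-9a-f]{40}$")
MIN_COOLDOWN_DAYS = 7  # constructed policy threshold, not a GitHub default


def _triggers(workflow: dict[str, Any]) -> set[str]:
    # PyYAML parses the bare key `on:` as the boolean True, so accept both spellings.
    raw = workflow.get("on", workflow.get(True, {}))
    if isinstance(raw, str):
        return {raw}
    if isinstance(raw, list):
        return set(raw)
    return set(raw or {})


def audit_workflow(workflow: dict[str, Any]) -> list[str]:
    """Return one finding per condition that gives the runner more authority than it needs."""
    findings: list[str] = []
    perms = workflow.get("permissions")
    if perms is None:
        findings.append("workflow: no top-level 'permissions'; GITHUB_TOKEN falls back to the repository default")
    elif perms == "write-all":
        findings.append("workflow: 'permissions: write-all' grants every scope to the runner token")

    triggers = _triggers(workflow)
    for name, job in (workflow.get("jobs") or {}).items():
        if job.get("permissions") == "write-all":
            findings.append(f"job {name}: 'permissions: write-all'")
        for step in job.get("steps") or []:
            uses = step.get("uses")
            if not uses:
                continue
            action, _, ref = uses.partition("@")
            # A tag or branch can be retargeted by whoever controls the action repo; a SHA cannot.
            if not action.startswith("./") and not SHA_PIN.match(ref):
                findings.append(f"job {name}: action {uses!r} is not pinned to a commit SHA")
            ref_in = str((step.get("with") or {}).get("ref", ""))
            if ("pull_request_target" in triggers and action.startswith("actions/checkout")
                    and "pull_request.head" in ref_in):
                findings.append(f"job {name}: checks out untrusted PR head under pull_request_target, "
                                "so third-party code runs with repository secrets")
    return findings


def audit_dependabot(config: dict[str, Any]) -> list[str]:
    """Flag update streams that let a freshly published package or image into CI immediately."""
    findings: list[str] = []
    for update in config.get("updates") or []:
        eco = update.get("package-ecosystem", "?")
        days = (update.get("cooldown") or {}).get("default-days", 0)
        if days < MIN_COOLDOWN_DAYS:
            findings.append(f"dependabot {eco}: cooldown default-days={days} is below the {MIN_COOLDOWN_DAYS}-day policy")
    return findings


# Constructed sample configurations: a weak pair and a hardened pair.
WEAK_WORKFLOW = {
    "name": "ci",
    "on": ["push", "pull_request_target"],
    "permissions": "write-all",
    "jobs": {"build": {"runs-on": "ubuntu-latest", "steps": [
        {"uses": "actions/checkout@v4", "with": {"ref": "${{ github.event.pull_request.head.sha }}"}},
        {"uses": "example-org/scanner-action@v1"},  # constructed action name
        {"run": "npm ci && npm test"},
    ]}},
}
HARDENED_WORKFLOW = {
    "name": "ci",
    "on": ["push", "pull_request"],
    "permissions": {"contents": "read"},
    "jobs": {"build": {"runs-on": "ubuntu-latest", "permissions": {"contents": "read"}, "steps": [
        # Both SHAs are constructed placeholders, not real commits.
        {"uses": "actions/checkout@0123456789abcdef0123456789abcdef01234567"},
        {"uses": "example-org/scanner-action@fedcba9876543210fedcba9876543210fedcba98"},
        {"run": "npm ci && npm test"},
    ]}},
}
WEAK_DEPENDABOT = {"version": 2, "updates": [
    {"package-ecosystem": "npm", "directory": "/", "schedule": {"interval": "daily"}},
    {"package-ecosystem": "docker", "directory": "/", "schedule": {"interval": "daily"}},
]}
HARDENED_DEPENDABOT = {"version": 2, "updates": [
    {"package-ecosystem": "npm", "directory": "/", "schedule": {"interval": "daily"},
     "cooldown": {"default-days": 7}},
    {"package-ecosystem": "docker", "directory": "/", "schedule": {"interval": "daily"},
     "cooldown": {"default-days": 7}},
]}

if __name__ == "__main__":
    for label, wf, db in (("weak", WEAK_WORKFLOW, WEAK_DEPENDABOT),
                          ("hardened", HARDENED_WORKFLOW, HARDENED_DEPENDABOT)):
        print(label, audit_workflow(wf) + audit_dependabot(db) or ["no findings"])
```

The weak pair produces four workflow findings and two Dependabot findings; the hardened pair produces none. Run against real files, the two audit functions are the policy gate a pipeline can apply before a Dependabot-triggered workflow is allowed to reach repository secrets.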
AI coding assistants as an emerging identity abuse surface
The payload probing six AI coding tools shows that attackers are now testing for interactive assistants as part of the compromise path. These tools can be invoked with local privileges, command-line flags, and configuration state that make them part of the machine identity landscape. If malware can detect and manipulate the assistant environment, it can suppress prompts, trigger hidden execution, or alter shell startup files to persist after the original run. This is a governance problem because the tool is not just software, it is an actor with delegated execution authority and access to developer context.
Practical implication: Inventory AI coding tools as governed NHI assets and limit how they can read, write, or execute within developer workstations and CI.
Why fallback exfiltration channels defeat single-control defenses
A notable trait of this campaign is resilience. If the primary exfiltration domain is unreachable, the malware falls back to GitHub by staging tokens in commit messages, deriving alternate domains from signed commits, and uploading encrypted blobs into attacker-created repositories under the victim account. That pattern matters because it bypasses the assumption that blocking one endpoint or one domain is enough. The attacker is using multiple identity-linked channels, each of which looks like legitimate platform activity unless the organisation correlates token use, commit provenance, and repository creation at runtime.
Practical implication: Correlate GitHub events, token use, and pipeline execution together rather than relying on network filtering alone.
Threat narrative
Attacker objective: Steal repository credentials and maintain reliable exfiltration paths that survive blocked network destinations and user scrutiny.
- Entry via a compromised npm package and a trojanized Checkmarx KICS image pulled automatically through Dependabot into CI.
- Escalation through repository secrets, runner credentials, and AI tool probing that suppresses approvals and exposes local execution context.
- Impact through exfiltration to attacker-controlled domains, fallback staging in GitHub, and repository creation under the victim account for credential theft and persistence.
Breaches seen in the wild
- Shai Hulud npm malware campaign: npm malware exposed secrets on GitHub.
- Reviewdog GitHub Action supply chain attack: the reviewdog/action-setup GitHub Action supply chain attack exposed secrets.
Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.
NHI Mgmt Group analysis
CI runner identity is now part of the attack surface, not just the delivery system. This case shows that automated dependency updates can carry attacker code into environments that hold the most valuable machine credentials. Once the runner is trusted to execute and fetch secrets, compromise becomes a privilege problem, not a malware problem. Practitioners should govern runners as NHI assets with explicit scope and short-lived access.
AI tool poisoning creates a new category of identity abuse. The payload does not need to own the assistant ecosystem to exploit it. It only needs to detect, suppress, or redirect the local tools that already have execution authority. That means agentic and assistant workflows need the same governance discipline as service accounts: inventory, scope, approval boundaries, and logging.
Fallback exfiltration is a sign of identity-aware adversaries. The campaign does not depend on one channel or one domain because the attacker understands that defenders often block the obvious path and miss the authenticated fallback. This is where identity controls, provenance checks, and repository monitoring matter more than perimeter filtering. Practitioners should assume that exfiltration will use whatever trusted identity path remains open.
Ephemeral trust is not enough if privilege is still standing. The campaign benefits from environments that automatically update, automatically execute, and preserve reusable credentials across steps. That combination creates identity blast radius, where one compromised workflow can spread through multiple accounts and tools. Security teams should move from isolated secret handling to end-to-end workflow governance, because that is where the real containment boundary now lives.
From our research:
- Around 100,000 valid secrets were found in public Docker images, with ENV instructions alone accounting for 65% of all secret leaks in containers, according to The State of Secrets Sprawl 2025.
- 15% of commit authors have leaked at least one secret in their contribution history, which shows how often identity and source control overlap in real environments.
- Use the NHI Lifecycle Management Guide to tighten provisioning, rotation, and offboarding controls for machine identities that can reach CI and code repos.
What this signals
Identity blast radius is the right lens for this class of incident. When a single compromised package can touch CI, GitHub, and developer tooling, the control question is no longer whether the environment is patched. The question is how far one non-human identity can move before detection and whether that movement is constrained by least privilege and short-lived access.
With 4.6% of public GitHub repositories containing at least one hardcoded secret, secret exposure is not an edge case. That scale means pipeline governance has to assume leaked credentials, misuse of automation, and repository-level pivoting as routine conditions rather than rare exceptions.
Teams that govern AI assistants, CI runners, and repository automation as separate domains will miss the compound risk. The practical response is to link software supply chain controls, NHI lifecycle management, and code-host monitoring into one operating model, then map it to the NIST Cybersecurity Framework 2.0 and the NIST SP 800-63 Digital Identity Guidelines where authentication strength matters.
For practitioners
- Restrict automated dependency updates: Apply a cooldown to dependency updates that can execute code in CI, and require additional review for packages or images that touch secrets, runners, or deployment paths.
- Reduce runner privilege and secret scope: Separate build, test, and release identities so a compromised runner cannot read broad repository secrets or create new trust relationships in GitHub.
- Inventory AI coding tools as governed NHIs: Track Claude Code, Gemini CLI, Codex CLI, and similar assistants as managed non-human identities with explicit execution boundaries and logging.
- Monitor commit and repository anomalies: Alert on unexpected repository creation, unusual commit-message patterns, and token-like data appearing in source control or CI logs.
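To show the correlation called for in the last item and in the fallback-exfiltration section above, the following added example (not GitGuardian's or NHIMG's code) runs two detections over a small constructed stream of audit-style events: repository creation by a CI identity, or shortly after a workflow run by the same actor, and token-like strings in commit messages. `repo.create` is a real GitHub audit-log action name; the other action names, the actors, repositories, timestamps, the five-minute window and the placeholder token are constructed, and the patterns match credential prefix shapes only, so no real secret is involved.

```python
"""Correlate audit-style events, commit messages and CI activity to spot NHI abuse."""
from __future__ import annotations

import re
from datetime import datetime, timedelta
from typing import Any

# Prefix-based credential shapes; matching a shape is enough to raise an alert.
TOKEN_PATTERNS = {
    "github_classic_pat": re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36}\b"),
    "github_fine_grained_pat": re.compile(r"\bgithub_pat_[A-Za-z0-9_]{22,}\b"),
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
}
MACHINE_ACTORS = {"ci-bot"}  # constructed: identities that only pipelines should use
PLACEHOLDER_TOKEN = "ghp_" + "0123456789abcdefghijklmnopqrstuvwxyz"  # constructed, not a real token


def find_token_like(text: str) -> list[tuple[str, str]]:
    """Return (pattern_name, redacted_prefix) for each token-like string; never the full value."""
    hits: list[tuple[str, str]] = []
    for name, pattern in TOKEN_PATTERNS.items():
        for match in pattern.finditer(text):
            hits.append((name, match.group(0)[:8] + "..."))
    return hits


def _ts(event: dict[str, Any]) -> datetime:
    # fromisoformat on older Pythons does not accept a trailing 'Z', so normalise it.
    return datetime.fromisoformat(event["ts"].replace("Z", "+00:00"))


def detect(events: list[dict[str, Any]], window: timedelta = timedelta(minutes=5)) -> list[dict[str, str]]:
    """Apply the two rules in time order and return one alert per hit."""
    alerts: list[dict[str, str]] = []
    ci_runs: list[tuple[datetime, str]] = []  # (start time, actor) of workflow runs seen so far
    for ev in sorted(events, key=_ts):
        action, actor = ev["action"], ev["actor"]
        if action == "workflow_run.started":  # constructed event name
            ci_runs.append((_ts(ev), actor))
        elif action == "repo.create":
            # A new repo under a pipeline identity, or right after that identity's CI run,
            # matches the fallback staging pattern rather than normal developer activity.
            recent_ci = any(actor == a and _ts(ev) - t <= window for t, a in ci_runs)
            if actor in MACHINE_ACTORS or recent_ci:
                alerts.append({"rule": "repo_created_by_ci_identity", "actor": actor,
                               "repo": ev["repo"], "ts": ev["ts"], "detail": "creation tied to CI identity"})
        elif action == "git.push":  # constructed event name
            for name, redacted in find_token_like(ev.get("message", "")):
                alerts.append({"rule": "token_like_in_commit_message", "actor": actor,
                               "repo": ev["repo"], "ts": ev["ts"], "detail": f"{name} {redacted}"})
    return alerts


# Constructed sample stream: one CI identity staging a token, one developer working normally.
SAMPLE_EVENTS = [
    {"ts": "2026-04-23T10:00:05Z", "actor": "ci-bot", "action": "workflow_run.started", "repo": "acme/app"},
    {"ts": "2026-04-23T10:00:40Z", "actor": "ci-bot", "action": "repo.create", "repo": "ci-bot/build-cache"},
    {"ts": "2026-04-23T10:00:55Z", "actor": "ci-bot", "action": "git.push", "repo": "ci-bot/build-cache",
     "message": "sync " + PLACEHOLDER_TOKEN},
    {"ts": "2026-04-23T10:12:00Z", "actor": "alice", "action": "git.push", "repo": "acme/app",
     "message": "Fix null check in config loader"},
    {"ts": "2026-04-23T11:30:00Z", "actor": "alice", "action": "repo.create", "repo": "alice/notes"},
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

On the sample stream the two `ci-bot` events raise alerts and Alice's activity raises none, which is the point: the same platform actions are benign or hostile depending on which identity performs them and what ran just before. Redacting matched values before they reach an alert sink stops the detection itself from becoming a second leak.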
Key takeaways
- Automated dependency paths can turn CI runners into high-value non-human identities with broader access than teams expect.
- Attackers are increasingly chaining source control, secrets, and AI tooling into one identity abuse path rather than treating each system separately.
- Practitioners should govern runners, assistants, and repository automation as a single trust domain with strict scope and short-lived credentials.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Agentic AI Top 10 and OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0 sets the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Agentic AI Top 10 | | AI tool probing and prompt suppression map to agentic AI abuse patterns. |
| OWASP Non-Human Identity Top 10 | NHI-03 | Automated updates and CI runners need strict rotation and scoped credentials. |
| NIST CSF 2.0 | PR.AC-4 | Least-privilege access is central when CI identities can access secrets and repos. |
Inventory assistant tooling and restrict execution authority, logging, and prompt suppression paths.
Key terms
- CI Runner Identity: A CI runner identity is the set of credentials and permissions a build or test runner uses while executing pipeline tasks. In NHI terms, it is a machine identity with real authority, often able to read secrets, access repositories, and publish artefacts if controls are too broad.
- Dependency Update Trust Boundary: The dependency update trust boundary is the point where automated package or image updates cross from approved maintenance into code execution. When that boundary is weak, a trusted automation event can deliver attacker code into environments that hold secrets and release privileges.
- AI Tool Poisoning: AI tool poisoning is the manipulation of local AI assistants or coding tools so they execute attacker-chosen behaviour, hide prompts, or persist changes. It is an identity problem because the assistant operates with delegated execution authority and can be steered by malicious input or environment changes.
- Identity Blast Radius: Identity blast radius is the amount of access and downstream reach a compromised non-human identity can obtain before containment. It reflects how far a token, runner, or assistant can move across systems when standing privilege, reuse, and weak segmentation are present.
What's in the full analysis
GitGuardian's full article covers the operational detail this post intentionally leaves for the source:
- The exact commit-message patterns and signature checks used to trace the malware's fallback exfiltration logic.
- The repository-level evidence behind the beautifulcastle and LongLiveTheResistanceAgainstMachines indicators.
- The specific payload behaviour that targets Claude Code, Gemini CLI, Codex CLI, Kiro CLI, Aider, and OpenCode.
- The recommended cooldown approach for dependency updates and why Dependabot-style automation changes the risk profile.
Deepen your knowledge
CI runner governance and AI tool abuse are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are building controls for automated dependency updates and assistant-driven workflows, it is worth exploring.
Published by the NHIMG editorial team on 2026-04-23.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org