TL;DR: September 2025 incidents across npm, healthcare, banking, and third-party support environments showed how secrets leakage, stale access, and supply chain compromise multiply blast radius once attackers move laterally, according to ColorTokens Threat Advisory. The pattern reinforces that containment and identity lifecycle controls matter as much as perimeter defence.
At a glance
What this is: ColorTokens’ advisory ties together four incidents to show how compromised environments, exposed secrets, and broken offboarding turn isolated events into broader lateral movement risk.
Why it matters: For IAM, PAM, and NHI teams, the lesson is that access lifecycle failures and leaked credentials can amplify impact faster than traditional detection and response can contain it.
By the numbers:
- 104 of Cloudflare’s API tokens were exposed in a third-party breach linked to the Drift and Salesloft compromise.
- The breach exposed 34 GB of sensitive medical data, including lab results, X-rays, and records involving minors.
👉 Read ColorTokens’ advisory on npm worm activity, ransomware, insider access, and vendor compromise
Context
The core problem is not just intrusion, but how quickly compromised access becomes reusable across systems, packages, and vendors. In this advisory, ColorTokens groups ransomware, insider misuse, supply chain compromise, and third-party exposure around one operational failure: once credentials or trust links are exposed, attackers can move farther than defenders expect.
For identity and access programmes, that means NHI secret handling, offboarding discipline, and privilege containment sit on the same risk path. The article is really about governance gaps in how access persists, how secrets spread, and how downstream environments inherit upstream exposure.
Key questions
Q: What breaks when exposed credentials are not revoked quickly?
A: Exposed credentials create a standing access window that attackers can exploit before defenders notice. The danger is not limited to the original leak. Any system that trusts the credential can become reachable until the secret is rotated, downstream access is closed, and the exposure path is fully removed.
Q: Why do service account tokens increase lateral movement risk?
A: Because they authenticate as valid identities without human interaction and often carry access that persists beyond the original task. If the token is over-scoped or poorly monitored, an attacker can reuse it across systems and clouds while appearing authorised. The risk grows when teams treat service accounts as infrastructure details instead of governed identities.
Q: What do security teams get wrong about vendor offboarding?
A: They often treat offboarding as a procurement or contract step instead of an identity event. If application keys, API tokens, and delegated integrations are not revoked and verified, the relationship still exists in practice. That leaves a latent recovery problem for the next vendor incident.
Q: Who is accountable when a service account breach exposes customer data?
A: Accountability sits with the team that owns the application, the identity lifecycle, and the control environment around the service account. If no owner can explain why the credential existed, how it was rotated, and what it could access, governance has failed. Frameworks such as OWASP-NHI and NIST CSF both point to clear ownership and recoverability.
Technical breakdown
How worm-style package compromise turns one secret into many
A worm-style supply chain attack on npm is not just malware delivery. Once a maintainer environment is compromised, the attacker can steal secrets from metadata endpoints, publish those secrets to public repositories, and tamper with every package the maintainer can reach. The result is propagation through trusted software workflows rather than noisy brute force. In this pattern, CI/CD and developer workstation controls fail together because the build pipeline and the identity used to operate it are both part of the attack surface.
Practical implication: treat maintainer environments, tokens, and build workflows as production trust anchors, not developer conveniences.
Why exposed secrets turn into lateral movement fuel
Secrets in environment variables, cloud metadata services, and support tooling become reusable credentials when defenders do not revoke them quickly. The article’s examples show a familiar chain: stolen credentials are exfiltrated, reused in adjacent systems, and then leveraged for broader access or data theft. This is why secret discovery alone is not enough. If revocation, scope reduction, and boundary enforcement are weak, exposed credentials keep their value long after the initial incident.
Practical implication: pair secret detection with automated revocation and scope control across every runtime that can emit credentials.
How offboarding gaps create a standing access problem
The FinWise case shows how a former employee can remain dangerous when access is not fully removed. Offboarding failure is not just an HR issue, it is an identity lifecycle breakdown that leaves accounts, tokens, VPN access, or cloud permissions alive after employment ends. Once that stale access exists, the attacker does not need to break in again. They simply use permissions that should no longer exist. That is the essence of standing privilege after departure.
Practical implication: verify that exit workflows revoke every identity path, including non-human accounts and support access.
Threat narrative
Attacker objective: The attacker wants to convert one trusted access path into repeatable access across software supply chains, internal systems, and downstream customer environments.
- Entry begins with a compromised maintainer environment or exposed third-party access path, which gives the attacker a trusted foothold inside software and support workflows.
- Credential harvest and reuse follow as secrets are pulled from cloud metadata, local environments, or support data and then pushed into attacker-controlled locations.
- Escalation happens when stolen credentials, exposed tokens, or leftover employee access are used to move into adjacent systems and widen data access.
- Impact is broader data theft, package poisoning, ransomware blast radius, and downstream customer exposure across multiple organisations.
NHI Mgmt Group analysis
Lateral movement is the shared failure mode across supply chain, insider, and ransomware incidents. The article groups together very different events, but the control problem is the same: once one trusted boundary fails, attackers look for the next reusable credential or implicit trust path. That is why microsegmentation, offboarding, and secret revocation belong in the same governance conversation. Practitioners should treat blast-radius reduction as an access governance objective, not only a network design choice.
Standing access after exit is a lifecycle failure, not a one-off insider anomaly. The FinWise example shows how a departed employee can continue to access data when revocation is incomplete or fragmented. In identity programmes, that means human accounts, tokens, VPN entitlements, and delegated support access all need a verifiable termination state. The practitioner conclusion is clear: if access can survive departure, the lifecycle control has failed.
Secret sprawl has become a propagation mechanism for modern attacks. When tokens live in CI/CD, metadata endpoints, chat systems, or support workflows, the secret itself becomes the payload. This is where NHI governance intersects with the broader cyber stack, because service credentials and automation identities can turn a single compromise into a multi-system event. Teams need to think in terms of credential mobility, not just credential existence.
Blast-radius containment is now the practical measure of resilience. The incidents described here show that detection after the fact often arrives after the attacker has already moved. That shifts programme priority toward reducing where stolen access can travel, especially across cloud, DevOps, and third-party integrations. Practitioners should measure how far a compromised identity can move before the environment stops it.
Microsegmentation only works when identity boundaries are equally disciplined. The article’s core point is not simply that networks should be segmented, but that segmentation fails if credentials, tokens, and support access remain broadly valid. That makes identity governance and runtime containment mutually dependent. Security teams should evaluate containment through both communication policy and entitlement scope.
What this signals
Secret mobility is now the control question. The operational issue is no longer whether secrets exist, but how far they can travel before containment kicks in. For identity teams, that means pairing revocation with boundary design and using resources such as the OWASP Non-Human Identity Top 10 to frame the risk of overexposed service credentials.
The same pattern is showing up across software supply chain, support tooling, and cloud integrations, which means access governance has to extend beyond core IAM. If a token can reach multiple systems, it is part of the blast radius problem, not just an authentication problem.
Credential containment becomes a resilience metric. Security programmes should measure how quickly a leaked secret stops working and how many adjacent systems it can touch before that happens. That aligns tightly with MITRE ATT&CK Enterprise Matrix concepts such as credential access and lateral movement, and it gives practitioners a more useful benchmark than raw detection volume.
For practitioners
- Inventory every credential path exposed by build and support workflows Map cloud metadata endpoints, CI/CD variables, maintainer tokens, and support-session access to the systems they can reach. Use this inventory to identify which secrets can move laterally if stolen. The weak point is often the path nobody considered production-grade.
- Automate offboarding across human and non-human access Ensure departure workflows revoke VPN, email, cloud, repository, and service-account access in one sequence, then verify that tokens and delegated permissions are no longer valid. The goal is a complete termination state, not a checklist completion.
- Pair secret detection with immediate revocation Do not stop at finding exposed secrets in GitHub, chat, or logs. Revoke and rotate the credential, then confirm the old secret no longer authenticates in any environment where it was valid. Without revocation, detection only shortens the time to exploitation.
- Reduce blast radius with segmented trust zones Separate package publishing, support tooling, customer data systems, and privileged administrative paths so one compromised identity cannot bridge all of them. Align these boundaries with access policies and service identity scope, not only network address ranges.
Key takeaways
- The article’s common thread is not the incident type, but the reuse of trust paths after a single compromise.
- The evidence shows that exposed tokens, stale access, and vendor spillover can create large downstream blast radii, including 689,000 affected customer records and 104 exposed API tokens.
- The limiting control is not only detection, but fast revocation plus segmented access boundaries that stop reuse.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Non-Human Identity Top 10 and MITRE ATT&CK address the attack and risk surface, while NIST CSF 2.0, NIST SP 800-53 Rev 5 and CIS Controls v8 set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-03 | The article centers on exposed secrets and reused non-human credentials. |
| MITRE ATT&CK | TA0006 , Credential Access; TA0008 , Lateral Movement | The incidents rely on credential theft and pivoting across trusted environments. |
| NIST CSF 2.0 | PR.AC-4 | The article highlights scope control and access governance failures across identities. |
| NIST SP 800-53 Rev 5 | IA-5 | Credential management is central to the secret revocation and reuse problem. |
| CIS Controls v8 | CIS-5 , Account Management | Offboarding failures and stale access are account management breakdowns. |
Use CIS-5 to ensure terminated accounts and service identities are fully removed and verified.
Key terms
- Lateral Movement: Lateral movement is the stage where an attacker uses one compromised system or identity to reach additional systems. In modern environments this often happens through trusted credentials, service accounts, tokens, and vendor integrations rather than loud exploit chains, which is why containment matters as much as detection.
- Secret Sprawl: Secret sprawl is the uncontrolled spread of credentials, tokens, API keys, and certificates across code, logs, chat, metadata services, and support tools. It increases the number of places an attacker can recover usable access and makes revocation harder because the same secret may exist in multiple operational layers.
- Identity Lifecycle Governance: Identity lifecycle governance is the set of processes that create, change, review, rotate, and revoke access across human and non-human identities. It matters because access risk usually increases when lifecycle events are slow, incomplete, or disconnected from the systems that rely on them.
What's in the full article
ColorTokens' full blog covers the operational detail this post intentionally leaves for the source:
- The per-incident breakdown of the npm worm, healthcare ransomware, insider misuse, and third-party token exposure.
- The specific remediation checklist ColorTokens recommends for microsegmentation and lateral movement containment.
- The operational examples behind the article’s claims about secret leakage, downstream blast radius, and response sequencing.
- The source article’s framing of how these events connect to microsegmentation decisions in production environments.
Deepen your knowledge
The NHI Foundation Level course, the industry's only accredited NHI security programme, covers NHI governance, machine identity security, and secrets management in a way that maps directly to access lifecycle decisions. It is designed for practitioners who need to turn identity controls into operational containment.
Published by the NHIMG editorial team on July 11, 2026.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org