TL;DR: September 2025 incidents across npm, healthcare, banking, and third-party support environments showed how secrets leakage, stale access, and supply chain compromise multiply blast radius once attackers move laterally, according to ColorTokens Threat Advisory. The pattern reinforces that containment and identity lifecycle controls matter as much as perimeter defence.
NHIMG editorial — based on content published by ColorTokens: What a Rogue Package, a Ransomware Hit, and One Mistake Say About Cyber Risk Right Now
By the numbers:
- 104 of Cloudflare’s API tokens were exposed in a third-party breach linked to the Drift and Salesloft compromise.
- The breach exposed 34 GB of sensitive medical data, including lab results, X-rays, and records involving minors.
Questions worth separating out
Q: What breaks when exposed credentials are not revoked quickly?
A: Exposed credentials create a standing access window that attackers can exploit before defenders notice.
Q: Why do service account tokens increase lateral movement risk?
A: Because they authenticate as valid identities without human interaction and often carry access that persists beyond the original task.
Q: What do security teams get wrong about vendor offboarding?
A: They often treat offboarding as a procurement or contract step instead of an identity event.
Practitioner guidance
- Inventory every credential path exposed by build and support workflows Map cloud metadata endpoints, CI/CD variables, maintainer tokens, and support-session access to the systems they can reach.
- Automate offboarding across human and non-human access Ensure departure workflows revoke VPN, email, cloud, repository, and service-account access in one sequence, then verify that tokens and delegated permissions are no longer valid.
- Pair secret detection with immediate revocation Do not stop at finding exposed secrets in GitHub, chat, or logs.
What's in the full article
ColorTokens' full blog covers the operational detail this post intentionally leaves for the source:
- The per-incident breakdown of the npm worm, healthcare ransomware, insider misuse, and third-party token exposure.
- The specific remediation checklist ColorTokens recommends for microsegmentation and lateral movement containment.
- The operational examples behind the article’s claims about secret leakage, downstream blast radius, and response sequencing.
- The source article’s framing of how these events connect to microsegmentation decisions in production environments.
👉 Read ColorTokens’ advisory on npm worm activity, ransomware, insider access, and vendor compromise →
Lateral movement, secrets leakage, and offboarding gaps: what stands out?
Explore further
Lateral movement is the shared failure mode across supply chain, insider, and ransomware incidents. The article groups together very different events, but the control problem is the same: once one trusted boundary fails, attackers look for the next reusable credential or implicit trust path. That is why microsegmentation, offboarding, and secret revocation belong in the same governance conversation. Practitioners should treat blast-radius reduction as an access governance objective, not only a network design choice.
A question worth separating out:
Q: Who is accountable when a service account breach exposes customer data?
A: Accountability sits with the team that owns the application, the identity lifecycle, and the control environment around the service account. If no owner can explain why the credential existed, how it was rotated, and what it could access, governance has failed. Frameworks such as OWASP-NHI and NIST CSF both point to clear ownership and recoverability.
👉 Read our full editorial: Shai-Hulud, ransomware and offboarding failures expose lateral risk