TL;DR: Supply chain attacks are increasingly following the same pattern of breach, secret discovery, and pivot, with its user-agent now appearing in SaaS and cloud logs as defenders and attackers both use the tool, according to TruffleHog. The real security issue is not the scanner itself but the speed gap between exposure, verification, and revocation.
NHIMG editorial — based on content published by TruffleHog: TruffleHog in Your Logs?
By the numbers:
- When AWS credentials are exposed publicly, attackers attempt access within an average of 17 minutes, and as quickly as 9 minutes in some cases.
- 72% of organisations have experienced or suspect they have experienced a breach of non-human identities, 46% confirmed and 26% suspected.
Questions worth separating out
Q: How should security teams respond when a live secret is discovered in SaaS logs or code?
A: Treat the finding as active access until proven otherwise.
Q: Why do exposed secrets create such a fast escalation risk for IAM and NHI programmes?
A: Because the discovery window is often shorter than the response window.
Q: What do security teams get wrong about secret scanning?
A: They often treat detection as the finish line.
Practitioner guidance
- Separate sanctioned scans from hostile activity Use distinct user-agent suffixes for internal scanning so SOC and SIEM teams can attribute TruffleHog activity correctly across GitHub, AWS, Slack, Jira, and Confluence.
- Treat verified secrets as active credentials If a scanner confirms a credential is live, move immediately to revocation and replacement instead of deleting the file, commit, or message where it appeared.
- Expand scanning beyond code repositories Include collaboration systems, issue trackers, and document stores in your secret discovery programme because secrets routinely surface outside source code.
What's in the full article
TruffleHog's full article covers the operational detail this post intentionally leaves for the source:
- A step-by-step response sequence for exposed secrets, including ownership resolution, revocation, and replacement.
- Practical examples of how to distinguish sanctioned secret scans from suspicious user-agent activity in logs.
- Coverage of where secrets hide beyond source code, including Slack, Jira, Confluence, and other SaaS systems.
- Implementation detail for integrating secret scanning into CI/CD and commit history workflows.
👉 Read TruffleHog's analysis of secret exposure, log attribution, and rotation →
TruffleHog in logs: what it means for secret exposure response?
Explore further
Credential exposure is now a live access problem, not a post-incident hygiene issue. TruffleHog's core value is that it exposes the gap between discovery and revocation, which is where attackers operate. In NHI governance terms, a live secret is an identity with delegated authority, even if it first appeared in a code review, log file, or collaboration workspace. Practitioners must treat exposed secrets as active access until proved otherwise.
A few things that frame the scale:
- When AWS credentials are exposed publicly, attackers attempt access within an average of 17 minutes, and as quickly as 9 minutes in some cases, according to LLMjacking: How Attackers Hijack AI Using Compromised NHIs.
- DeepSeek accidentally embedded over 11,000 secrets in its training data and exposed more than one million sensitive records, including chat histories, backend credentials, and API keys.
A question worth separating out:
Q: How can organisations reduce the blast radius of leaked service credentials?
A: Limit the number of systems each credential can reach, map all dependencies before rotation, and require a clear owner for every secret. Add scanning outside code, especially in SaaS platforms where secrets often hide, so you catch leaks before they become cross-platform pivot points.
👉 Read our full editorial: TruffleHog in logs signals exposed secrets need faster response