
Ungoverned GitHub tokens: what IAM teams are missing now


(@unosecur)
Topic starter  

TL;DR: A GitHub personal access token embedded in client-side JavaScript let FulcrumSec move through hundreds of private Novo Nordisk repositories, harvest additional credentials and claim access to AI assets and clinical data, according to Unosecur and reporting cited in the article. The breach shows that long-lived machine credentials become an identity graph when they are never inventoried or rotated, and that blast radius matters more than initial access.

NHIMG editorial — based on content published by Unosecur covering the Novo Nordisk token exposure incident: How one ungoverned token opened Novo Nordisk's entire environment

By the numbers:

  • When AWS credentials are exposed publicly, attackers attempt access within an average of 17 minutes and as quickly as 9 minutes in some cases.
  • 64% of valid secrets leaked in 2022 are still valid and exploitable today, proving that detection alone is not enough without automated revocation.

Questions worth separating out

Q: What breaks when a GitHub token is embedded in client-side code?

A: The token stops behaving like a controlled identity and starts behaving like an unmanaged bearer credential.

Q: Why do machine credentials in repositories increase lateral movement risk?

A: Repositories often expose more than code; as the article describes, additional credentials were harvested from them, so one token becomes reach into every system those credentials unlock.

Q: How should security teams measure whether NHI secret controls are working?

A: Measure how many credentials are discovered before merge, how quickly they are revoked after exposure, and how much access each credential can reach.

Practitioner guidance

  • Inventory every machine credential in code and pipelines: build a live register of tokens, API keys, and certificates found in repositories, CI systems, and deployment artifacts.
  • Block secret-bearing commits before merge: add secrets scanning at commit and build time, and fail the pipeline when a credential appears in source, documentation, or generated artifacts.
  • Map the reachable systems for each token: document what every non-human identity can reach across source, build, storage, and production layers.
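An added example of the pre-merge gate described above (not Unosecur's or NHIMG's code): it scans every file in a constructed sample commit, including a browser bundle and documentation, for GitHub token formats, fails closed on any hit, and reports findings redacted so the scanner itself never re-leaks the credential. The regexes rely on GitHub's published prefixes (ghp_/gho_/ghu_/ghs_/ghr_ and github_pat_); the exact body lengths are an assumption.

```python
import re
from dataclasses import dataclass

# GitHub token formats: documented prefix plus an alphanumeric body.
# Body lengths below are minimums and are an assumption, not a spec citation.
GITHUB_TOKEN_PATTERNS = {
    "github_classic_pat": re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36,}\b"),
    "github_fine_grained_pat": re.compile(r"\bgithub_pat_[A-Za-z0-9_]{22,}\b"),
}

@dataclass(frozen=True)
class Finding:
    path: str
    line: int
    kind: str
    redacted: str  # never log the full token: only prefix + last 4 chars

def redact(token: str) -> str:
    prefix = token.split("_", 1)[0] + "_"
    return f"{prefix}***{token[-4:]}"

def scan_text(path: str, text: str) -> list[Finding]:
    """Return one Finding per token occurrence in the given file text."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in GITHUB_TOKEN_PATTERNS.items():
            for match in pattern.finditer(line):
                findings.append(Finding(path, lineno, kind, redact(match.group(0))))
    return findings

def gate_commit(files: dict[str, str]) -> tuple[bool, list[Finding]]:
    """Return (allowed, findings). Fails closed when any token appears,
    whether the file is source, documentation or a generated artifact."""
    findings = [f for path, text in files.items() for f in scan_text(path, text)]
    return (len(findings) == 0, findings)

# Constructed sample commit with synthetic tokens (not real credentials).
FAKE_PAT = "ghp_" + "x" * 36
FAKE_FG = "github_pat_" + "y" * 22 + "_" + "z" * 59
SAMPLE_COMMIT = {
    "static/app.bundle.js": 'const GH_TOKEN = "' + FAKE_PAT + '";\n'
        'fetch("https://api.github.com/user", {headers: {Authorization: "token " + GH_TOKEN}});\n',
    "docs/SETUP.md": "Export GH_PAT=" + FAKE_FG + " before running the sync job.\n",
    "build/ci.log": "Checked out repo, no secrets here.\n",
}

if __name__ == "__main__":
    allowed, findings = gate_commit(SAMPLE_COMMIT)
    for f in findings:
        print(f"{f.path}:{f.line}: {f.kind} {f.redacted}")
    raise SystemExit(0 if allowed else 1)  # non-zero exit fails the pipeline
```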

What's in the full article

Unosecur's full blog covers the operational detail this post intentionally leaves for the source:

  • A step-by-step breakdown of how the GitHub token was discovered in client-side JavaScript and how the repository graph enabled further access.
  • The incident mapping that links initial token exposure to repository cloning, credential harvesting, and prolonged lateral movement.
  • Operational guidance on continuous secrets scanning, behavioural baselines, and token scope reduction in development environments.
  • The vendor's own remediation framing for where repository governance, CI controls, and identity inventory should intersect.

👉 Read Unosecur's analysis of the Novo Nordisk token exposure and repository breach →

