TL;DR: The Nx compromise showed how poisoned packages can harvest GitHub tokens, SSH keys, API keys, and cloud credentials, then turn developer identities into a path to cloud privilege escalation, according to Unosecur. The real weakness is not malware alone but identity sprawl, over-privileged automation, and weak monitoring of non-human access.
NHIMG editorial — based on content published by Unosecur: From Package Poisoning to Cloud Administrator
By the numbers:
- Only 13% of organisations feel extremely prepared for the reality of agentic AI despite the majority racing toward autonomous adoption.
Questions worth separating out
Q: How should security teams reduce the risk of poisoned packages compromising cloud identities?
A: Treat package execution as a credential exposure problem, not only a software integrity problem.
Q: Why do CI/CD automation accounts often become the easiest path to cloud escalation?
A: Because they frequently accumulate broad permissions to keep delivery fast.
Q: What do security teams get wrong about OIDC in cloud pipelines?
A: They often treat OIDC as a replacement for shared secrets, rather than a trust relationship that still needs strict scoping.
Practitioner guidance
- Harden developer credential stores: remove long-lived cloud credentials, GitHub tokens, SSH keys, and API keys from local workstations wherever possible.
- Constrain CI/CD federation paths: scope OpenID Connect trust policies to specific repositories, workflows, branches, and claims.
- Audit automation privilege creep: review every CI/CD role for the ability to create IAM roles, attach administrator policies, or alter security controls.
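The OIDC scoping point above, as an added example that is not Unosecur's or NHIMG's code: a small Python review of an AWS IAM role trust policy for GitHub Actions federation that flags an unpinned audience or a subject that does not name one repository and one branch or environment. It assumes the AWS STS plus GitHub Actions issuer combination; the account id, organisation and repository names are placeholders.

```python
import json

# Constructed trust policies (illustrative, not from the article). Both
# federate AWS STS to GitHub Actions via OIDC; the weak one accepts any
# repository, the hardened one pins audience, repository and branch.
ISSUER = "token.actions.githubusercontent.com"
PROVIDER = f"arn:aws:iam::123456789012:oidc-provider/{ISSUER}"  # placeholder account id

def trust_policy(conditions):
    """Build a one-statement AssumeRoleWithWebIdentity trust policy."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": PROVIDER},
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": conditions}]}

# Weak: wildcard subject and no audience check, so a workflow in any
# GitHub organisation can obtain credentials for this role.
WEAK_POLICY = trust_policy({"StringLike": {f"{ISSUER}:sub": "repo:*"}})

# Hardened: exact audience, one repository, one branch.
HARDENED_POLICY = trust_policy({"StringEquals": {
    f"{ISSUER}:aud": "sts.amazonaws.com",
    f"{ISSUER}:sub": "repo:example-org/example-app:ref:refs/heads/main"}})

def review_oidc_trust(policy):
    """Return findings for each web-identity statement; empty means scoped."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Action") != "sts:AssumeRoleWithWebIdentity":
            continue
        merged = {}
        for op in ("StringEquals", "StringLike"):
            merged.update(stmt.get("Condition", {}).get(op, {}))
        if merged.get(f"{ISSUER}:aud") != "sts.amazonaws.com":
            findings.append("aud not pinned: tokens minted for another audience are accepted")
        sub = merged.get(f"{ISSUER}:sub")
        if sub is None:
            findings.append("no sub condition: any workflow from the issuer may assume the role")
        for s in (sub if isinstance(sub, list) else [] if sub is None else [sub]):
            parts = s.split(":", 2)  # repo:<org/name>:<ref|environment|pull_request...>
            if len(parts) < 2 or parts[0] != "repo" or "*" in parts[1]:
                findings.append(f"sub {s!r} does not pin a single repository")
            elif len(parts) < 3 or "*" in parts[2]:
                findings.append(f"sub {s!r} does not pin a branch or environment")
    return findings

if __name__ == "__main__":
    for name, pol in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        print(name, json.dumps(review_oidc_trust(pol) or ["scoped"]))
```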
What's in the full article
Unosecur's full blog covers the operational detail this post intentionally leaves for the source:
- Step-by-step detection logic for compromised credentials across developer, CI/CD, and cloud control planes
- Specific identity telemetry examples for unusual token use, role assumptions, and administrator policy changes
- Operational guidance for monitoring service accounts, API tokens, and automation identities in cloud environments
- The article’s own walk-through of how Unosecur correlates identity signals across multiple layers
Read Unosecur's analysis of the Nx supply chain compromise and cloud identity abuse.
Cloud supply chain attacks: what identity teams are missing?