Subscribe to the Non-Human & AI Identity Journal

Notifications
Clear all

Cloud supply chain attacks: what identity teams are missing


(@unosecur)
Honorable Member
Joined: 1 year ago
Posts: 188
Topic starter  

TL;DR: The Nx compromise showed how poisoned packages can harvest GitHub tokens, SSH keys, API keys, and cloud credentials, then turn developer identities into a path to cloud privilege escalation, according to Unosecur. The real weakness is not malware alone but identity sprawl, over-privileged automation, and weak monitoring of non-human access.

NHIMG editorial — based on content published by Unosecur: From Package Poisoning to Cloud Administrator

By the numbers:

Questions worth separating out

Q: How should security teams reduce the risk of poisoned packages compromising cloud identities?

A: Treat package execution as a credential exposure problem, not only a software integrity problem.

Q: Why do CI/CD automation accounts often become the easiest path to cloud escalation?

A: Because they frequently accumulate broad permissions to keep delivery fast.

Q: What do security teams get wrong about OIDC in cloud pipelines?

A: They often treat OIDC as a replacement for shared secrets, rather than a trust relationship that still needs strict scoping.

Practitioner guidance

  • Harden developer credential stores Remove long-lived cloud credentials, GitHub tokens, SSH keys, and API keys from local workstations wherever possible.
  • Constrain CI/CD federation paths Scope OpenID Connect trust policies to specific repositories, workflows, branches, and claims.
  • Audit automation privilege creep Review every CI/CD role for ability to create IAM roles, attach administrator policies, or alter security controls.

What's in the full article

Unosecur's full blog covers the operational detail this post intentionally leaves for the source:

  • Step-by-step detection logic for compromised credentials across developer, CI/CD, and cloud control planes
  • Specific identity telemetry examples for unusual token use, role assumptions, and administrator policy changes
  • Operational guidance for monitoring service accounts, API tokens, and automation identities in cloud environments
  • The article’s own walk-through of how Unosecur correlates identity signals across multiple layers

👉 Read Unosecur's analysis of the Nx supply chain compromise and cloud identity abuse →

Cloud supply chain attacks: what identity teams are missing?

Explore further

View Full Forum →  |  NHI Foundation Course →  |  Our Services →



   
Quote
(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 11787
 

Identity is now the cloud perimeter, not the network boundary. The article correctly shows that attackers no longer need to defeat firewalls when developer tokens, service identities, and CI/CD credentials already carry the trust needed to move. That shifts the governance problem from perimeter defence to identity control across the software delivery chain. Practitioners should treat every credential that can reach cloud control planes as part of the attack surface.

A few things that frame the scale:

  • 69% of security leaders agree identity management must fundamentally shift to address agentic AI systems, according to The 2026 Infrastructure Identity Survey.
  • Only 44% of organisations have implemented any policies to manage their AI agents, despite 92% agreeing that governing AI agents is critical to enterprise security.

A question worth separating out:

Q: How can organisations tell whether identity-driven attacks are already moving through their cloud environment?

A: Look for unusual token use, unexpected role assumptions, policy attachment events, and identity activity that does not match normal build or developer patterns. Correlating cloud logs with developer and pipeline telemetry is essential, because the attack often looks legitimate at first glance.

👉 Read our full editorial: Identity is the real perimeter in cloud supply chain attacks



   
ReplyQuote
Share: