Look for unexpected token use, unusual outbound connections, unexplained browser profile access, and persistence mechanisms on workstations and build runners. If a compromised package executed on the machine, assume cloud keys, CI secrets, and other non-human credentials may already be exposed and rotate them before restoring trust.
Why Security Teams Should Treat Developer Endpoints as NHI Leak Sources
Developer workstations and build runners are now high-value identity containers, not just user endpoints. If a package, browser extension, or local script can read environment variables, cached tokens, or cloud credential files, it can often reach NHI secrets before any perimeter alert fires. That is why incident response has to focus on abnormal token use, not just malware detection. NHIMG’s Guide to the Secret Sprawl Challenge shows how quickly secrets fragment across tooling, while the Shai Hulud npm malware campaign is a reminder that supply-chain execution on a developer machine can expose far more than code.
Current guidance suggests assuming compromise when a trusted workstation starts making unusual outbound connections, authenticating from a new process tree, or accessing browser profiles and local secret stores that should never be part of normal development activity. In practice, many security teams discover NHI leakage only after the leaked token has already been reused from another environment, rather than through intentional endpoint monitoring.
How Security Teams Detect NHI Secret Leakage on Endpoints
Detection works best when endpoint telemetry, identity telemetry, and cloud audit logs are reviewed together. A stolen cloud key or CI secret rarely announces itself directly; instead, it shows up as a chain of events that does not match the endpoint’s normal developer workflow. Security teams should correlate process launches, script execution, browser access, and outbound network patterns with token usage, API calls, and secret-manager events.
Useful signals include repeated access to ~/.aws, credential stores, browser session data, Git credential helpers, and CI workspace caches. For build runners, the question is often whether a job unexpectedly reached into broader filesystem paths or fetched secrets outside its approved pipeline stage. The OWASP Non-Human Identity Top 10 is useful here because it frames secrets exposure as an identity problem, not just a malware problem.
- Alert on token use from new hostnames, geographies, or process identities.
- Watch for browser profile reads, credential store access, and secret file enumeration.
- Compare endpoint activity with cloud audit logs for impossible or out-of-pattern API sequences.
- Quarantine the workstation or runner before rotating keys, because active exfiltration often continues after first detection.
NHIMG analysis of secrets incidents in 52 NHI Breaches Analysis shows that credential exposure is often discovered late, after attackers have already reused the identity elsewhere. For endpoint triage, the practical standard is to assume any executed package with filesystem and network access may have touched secrets, then validate which credentials were reachable and revoke them in priority order. These controls tend to break down when developer endpoints are unmanaged, local admin rights are broad, or build runners are reused across projects because the trust boundary becomes too large to attribute activity cleanly.
Where Endpoint Monitoring Misses the Hard Cases
Tighter detection often increases operational noise, requiring organisations to balance fast leak detection against developer productivity and alert fatigue. The hardest cases are not obvious malware but legitimate tools doing illegitimate things on behalf of an attacker, such as a compromised dependency, a malicious npm postinstall step, or a browser-based session hijack. Best practice is evolving, but there is no universal standard for detecting every NHI leak path on endpoints.
One useful benchmark is the vendor research in The State of Secrets in AppSec, which reports that the average estimated time to remediate a leaked secret is 27 days despite high confidence in secrets management. That gap matters because slow remediation gives attackers time to reuse tokens across SaaS, cloud, and CI systems. The Reviewdog GitHub Action supply chain attack is a practical example of how trusted automation can become a leak vector without any obvious user error.
Security teams should treat local endpoint signals as evidence of exposure, not proof of a single compromised secret. Browser profile access, persistent launch agents, and unexpected child processes matter because they indicate an execution path that could have harvested multiple credentials at once. The control challenge is strongest on systems with long-lived developer sessions, broad local caching, and sparse EDR coverage.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Non-Human Identity Top 10 and OWASP Agentic AI Top 10 address the attack and risk surface, while NIST CSF 2.0 set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-03 | Addresses secret exposure and rotation after endpoint compromise. |
| OWASP Agentic AI Top 10 | Agentic workloads can chain tools and leak secrets from developer endpoints. | |
| NIST CSF 2.0 | DE.CM-7 | Continuous monitoring is required to spot abnormal token and endpoint activity. |
Inventory exposed NHI secrets, then rotate and revoke them immediately after suspicious endpoint activity.
Related resources from NHI Mgmt Group
Deepen Your Knowledge
Reviewed and updated by the NHIMG editorial team on June 20, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org
