They should remove reusable secrets from build paths entirely and replace them with workload-bound credentials that are issued only when needed. The goal is to make install-time malware unable to find a token worth stealing. That means repository scans, CI hardening, and immediate revocation when a secret is exposed.
Why This Matters for Security Teams
Reusable secrets in npm build and CI paths are high-value targets because they sit exactly where untrusted code is most likely to execute. A package install, postinstall script, or CI step can exfiltrate tokens long before a human notices. Current guidance from the OWASP Non-Human Identity Top 10 and NHIMG research on the Shai Hulud npm malware campaign points to the same operational truth: static tokens in build systems are not merely overprivileged, they are exposed to adversarial code by design.
The real risk is not only theft, but reuse. Once a secret is copied from a runner, registry cache, log stream, or developer workstation, it can be replayed elsewhere until revoked. That makes build-time compromise a broader identity problem, not just a code scanning problem. NHIMG’s Guide to the Secret Sprawl Challenge shows how quickly secrets multiply across tools and environments, which is why security teams need to treat CI as an identity boundary, not a trusted zone. In practice, many security teams discover the exposure only after package compromise or pipeline abuse has already started.
How It Works in Practice
The safest pattern is to remove reusable secrets from build paths entirely and replace them with workload-bound credentials that are issued per job, scoped to a single purpose, and revoked automatically when the task ends. That means using short-lived OIDC-backed tokens, federated workload identity, or brokered access rather than long-lived API keys stored in environment variables. For npm builds, the goal is to make install-time malware unable to find a token worth stealing.
Security teams should apply four controls together:
- Issue ephemeral credentials at runtime, not during repository checkout or image build.
- Bind access to workload identity and job context so the credential only works for the intended runner, repo, branch, or pipeline stage.
- Strip secrets from logs, artifacts, caches, and container layers before they can persist beyond the job.
- Revoke and rotate immediately when a token is exposed, even if exposure is only suspected.
This model aligns with NHIMG guidance on static vs dynamic secrets and with the CI/CD pipeline exploitation case study, where the issue is not one secret in isolation but the trust placed in the runner, the package manager, and every transitive dependency. The practical control objective is to make every credential useless outside the exact task for which it was minted, while using OWASP Non-Human Identity Top 10 guidance to harden secret lifecycle handling. These controls tend to break down in shared, long-lived runners with broad network access because the credential boundary and the execution boundary are no longer the same.
Common Variations and Edge Cases
Tighter secret controls often increase pipeline complexity and can slow developer workflows, so organisations have to balance build speed against blast-radius reduction. Best practice is evolving, but there is no universal standard yet for every npm and CI scenario. Teams commonly need different handling for internal packages, public open-source builds, and privileged release pipelines.
Edge cases matter. Some npm workflows still rely on tokens for private registry access, and some legacy CI systems cannot natively mint workload-bound credentials. In those environments, reduce risk by narrowing token scope, shortening TTLs aggressively, isolating runners, and enforcing per-job revocation. If a platform cannot support ephemeral identity, it should be treated as a migration gap rather than a stable exception.
Secrets scans remain useful, but they are a detection layer, not the primary control. NHIMG’s research on the Shai Hulud npm malware campaign and the broader 52 NHI Breaches Analysis both reinforce that exposed build credentials are often discovered after automated abuse has already started. That is why the right default is no reusable secret in the build path at all.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Agentic AI Top 10, OWASP Non-Human Identity Top 10 and CSA MAESTRO define the specific risk controls and attack patterns relevant to this topic.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Agentic AI Top 10 | A2 | Build and CI secrets are prime targets for tool-chain abuse and credential theft. |
| OWASP Non-Human Identity Top 10 | NHI-03 | Addresses secret lifecycle and rotation for non-human identities used in automation. |
| CSA MAESTRO | C5 | Covers agent and workload identity, authorization, and secret handling in automated systems. |
Remove reusable secrets from CI paths and replace them with runtime-bound, short-lived credentials.
Related resources from NHI Mgmt Group
- How should security teams reduce risk from secrets in CI environments?
- How should security teams handle exposed secrets in AI-driven environments?
- What breaks when secrets are stored in pods or build environments?
- How should security teams prevent a malicious npm package from stealing cloud credentials?
Deepen Your Knowledge
Reviewed and updated by the NHIMG editorial team on June 11, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org
