Subscribe to the Non-Human & AI Identity Journal
Home FAQ Threats, Abuse & Incident Response Why do infostealers create such a large IAM…
Threats, Abuse & Incident Response

Why do infostealers create such a large IAM risk?

← Back to all FAQ
By NHI Mgmt Group Editorial Team Updated July 14, 2026 Domain: Threats, Abuse & Incident Response

They turn endpoint compromise into identity compromise by collecting artefacts that authentication systems already trust. That matters for both human users and non-human identities because stolen tokens, passwords, and browser state can be reused for access, lateral movement, and exfiltration long after the original malware has been removed.

Why This Matters for Security Teams

Infostealers are not just endpoint malware. They are identity collection tools that harvest browser sessions, passwords, tokens, certificates, and synced cloud state that authentication systems already trust. That makes them especially dangerous in environments where access depends on reusable secrets rather than device posture or workload identity. The risk extends to non-human identities as well, because service accounts and automation often inherit the same weak secret-handling habits as user accounts.

NHIMG’s Top 10 NHI Issues and the NIST Cybersecurity Framework 2.0 both point to a practical reality: identity controls fail when secrets are durable, widely reused, and easy to export. In the 2024 Non-Human Identity Security Report, Aembit found that 88.5% of organisations say their non-human IAM lags behind or merely matches human IAM. That gap matters because infostealers can turn one compromised endpoint into many authenticated sessions, often without triggering classic perimeter alerts.

In practice, many security teams discover the identity impact of infostealers only after stolen sessions have already been reused for cloud access, lateral movement, or data exfiltration.

How It Works in Practice

The operational problem is straightforward. Once an infostealer lands on a laptop, browser, or build host, it looks for anything that can be replayed elsewhere: cached credentials, session cookies, refresh tokens, SSH keys, API keys, and cloud CLI profiles. If the organisation relies on static secrets or long-lived sessions, the attacker may not need to crack passwords at all. They simply import the stolen artefact into a fresh environment and act as a trusted identity.

This is why identity risk must be handled as a credential lifecycle issue, not just a malware issue. Current guidance from NIST SP 800-53 Rev. 5 Security and Privacy Controls supports strong authentication, access control, and secret protection, but infostealer resilience usually requires more operational discipline:

  • Use short-lived credentials and revoke them automatically when a task ends.
  • Prefer federated identity, device-bound sessions, and workload identity over shared secrets.
  • Segment privileged access so a stolen browser session cannot reach admin functions by default.
  • Monitor for impossible travel, token reuse, unusual user agents, and sudden changes in access patterns.
  • Rotate exposed secrets quickly, including CI/CD tokens, cloud keys, and service account credentials.

For NHI-heavy environments, the issue is even sharper. The 2024 Non-Human Identity Security Report notes that many organisations still struggle with consistent access management across hybrid and multi-cloud environments, which increases the blast radius when a stolen secret is valid in more than one place. Better practice is to make each identity narrow, ephemeral, and context-aware rather than broadly reusable.

These controls tend to break down in shared developer workstations, unmanaged BYOD devices, and CI pipelines where long-lived tokens are stored in plaintext configuration or reused across environments.

Common Variations and Edge Cases

Tighter secret controls often increase operational friction, requiring organisations to balance faster developer workflows against shorter token lifetimes and more frequent reauthentication. That tradeoff becomes visible in environments that depend on automation, legacy protocols, or third-party integrations that cannot easily support modern federation.

There is no universal standard for every edge case yet, but current guidance suggests treating each exception as a temporary risk acceptance, not a permanent design pattern. A legacy app that cannot use federated auth should be isolated, monitored, and given the smallest possible secret scope. Shared service accounts should be phased out where possible, because a stolen token for one automation path can become a bridge into production data or cloud administration. The same logic applies to browser-synced secrets on admin workstations: convenience features can quietly expand the blast radius of infostealers.

For practitioners, the key question is not whether the malware was removed, but whether any exported identity artefact is still trusted anywhere. NHIMG’s Ultimate Guide to NHIs — Why NHI Security Matters Now and TruffleNet BEC Attack — Stolen AWS Credentials illustrate how stolen credentials can outlive the initial compromise and be reused at scale.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0, NIST SP 800-63, NIST Zero Trust (SP 800-207) and NIST AI RMF set the governance and control requirements practitioners need to meet.

FrameworkControl / ReferenceRelevance
OWASP Non-Human Identity Top 10NHI-01Infostealers exploit weak secret handling and reusable NHI credentials.
NIST CSF 2.0PR.AC-1Identity proofing and access control limit replay of stolen sessions.
NIST SP 800-63Session and authenticator guidance helps reduce token replay risk.
NIST Zero Trust (SP 800-207)AC-3Zero Trust limits lateral movement after endpoint token theft.
NIST AI RMFRisk governance should account for identity theft in AI and automation workflows.

Eliminate long-lived shared secrets and map every NHI to a narrowly scoped, revocable credential.

NHIMG Editorial Note
Reviewed and updated by the NHIMG editorial team on July 14, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org