


Non-human identities (NHIs), such as API keys, OAuth tokens, AI agents, and service accounts, now outnumber human identities 144 to one, up 44% from the previous year's ratio of 92 to one.
NHIs are essential in the distributed, microservice-based architectures that most software follows these days. However, their existence undermines security postures that largely assume a system identity refers to a human, i.e., a person with a username and password.
Security leaders must be aware of the increasing complexity of identity management so they can integrate solutions that account for these potential weaknesses.
NHIs and secrets present several challenges.
Firstly, they allow access to a system without the MFA requirements imposed on human users. Whereas a human user typically must verify their identity via SMS or an authenticator app each time they access a sensitive system, an NHI is configured once and then forgotten.
The argument has been that NHIs are typically stored as secrets in code repositories or hosting platforms, thus reducing the risk of their exposure.
That leads us to the second problem: many of these secrets aren't stored as securely as they should be. For example, the NHI & Secrets Risk Report H1 2025 by Entro found that nearly half of the exposed secrets it identified were outside of code repos. That means secrets are being stored in Excel sheets, text files, cloud storage accounts, Slack channels, and so on.
Nearly one in five exposed secrets came from SharePoint.
Thirdly, nearly all NHIs (97%) have excessive privileges, and 92% of organizations expose NHIs to third parties even when those third parties don’t follow the organization’s required security standards.
The sheer number of NHIs also makes managing them a nightmare unless proper data governance is in place.
It’s extremely challenging for a security leader to keep track of every API key across every system. Proper rotation cycles and key management in a data governance system are therefore crucial.
Other discoveries that exacerbate the problem are:
Regarding that last point: almost half of NHIs are more than a year old, and just under 8% are between five and 10 years old. One in a thousand is over 10 years old, and some of them even outlive their creators.
The aging trend of secrets is worse: 2.3% are more than a decade old, including hardcoded secrets in legacy code that maintainers consider too risky to change.
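The age buckets and rotation problems described above can be checked against your own inventory. This is an added example, not code from the original post or the cited report; the inventory layout (name, created, last_rotated, owner, owner_active), the sample entries and the 90-day rotation policy are constructed assumptions, and a real inventory would come from a vault or IAM export.

```python
from datetime import date

MAX_ROTATION_DAYS = 90          # assumed policy: rotate every 90 days
TODAY = date(2025, 7, 1)        # fixed "today" so results are reproducible

# Constructed sample inventory; every name, owner and date is fictional.
INVENTORY = [
    {"name": "ci-deploy-key", "created": date(2025, 5, 1),
     "last_rotated": date(2025, 5, 1), "owner": "alice", "owner_active": True},
    {"name": "billing-api-token", "created": date(2023, 2, 15),
     "last_rotated": date(2023, 2, 15), "owner": "bob", "owner_active": True},
    {"name": "erp-service-account", "created": date(2018, 9, 10),
     "last_rotated": date(2025, 6, 15), "owner": "dave", "owner_active": True},
    {"name": "legacy-db-password", "created": date(2012, 6, 1),
     "last_rotated": date(2012, 6, 1), "owner": "carol", "owner_active": False},
]

def age_bucket(created, today):
    """Classify identity age into the buckets used in the statistics above."""
    years = (today - created).days / 365.25
    if years > 10:
        return ">10y"
    if years >= 5:
        return "5-10y"
    if years > 1:
        return "1-5y"
    return "<=1y"

def summarize(inventory, today):
    """Count identities per age bucket so the organisation's own ratio is visible."""
    counts = {"<=1y": 0, "1-5y": 0, "5-10y": 0, ">10y": 0}
    for item in inventory:
        counts[age_bucket(item["created"], today)] += 1
    return counts

def audit(inventory, today, max_rotation_days=MAX_ROTATION_DAYS):
    """Return {name: [issues]} for identities overdue for rotation or orphaned."""
    findings = {}
    for item in inventory:
        issues = []
        if (today - item["last_rotated"]).days > max_rotation_days:
            issues.append("rotation overdue")
        if not item["owner_active"]:     # secret has outlived its creator
            issues.append("orphaned: owner no longer active")
        if issues:
            findings[item["name"]] = issues
    return findings
```

An identity created years ago but rotated within policy is reported in the age summary without being flagged, while a fresh-looking identity whose owner has left is flagged regardless of its age.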
In 2024, GitHub saw 23.77 million secrets leaked, an increase of 25% from the year before, making secrets and NHIs a massive attack surface for threat actors. The leaks were worse in private repositories, suggesting that users feel a false sense of security in private repos versus public ones. The comparison breaks down as follows:
Wildly, 70% of code secrets leaked in 2022 are still valid.
As if all of that isn't bad enough, AI is making things worse. A review of 20,000 repositories with Copilot enabled found that they leaked secrets 40% more often than the average public repository. The review attributed this to the inherently weaker code produced by AI compared to human developers, and to the fact that pressure to use AI can push developers to prioritize speed over security.
A sad irony regarding the speed of development is that AI can only be as good as the average of all the data it’s been trained on. When AI models are trained indiscriminately on all available public code, then they also inherit the weaknesses of that code. When prompted, the AI can then suggest that weak code.
Employees use an average of 15 SaaS tools each. (Incidentally, the overspend on these tools is 10.5%, but that’s another blog for another time.) Meanwhile, IT typically knows about only a third of these tools, leading to shadow IT.
Thirty-four percent of employees use unsanctioned apps, and 59% of security professionals can’t guarantee that employees will follow SaaS policies.
The result is a fiction of data governance.
Instead of living in tidy stores within sanctioned SaaS tools, data now flows through dozens of third-party environments and tools, many of which haven’t been approved by the IT department.
As a result, companies are forced to increase SaaS security staff headcounts and budgets. Whereas SaaS security was treated mostly as an afterthought in the past, it’s now considered a priority by 80% of organizations, with 41% considering it a high priority.
Zero Trust has become the gold-standard architecture for identity security. Unfortunately, Zero Trust policies have been built around human users and rarely extend to the machine identities, SaaS-to-SaaS connections, and AI agents that now dominate the identity landscape.
OAuth tokens lack the MFA step on which Zero Trust is built, and so do API keys. By obtaining a security token or an API key, a threat actor bypasses the entire Zero Trust setup and simply walks through the front door.
Until Zero Trust can be applied with the same rigor to non-human identities as it is to the human ones, placing too much faith in the Zero Trust frameworks will lead to a false sense of security.
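Applying that rigor means treating possession of an API key as one signal among several, the way a human login is treated. The check below is an added example, not code from the original post: the key must be known (by fingerprint, never stored raw), unexpired, recently used, presented from an allowed network, and granted the scope the endpoint needs. The registry layout, policy values and the demo key are constructed assumptions.

```python
import hashlib
import ipaddress
from datetime import datetime, timedelta, timezone

def utc(year, month, day):
    """Helper for timezone-aware timestamps used by the registry and callers."""
    return datetime(year, month, day, tzinfo=timezone.utc)

def fingerprint(raw_key):
    """Store and look up only a SHA-256 fingerprint, never the key itself."""
    return hashlib.sha256(raw_key.encode()).hexdigest()

# Constructed registry: one record per non-human identity (values are fictional).
KEY_REGISTRY = {
    fingerprint("constructed-demo-key-123"): {
        "identity": "ci-deploy",
        "scopes": {"deploy:write"},
        "allowed_sources": ["10.20.0.0/16"],      # where this NHI may call from
        "expires": utc(2025, 9, 1),               # hard lifetime, forces rotation
        "max_idle": timedelta(days=30),           # dormant keys stop working
        "last_used": utc(2025, 7, 1),
    }
}

def authorize(raw_key, source_ip, required_scope, now):
    """Return (allowed, reason). Every check must pass; possession alone is not enough."""
    record = KEY_REGISTRY.get(fingerprint(raw_key))
    if record is None:
        return False, "unknown key"
    if now >= record["expires"]:
        return False, "key expired"
    if now - record["last_used"] > record["max_idle"]:
        return False, "key dormant beyond idle limit"
    ip = ipaddress.ip_address(source_ip)
    if not any(ip in ipaddress.ip_network(net) for net in record["allowed_sources"]):
        return False, "source not allowed"
    if required_scope not in record["scopes"]:
        return False, "scope not granted"
    return True, record["identity"]
```

A stolen key replayed from an unexpected network, after its lifetime, after a period of dormancy, or against an endpoint outside its scope is refused, and each refusal reason is a distinct event worth alerting on.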
The first step in securing NHI weaknesses is to recognize that any existing security posture does not adequately cover NHI and secrets management. They require special attention to ensure the rest of your security setup works.
Some of the steps you can take to mitigate NHI and secret leaks are:
Locking down NHI risks is both complex and resource-intensive. The NHI risks mentioned above don’t fall into a neat pattern and thus require constant attention.
Identity complexity has outpaced what most internal security teams can manage with existing tools and headcount.
SolCyber offers fully managed cybersecurity: focused on identity, driven by real people, and delivered with full transparency. We use a human-led approach, while leveraging cutting-edge tools, as a practical response to the governance challenges of NHI. We can work alongside your team or completely independently. We can take over your security completely or bolster areas that need more focus.
NHI is a complex area that isn’t getting any simpler. Working with a reliable MSSP can help you navigate the NHI minefield more easily.
To learn more about how SolCyber can help you, reach out to us for a demo.







