Study Finds Average 150 Secrets Stored on Developer Workstations, Exposing Cloud and IAM Credentials
What Happened — GitGuardian’s latest analysis of 50 developer endpoints uncovered an average of 150 plaintext secrets per machine. Private keys made up 38 % of the findings, while cloud, identity‑provider and secret‑management credentials (AWS IAM, HashiCorp Vault) accounted for another 22 %. Many of these secrets sat in coding‑agent history files, IDE plugin caches, and AI‑assistant prompts, locations that traditional AppSec tooling (repository and CI secret scanners) never reads.
Why It Matters for TPRM —
- Credentials leaked onto developer laptops can be harvested before any code reaches a repository or production, so pre‑commit hooks, CI secret scanning and other supply‑chain controls never see them.
- Compromised workstations become a “high‑ROI” foothold for attackers targeting downstream vendors and SaaS providers.
- Existing third‑party risk assessments often overlook endpoint secret sprawl, creating blind spots in the overall security posture.
Who Is Affected — Technology SaaS vendors, cloud service providers, identity‑provider platforms, and any organization that outsources software development or relies on third‑party development teams.
Recommended Actions —
- Extend vendor risk questionnaires to include endpoint secret‑management practices.
- Mandate regular secret‑scanning of developer machines (including IDE caches, shell history, and AI‑assistant logs).
- Require dedicated secret storage (e.g., HashiCorp Vault, AWS Secrets Manager) and short‑lived, per‑developer credentials, so that no long‑lived secret needs to exist on a workstation at all.
- Incorporate endpoint detection and response (EDR) rules that flag secret‑type patterns in local files.
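The scanning the actions above call for looks, at its core, like the script below. It is an added example written for this brief, not GitGuardian’s scanner or any vendor’s product. It walks a directory of constructed sample files standing in for a shell history, an IDE plugin cache and an AI‑assistant log, matches a handful of credential formats with a documented shape (AWS access key IDs, PEM private‑key headers, Vault and GitHub tokens), falls back to a Shannon‑entropy check for generic `secret=…` assignments so that placeholders like `changeme` are not reported, and prints a redacted preview so the report does not become one more copy of the secret. The file names, the pattern selection and the entropy threshold are illustrative choices; the AWS pair is the one AWS documents as an example, not a live credential.

```python
"""Scan developer-workstation artifacts for plaintext secrets.

Added example for this brief; not GitGuardian's tool or any vendor product.
Walks a directory of constructed sample files (shell history, IDE plugin
cache, AI-assistant log), matches a few credential formats with a documented
shape, falls back to an entropy check for generic "secret=..." assignments,
and reports each hit with a redacted preview.
"""
import math
import os
import re
import tempfile
from collections import Counter

# Credential formats with a fixed, publicly documented prefix/length.
# Hypothetical selection for the example; real scanners carry hundreds.
FIXED_PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "vault_token": re.compile(r"\bhv[sb]\.[A-Za-z0-9_-]{24,}\b"),
    "github_token": re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36}\b"),
}

# Fallback: a secret-looking variable name assigned a long value. Reported
# only when the value is high-entropy, which filters out placeholders.
ASSIGNMENT = re.compile(
    r"(?i)(secret|token|password|api[_-]?key)[A-Za-z_]*['\"]?\s*[:=]\s*['\"]?"
    r"([A-Za-z0-9+/=_\-]{16,})"
)
ENTROPY_THRESHOLD = 3.5  # bits per character; random base64 lands near 5.5-6


def shannon_entropy(value: str) -> float:
    """Bits per character of the value's symbol distribution."""
    n = len(value)
    return -sum(c / n * math.log2(c / n) for c in Counter(value).values())


def redact(value: str) -> str:
    """Keep just enough of the match to locate it by eye, never the whole secret."""
    return value[:4] + "..." + value[-2:] if len(value) > 8 else "****"


def scan_text(text: str, source: str) -> list:
    """Return one finding dict per secret-looking match in `text`."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        hit = False
        for kind, pat in FIXED_PATTERNS.items():
            for m in pat.finditer(line):
                hit = True
                findings.append({"source": source, "line": lineno,
                                 "kind": kind, "preview": redact(m.group(0))})
        if hit:
            continue  # a specific format already explains this line
        for m in ASSIGNMENT.finditer(line):
            value = m.group(2)
            if shannon_entropy(value) >= ENTROPY_THRESHOLD:
                findings.append({"source": source, "line": lineno,
                                 "kind": "high_entropy_" + m.group(1).lower(),
                                 "preview": redact(value)})
    return findings


def scan_tree(root: str) -> list:
    """Scan every readable text file under `root`, skipping binaries."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                with open(path, encoding="utf-8") as fh:
                    text = fh.read()
            except (UnicodeDecodeError, OSError):
                continue
            findings.extend(scan_text(text, os.path.relpath(path, root)))
    return findings


# Constructed sample workstation. The AWS pair is AWS's documented EXAMPLE
# pair; every other value is a made-up placeholder of the right shape.
SAMPLE_FILES = {
    ".zsh_history": (
        ": 1700000000:0;export AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n"
        ": 1700000001:0;export AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\n"
        ": 1700000002:0;git status\n"
    ),
    ".config/ide-plugin/vault-cache.json": (
        '{"server": "https://vault.example.internal",\n'
        ' "token": "hvs.CAESIExampleTokenValueForIllustrationOnly000",\n'
        ' "password": "changeme_changeme_1"}\n'   # low entropy: not reported
    ),
    ".assistant/chat-2024-01.log": (
        "user: here is my deploy key, why does ssh fail?\n"
        "-----BEGIN OPENSSH PRIVATE KEY-----\n"
        "b3BlbnNzaC1rZXktdjEAAAAA...constructed placeholder body...\n"
        "-----END OPENSSH PRIVATE KEY-----\n"
        "user: and the repo token is ghp_0123456789abcdefghijklmnopqrstuvwxyz\n"
    ),
}


def build_sample_workstation() -> str:
    """Write the constructed files into a temp dir and return its path."""
    root = tempfile.mkdtemp(prefix="ws-")
    for rel, content in SAMPLE_FILES.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    for f in scan_tree(build_sample_workstation()):
        print(f"{f['source']}:{f['line']}  {f['kind']:<22} {f['preview']}")
```

Run against a real home directory the same logic would be pointed at `~`, with the usual exclusions for `node_modules`, virtualenvs and package caches; the point of the entropy fallback is that a plain `password=changeme` in a sample config is noise, while a 40‑character random value next to `AWS_SECRET_ACCESS_KEY` in shell history is exactly the kind of finding the GitGuardian numbers describe.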
Technical Notes — The exposure stems from poor secret‑handling hygiene rather than a specific vulnerability. An attacker, or malware, with access to a developer workstation can read credentials out of local files, IDE plugin caches, shell history or AI‑assistant context and then pivot to cloud accounts, CI/CD pipelines, or third‑party APIs with the victim’s own permissions. No CVE is cited; the risk is operational: long‑lived secrets stored where any process running as the developer can read them. Source: Help Net Security