Supply chain, DevSecOps

Developer tools are now the front door to our customer’s data

A 3D rendering shows a chain of binary code links breaking apart, symbolizing a data breach or cybersecurity vulnerability.

COMMENTARY: In March 2025, an attacker gained access to Salesloft's GitHub organization. No alarms fired. No customer data was immediately at risk. The compromise sat in a developer repository.

Five months later, that foothold cascaded into one of the largest SaaS supply-chain breaches on record. The attacker pivoted from GitHub into Salesloft's AWS environment, exfiltrated OAuth tokens tied to the Drift chatbot integration, and used those tokens to pull data from more than 700 Salesforce customer tenants in 10 days. The API calls originated from Drift's own infrastructure. The traffic matched normal integration behavior.

This attack chain represents a pattern – and it’s accelerating.

Compromise a Dev tool, inherit the enterprise

The threat actor behind the Salesloft/Drift breach, tracked by Google as UNC6395, moved from GitHub to AWS to Drift's OAuth tokens to Salesforce, then searched Salesforce records for embedded credentials: AWS keys, Snowflake passwords, and API secrets. Those credentials opened paths into additional downstream systems. Each step exploited a trust relationship that no single security tool monitored end-to-end.

[SC Media Perspectives columns are written by a trusted community of SC Media cybersecurity subject matter experts. Read more Perspectives here.]

This pattern has a clear precedent. In 2021, attackers modified one line in Codecov's Bash Uploader script, causing it to exfiltrate environment variables from the CI pipelines of 23,000 customers for two months. Those variables contained credentials for databases, cloud infrastructure, and SaaS platforms.

In late 2022, malware on a CircleCI engineer's laptop stole a session cookie, granting access to production systems and exposing customer tokens, SSH keys, and encryption keys. Every CircleCI customer was told to assume their secrets were compromised.

The GlassWorm campaign, identified Jan. 30, 2026, signals where this threat will head next. Attackers compromised a legitimate developer's publishing credentials on the Open VSX Registry and pushed malicious updates to four VS Code extensions with 22,000 combined downloads. The payload harvests AWS credentials, SSH private keys, npm tokens, GitHub artifacts, browser sessions, and macOS keychain contents.

Each acts as a bridge from a developer workstation into the third-party systems that house an organization's most sensitive data. No confirmed cascade into enterprise SaaS has been reported, but the credential collection profile was purpose-built for that escalation.

Agentic AI makes all this faster

Agentic AI development tools will compound this risk at machine speed. GitHub Copilot, Cursor, Devin, and Amazon Q Developer no longer just suggest code. They generate integrations, create OAuth connections, store secrets, and modify infrastructure configuration autonomously. Every automated action expands the web of trust relationships that security teams cannot fully see or govern.

It's already producing real vulnerabilities. In mid-2025, researchers disclosed CamoLeak (CVSS 9.6), a prompt-injection attack against GitHub Copilot Chat that leveraged hidden comments in pull requests to silently exfiltrate AWS credentials and source code from victims' private repositories.

Separately, security researcher Adnan Khan demonstrated that an attacker could trick Copilot's coding agent into committing a malicious CI/CD workflow, then trigger it to steal all repository secrets. Cursor has its own variant (CVE-2025-54135): a single poisoned prompt delivered through a connected MCP server gave attackers remote code execution on the developer's machine before the user could reject the suggestion.

These are patched vulnerabilities with CVEs and proof-of-concept exploits. It’s an underlying structural problem: AI agents ingest untrusted external data and act on it with developer-level privileges. It resurfaces across platforms because it’s intrinsic to how these tools operate.

What once required a compromised developer account can now occur through compromised prompts, poisoned context, or manipulated agent workflows. The result is the same: legitimate credentials operating across trusted integrations, but created and propagated far faster than traditional security controls can follow.

OAuth tokens are the new passwords

All of the incidents I’ve outlined share a root cause. Enterprise data now lives in and moves through third-party systems the enterprise depends on, but does not own: SaaS applications, data lakes, cloud storage, AI tools and agents, and the helper services attached to them, such as chatbots, integration platforms, enrichment services, and workflow automation.

These systems connect to each other through OAuth grants, API keys, and service accounts that carry broad permissions, rarely expire, and are almost never monitored for behavioral anomalies after initial authorization. Once an attacker obtains a legitimate token, whether by stealing it from a repository or by tricking an AI agent into creating one, they inherit the trust that the token carries across every connected system. They operate inside the trust boundary of systems the enterprise does not own, accessing data it is responsible for protecting.

The gap is the integration layer: the connective tissue of APIs, OAuth apps, and automated workflows where data actually moves between these third-party systems. That’s where these attacks live.

Three questions for security pros

In the Salesloft/Drift breach, the anomaly was visible only by correlating activity across Salesforce, Google Workspace, and Zscaler simultaneously and recognizing that a single set of tokens was accessing all three at volumes that deviated from Drift's baseline. No individual platform's logs revealed the threat.

Security leaders should ask:

Can we track how sensitive data moves between third-party systems through integrations, not just within individual apps?

Without that, supply-chain attacks exploiting trusted integration paths stay invisible.

Do we baseline the behavior of non-human identities (NHIs) and alert on deviations?

A stolen token operating within its authorized scope will not trigger a policy-based alert, regardless of how much data it exfiltrates.

When a vendor announces a breach, can we determine our blast radius in minutes? And, which data did that vendor's integrations touch, which tokens are involved, how far could compromise propagate?

If that takes days of manual reconstruction, the containment window has closed.

The attack surface has become the full ecosystem of third-party systems that house and move our most sensitive data. Developer tools are the entry point. AI agents are multiplying those entry points at a pace human review cannot match. And behavioral monitoring across that ecosystem, with data-layer context, represents the missing control.

Keep in mind that the credentials are already being harvested. And, the agents are already building the bridges.

Amir Khayat, co-founder and CEO, Vorlon

SC Media Perspectives columns are written by a trusted community of SC Media cybersecurity subject matter experts. Each contribution has a goal of bringing a unique voice to important cybersecurity topics. Content strives to be of the highest quality, objective and non-commercial.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms of Use and Privacy Policy.

You can skip this ad in 5 seconds