What Happened
Your developers store credentials on their laptops. Git history, environment files, configuration snippets, and API keys are all vulnerable on machines that connect to public WiFi, run unvetted packages, and execute code from unaudited GitHub repositories.
The Megalodon campaign highlighted this vulnerability. Attackers targeted developer endpoints to harvest credentials, then accessed production systems. The breach wasn't detected by your SIEM or secret scanning pipeline but was discovered weeks later during an unrelated security review.
The core issue: your security controls stopped at the perimeter. You scanned repositories, monitored production, and enforced MFA, but lacked visibility into credentials on developer machines.
Timeline of Compromise
Day 0: A developer clones a repository that had a hardcoded API key committed three months ago. The key was rotated in production, but the old value was never revoked and still sits in the git history on their laptop.
Day 0 + hours: Malware delivered through a compromised npm package scans the filesystem for credential patterns.
Day 0 + 24 hours: The attacker exfiltrates credentials and tests them against your infrastructure.
Day 0 + weeks: Unauthorized API calls are discovered during a routine audit. Investigation reveals the credential came from a developer's laptop.
Day 0 + months: You still don't know what other credentials exist on developer endpoints across your organization.
Failed or Missing Controls
The control gap is structural. Your secret scanning runs on:
- Pre-commit hooks (often disabled by developers in a hurry)
- CI/CD pipelines (only see what gets pushed)
- Repository scans (miss local branches and uncommitted work)
These controls do not cover the actual endpoint where development happens. You're scanning the artifact after it's been sanitized, not the workspace where the credential was created.
Specific failures include:
No Endpoint Visibility: You couldn't determine how many credentials exist on developer machines, which ones are live, or which developers have access to production keys.
No Real-Time Detection: When an attacker scanned a developer's filesystem, you had no alert. The compromise was silent due to lack of monitoring.
No Integration Path: Even if credentials were discovered manually, there was no workflow to integrate that data into your incident response process.
Relevant Standards
PCI DSS v4.0.1 Requirement 12.5.1 requires a current inventory of in-scope system components. A developer laptop holding credentials that reach the cardholder data environment is in scope whether or not your inventory lists it.
NIST SP 800-53 Rev 5 control IA-5(7), No Embedded Unencrypted Static Authenticators, requires that static authenticators such as API keys are not embedded in applications or kept unencrypted in static storage. A plaintext key in a local git history or .env file is exactly the condition the control prohibits, and you can't remediate a condition you can't see.
ISO/IEC 27001:2022 Annex A.5.13 requires labeling of information according to its classification. You can't label authentication material you haven't located. "We scan the repo" doesn't satisfy this if credentials live on endpoints.
SOC 2 Type II CC6.1 requires logical and physical access controls. Auditors will ask how you prevent unauthorized access to credentials. Scanning repositories isn't enough if credentials are created and stored on endpoints.
Action Items for Your Team
1. Extend Secret Scanning to Endpoints
Repository scans address only part of the problem. The rest involves:
- Local git history never pushed
- Environment files for testing
- Configuration snippets in notes
- Credentials in browser history or clipboard managers
Deploy endpoint scanning locally on developer machines. For example, GitGuardian's implementation can scan 500,000 files in under three minutes, minimizing disruption.
2. Deploy Honeytokens for Real-Time Detection
Static scanning finds credentials at rest. Honeytokens detect active attacks. When an attacker harvests a honeytoken from a filesystem and attempts to use it, you receive an alert immediately.
Place honeytokens where harvesters look: .env files, .aws/credentials, git config. Any attempt to use one tells you that credential harvesting is under way, and a distinct token per location tells you which file was read.
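Both halves of that control, as an added example in Python (not GitGuardian's honeytoken service or code from this page): plant one distinct decoy per location so the alert names the file that was read, then match CloudTrail-style records against the planted key ids. The decoy values, the hostname, the file paths and the log records are all constructed for the demo. A real honeytoken has to be a genuine credential issued by your provider, for AWS an IAM access key on a user with no permissions, because the provider may not log requests signed with a key id it never issued.

```python
"""Honeytoken planting and use detection (added example, not GitGuardian's code).

Decoy values below are constructed placeholders; a real honeytoken is a genuine
credential issued by the provider so that any use shows up in its API log.
"""
import json
import os
import secrets
import string
import tempfile


def make_decoy_key_id():
    """AWS-shaped key id for the demo only; real honeytokens come from the issuer."""
    alphabet = string.ascii_uppercase + string.digits
    return "AKIA" + "".join(secrets.choice(alphabet) for _ in range(16))


# One template per location the harvesters read; each gets its own key id.
TEMPLATES = {
    ".aws/credentials": "[default]\naws_access_key_id = {key}\naws_secret_access_key = {secret}\n",
    ".env": "AWS_ACCESS_KEY_ID={key}\nAWS_SECRET_ACCESS_KEY={secret}\n",
    "repo/config/local.yml": "s3:\n  access_key: {key}\n  secret_key: {secret}\n",
}


def plant_honeytokens(home, hostname, issue=make_decoy_key_id):
    """Write a distinct decoy into each location and return the registry the
    detector needs (key id -> host and path). Keep the registry off the endpoint."""
    registry = {}
    for rel, template in TEMPLATES.items():
        key = issue()
        path = os.path.join(home, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(template.format(key=key, secret=secrets.token_hex(20)))
        registry[key] = {"host": hostname, "path": rel}
    return registry


def detect_honeytoken_use(log_lines, registry):
    """Match CloudTrail-style JSON records (userIdentity.accessKeyId) against the
    planted ids. Every event counts, AccessDenied included: a no-permission
    canary only ever produces errors, and the error is the signal."""
    alerts = []
    for raw in log_lines:
        try:
            ev = json.loads(raw)
        except json.JSONDecodeError:
            continue
        if not isinstance(ev, dict):
            continue
        hit = registry.get((ev.get("userIdentity") or {}).get("accessKeyId"))
        if hit is None:
            continue
        alerts.append({"severity": "critical", "planted_on": hit["host"],
                       "planted_at": hit["path"], "event": ev.get("eventName"),
                       "source_ip": ev.get("sourceIPAddress"),
                       "user_agent": ev.get("userAgent"), "time": ev.get("eventTime")})
    return alerts


def demo():
    """Plant decoys in a scratch home directory, then run constructed log records
    through the detector: one legitimate call, one use of the .env decoy, one junk line."""
    with tempfile.TemporaryDirectory() as home:
        registry = plant_honeytokens(home, "dev-laptop-42")
    stolen = next(k for k, v in registry.items() if v["path"] == ".env")
    log_lines = [
        json.dumps({"eventTime": "2024-05-02T03:10:00Z", "eventName": "GetObject",
                    "userIdentity": {"accessKeyId": "AKIAIOSFODNN7EXAMPLE"},
                    "sourceIPAddress": "10.0.4.12", "userAgent": "aws-sdk-go/1.44"}),
        json.dumps({"eventTime": "2024-05-02T03:14:07Z", "eventName": "ListBuckets",
                    "userIdentity": {"accessKeyId": stolen},
                    "sourceIPAddress": "203.0.113.77", "userAgent": "aws-cli/2.15.0",
                    "errorCode": "AccessDenied"}),
        "not json at all",
    ]
    return {"registry": registry, "alerts": detect_honeytoken_use(log_lines, registry)}
```

The registry is the sensitive half: whoever holds it can tell decoys from real keys, so it lives with the detector, not on the laptop. Because each location gets its own key id, an alert on the .env decoy tells you the attacker read environment files, which is a different post-compromise picture from one that read ~/.aws/credentials.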
3. Integrate Endpoint Data into Your Security Workflow
Endpoint scanning generates findings that need to integrate into your incident response process. Use MDM-based rollout via Intune or Jamf for deployment. Feed findings into your SIEM or ticketing system. Automatically map discovered credentials to owners for quick response.
4. Build a Credential Inventory
Begin with: what credentials exist on developer endpoints now? Conduct an initial scan and catalog findings.
You'll find:
- Credentials from former contractors
- API keys for unused services
- Production credentials on unauthorized machines
This inventory becomes your baseline. Track it over time and investigate any unauthorized credential appearances.
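Steps 1 and 4 together, as an added example in Python (not GitGuardian's scanner or code from this page): walk the working tree, pull unpushed history out of git itself because the objects under .git are compressed, and keep an inventory keyed by a fingerprint of each secret so the raw value never reaches a log or ticket. The AWS and GitHub rules use those vendors' documented key prefixes; the generic key=value rule is a heuristic behind an entropy gate. The sample workspace, the AWS documentation example key ids and the placeholder GitHub token are constructed for the demo.

```python
"""Endpoint secret scan plus credential inventory (added example, not GitGuardian's code).

Findings carry a SHA-256 fingerprint of the secret, never the secret itself, so they
can be shipped to a SIEM or ticketing system without creating a second leak.
"""
import hashlib
import math
import os
import re
import shutil
import subprocess
import tempfile

PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "github_token": re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36,}\b"),
    # key = value style; group(1) is the value and must also pass the entropy gate
    "generic_assignment": re.compile(
        r"(?i)\b(?:api[_-]?key|secret|token|password)\b\s*[:=]\s*['\"]?([A-Za-z0-9_\-/+=]{16,})"
    ),
}
SKIP_DIRS = {".git", "node_modules", ".venv", "__pycache__"}  # .git is covered via git itself


def shannon_entropy(s):
    """Bits per character: random keys sit around 4 to 5, English words near 3."""
    return -sum(s.count(c) / len(s) * math.log2(s.count(c) / len(s)) for c in set(s))


def fingerprint(secret):
    """Stable, non-reversible handle used for the inventory and for tickets."""
    return hashlib.sha256(secret.encode()).hexdigest()[:16]


def scan_text(text, location):
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for kind, pat in PATTERNS.items():
            for m in pat.finditer(line):
                secret = m.group(1) if kind == "generic_assignment" else m.group(0)
                if kind == "generic_assignment" and shannon_entropy(secret) < 3.5:
                    continue  # placeholders such as password = "changemechangeme"
                findings.append({"kind": kind, "location": location,
                                 "line": lineno, "fingerprint": fingerprint(secret)})
    return findings


def scan_tree(root):
    """Scan the working tree, skipping binaries and vendored directories."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d not in SKIP_DIRS]
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    raw = fh.read()
            except OSError:
                continue
            if b"\x00" in raw[:1024]:
                continue  # binary
            findings.extend(scan_text(raw.decode("utf-8", "replace"),
                                      os.path.relpath(path, root)))
    return findings


def scan_git_history(repo):
    """Objects under .git are zlib-compressed, so a file walk misses history.
    Ask git for every diff on every ref, which includes unpushed local branches."""
    if not shutil.which("git") or not os.path.isdir(os.path.join(repo, ".git")):
        return []
    log = subprocess.run(["git", "-C", repo, "log", "--all", "-p", "--no-color"],
                         capture_output=True, text=True, check=False).stdout
    return scan_text(log, "git-history")


def diff_inventory(baseline, current):
    """New credential appearances since the baseline scan: the set to investigate."""
    seen = {f["fingerprint"] for f in baseline}
    return [f for f in current if f["fingerprint"] not in seen]


def build_sample_workspace(root):
    """Constructed files standing in for a developer's home directory (not real data)."""
    files = {
        ".env": "DEBUG=1\nAWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n",
        ".git-credentials": "https://dev:ghp_" + "A" * 36 + "@github.com\n",  # placeholder token
        "notes/todo.md": 'staging api_key = "x9Qv3Lm8Tz2Rk7Wq1Jp4Nd6Bh"\npassword = "changemechangeme"\n',
        "build/app.bin": b"\x00\x01\x02binary",
    }
    for rel, content in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb" if isinstance(content, bytes) else "w") as fh:
            fh.write(content)


def demo():
    """Baseline scan, then a second scan after a key is pasted into a scratch file."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_workspace(root)
        baseline = scan_tree(root) + scan_git_history(root)
        with open(os.path.join(root, "scratch.txt"), "w") as fh:
            fh.write("AWS_ACCESS_KEY_ID=AKIAI44QH8DHBEXAMPLE\n")
        current = scan_tree(root) + scan_git_history(root)
        return {"baseline": baseline, "new": diff_inventory(baseline, current)}
```

The baseline from the first run is the inventory; every later run is diffed against it, and only new fingerprints become tickets. Mapping a fingerprint to an owner is then a join against the same fingerprint computed server-side over the secrets you know about, so the raw key never has to leave the endpoint.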
5. Test Detection with a Tabletop Exercise
Simulate a Megalodon-style attack. Have a team member clone a repository with embedded credentials. Can your security team detect it? How long does it take? What is the response process?
If you can't detect credential exposure during a test, you won't during an actual attack.
The shift to endpoint-focused security is essential. Attackers target developer machines as soft spots in your infrastructure. Your controls must extend to where the work happens.