Flare researchers discovered more than 10,000 public Docker Hub images in late 2025 that leaked production API keys, cloud tokens, CI/CD credentials, and AI model access tokens, exposing thousands of live non-human identities. These structural failures enabled real-world compromises like the UNC5537 Snowflake intrusions and the prolonged Home Depot token exposure, underscoring the need to detect, rotate, and revoke long-lived machine credentials.
Keypoints
- Researchers found over 10,000 Docker images leaking secrets including AI, cloud, database, and API keys.
- Non-human identities (tokens, service accounts, workload identities) authenticate continuously and often have broad, long-lived privileges.
- Real incidents—UNC5537’s Snowflake access, Home Depot’s year-long GitHub token, and the Red Hat GitLab compromise—show how exposed NHIs are exploited.
- Causes include long-lived credentials baked into images and repositories, lack of rotation, and inadequate secret scanning.
- Defenses include automated secret scanning across the SDLC, short-lived ephemeral credentials, monitoring public registries, and proactive revocation.
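
An added example, not from the article or from Flare: a minimal pre-publish check over an image's config JSON (OCI image config layout, `config.Env` and `history[].created_by`), showing that credentials passed as `ENV` or build-argument values stay readable in the published image metadata. The rule set, function names and sample values are assumptions constructed for illustration.

```python
import json
import re

# Illustrative rules: two well-known token shapes plus a generic
# "secret-looking variable name" assignment. Not an exhaustive rule set.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "named_secret": re.compile(
        r"\b[A-Z0-9_]*(?:SECRET|TOKEN|PASSWORD|API_?KEY)[A-Z0-9_]*=(\S{8,})",
        re.IGNORECASE),
}

def redact(value):
    """Keep only a short prefix so findings can be logged safely."""
    return value[:4] + "..."

def scan_image_config(config_json):
    """Return sorted (location, rule, redacted_value) findings."""
    cfg = json.loads(config_json)
    env = (cfg.get("config") or {}).get("Env") or []
    history = cfg.get("history") or []
    sources = [(f"config.Env[{i}]", e) for i, e in enumerate(env)]
    sources += [(f"history[{i}].created_by", h.get("created_by", ""))
                for i, h in enumerate(history)]
    findings = set()
    for location, text in sources:
        for rule, rx in PATTERNS.items():
            for m in rx.finditer(text):
                value = m.group(1) if m.groups() else m.group(0)
                findings.add((location, rule, redact(value)))
    return sorted(findings)

# Constructed sample config; every credential value below is fake.
SAMPLE = json.dumps({
    "config": {"Env": ["PATH=/usr/local/bin:/usr/bin",
                       "MODEL_API_KEY=constructed-key-000000"]},
    "history": [
        {"created_by": "RUN |1 NPM_TOKEN=constructed-token-0001 /bin/sh -c npm ci"},
        {"created_by": "RUN /bin/sh -c aws configure set aws_access_key_id AKIAIOSFODNN7EXAMPLE"},
        {"created_by": "COPY . /app"},
    ],
})

if __name__ == "__main__":
    for finding in scan_image_config(SAMPLE):
        print(*finding)
```

A non-empty result should fail the publish step, and any credential that already shipped in a pushed image needs to be revoked and rotated rather than just removed from the next build.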
Read More: https://www.bleepingcomputer.com/news/security/the-double-edged-sword-of-non-human-identities/