New York, New York, June 16th, 2026, CyberNewswire
GitGuardian is introducing Developer Endpoint Protection, extending its secrets and non-human identity (NHI) security platform coverage to developer workstations.
After 12 months of supply-chain campaigns harvesting credentials from developer machines, CISOs and IT leaders are reopening a question many considered settled: what does endpoint protection have to cover today, and who owns it?
Across software supply chain incidents and SaaS compromises over the past 12 months, the pattern is the same every time: attackers land on a developer or privileged endpoint, harvest valid credentials sitting in plaintext, and use those credentials to move laterally into production code, cloud control planes, and SaaS apps. The developer endpoint is back at the center of the breach story. The threat model is the part that’s moved.
Attackers have stopped hunting for zero-days when developer endpoints and CI pipelines already hand them the credentials they need. The self-replicating Mini Shai-Hulud worm has compromised more than 300 npm and PyPI packages. The Bitwarden CLI compromise, the Trivy → LiteLLM campaign, and the April 2026 Vercel exposure followed the same pattern: credentials cached on developer or CI endpoints, harvested at scale.
A new exposure class is making the problem worse. Coding agents and MCP servers, now standard on developer and employee machines, generate credentials that persist after a session, pull secrets from password managers and vaults, and routinely leave copies in log files, shell history, and IDE caches. Most organizations deploying these tools have no inventory of what they create or leave behind, and existing security tools are not instrumented to find it.
“Attackers have figured out that secrets at rest on endpoints, especially for non-human identities (NHIs) and API keys, are just as valuable as stolen credentials in Active Directory,” said Ken Buckler, Information Security Research Director at Enterprise Management Associates (EMA). “EDR focuses on malicious processes; identity programs only see secrets after they’re used – so the endpoint becomes the gap. The organizations winning this fight are the ones treating endpoint secrets discovery as a first-class security problem, not bolting it onto EDR as an afterthought.”
The Three Moves Defenders Are Making
Incident responders converge on three moves. First, treat every developer and privileged endpoint as a credential store and inventory them as such. Second, prioritize credentials by what they grant access to, not by where they were found. Third, shorten the lifetime of anything that cannot be removed. Defenders who can answer “what was on this machine on this date” recover faster from a supply-chain hit.
A Credentials-First Approach to the Endpoint
GitGuardian today introduced Developer Endpoint Protection, extending its secrets detection, honeytoken, and non-human identity (NHI) coverage to developer and privileged workstations. Unlike endpoint tools focused on malicious binaries or package provenance, Endpoint Protection is built around the credentials themselves and the AI tooling that increasingly generates them. Each secret found on a machine maps back to the production systems it unlocks and to every other place the same credential lives. Each coding agent and MCP server discovered on the endpoint is inventoried alongside it, so unsanctioned or malicious MCPs surface before they exfiltrate credentials, not after.
It is built for organizations that lack a machine-by-machine view of credentials. Endpoint Protection runs as a scheduled scan deployed through existing MDM tooling, completing in roughly a minute on most developer machines.
How Endpoint Protection helps
Endpoint Protection closes three gaps that existing security stacks leave wide open:
Remediation at the source: redacts secrets from shell and command history, migrates active credentials into vaults and local secrets managers, and prevents AI coding agents from spreading secrets across the machine through GitGuardian agent hooks.
Blast-radius containment: continuously hunts plaintext credentials across every endpoint, scores each by severity and access scope, and pushes high-risk findings straight into the SOC, SIEM, and SOAR, ready to act on the moment a breach lands.
Live attack detection: honeytokens fire the moment an infostealer steals a credential and auto-validate it from the laptop, giving security teams attribution-rich alerts in real time, not low-confidence signals after the fact.
“Over the past few months, barely a week has gone by without a major breach involving credentials stolen from a laptop,” said Eric Fourrier, CEO and co-founder of GitGuardian. “Our beta program data shows an average of 150 secrets on developer laptops, with some even ranging into the thousands. Among these secrets, private keys account for 38% of unique secrets, while cloud, identity provider, and secret management credentials like AWS IAM and HashiCorp Vault add another 22%. And the most interesting point is that 40% of secrets are found in AI directories/logs, demonstrating the impact of AI adoption. The partition between code-resident and endpoint-resident credentials no longer exists for attackers, and it cannot exist for defenders.”
Additional resources
Endpoint Protection – Product details
GitGuardian – Website
About GitGuardian
GitGuardian helps organizations protect exposed credentials and guard non-human identities across code, cloud, and developer environments. It detects secret leaks, monitors public exposure, and helps teams remediate risks at enterprise scale.
Widely adopted by developer communities, GitGuardian is the #1 security application on GitHub Marketplace and is used by over 500 thousand developers and leading companies, including Snowflake, Orange, ING, BASF, Maven Wave, Euronext and Bouygues Telecom. To learn more about GitGuardian, users can visit https://www.gitguardian.com.
Contact
Media Contact
Holly Hagerman
GitGuardian
[email protected]
+18013737888