
Last week a worm hijacked Claude Code session hooks to maintain persistence inside developer environments. The malware had a better model of your developer environment than most security teams do.
That is not a supply chain story. That is an identity story.
Non-human identities (NHIs) are machine actors that authenticate and take actions in your environment without a human in the loop: CI tokens, package publisher accounts, OAuth grants, API keys, and agent sessions.
They now outnumber human identities in most engineering organizations, and almost none of them are systematically governed.
The org chart is real work, done well. The wall it hangs on shows everything that work doesn’t cover.
AppSec was built around human actors. Developers write code, users submit input, attackers probe endpoints.
The threat model starts with a person making a decision. AppSec teams wrote policies, deployed scanners, reviewed pull requests, and trained developers.
All of it assumed that if you secured what humans do, you secured the system.
That assumption is now wrong in a specific and practical way.
In late April 2026, Mini Shai-Hulud spread across npm, PyPI, and Packagist. The campaign hit roughly 1,800 developers and compromised packages with more than 10M monthly downloads.
Related credential-stealer clusters hit RubyGems and Go modules in the same window. The technique was the same in each case: compromise a package publisher account, push a malicious update, harvest credentials at install time.
No human was in the loop when the GitHub token left the machine. The package ran, the credentials moved, the pipeline kept going.
The chair is empty. The package opened. The credentials left through the window. This is not a security failure — this is the design.
Developer security policy did not cover this because the developer was not the actor. The package was.
Classic SAST checks the code your team writes. Classic SCA checks the dependencies your team picks. Neither model fully covers a trusted install-time process that steals credentials after resolution.
On May 4, 2026, Cisco announced its intent to acquire Astrix; CTech reported the price at roughly $400M. That is not just M&A news. It is a $400M signal that NHI governance has moved from backlog hygiene to a board-visible control gap.
Astrix’s entire product is built around one uncomfortable observation: organizations cannot see or govern the non-human identities (NHIs) they have accumulated.
Service accounts, OAuth grants, API tokens, CI identities, SaaS app connections, package publish rights, agent sessions. Not users. Not services in the traditional sense.
Machine actors that a developer created once, probably in a hurry, and then forgot about.
OSV-Scanner’s CI output injection bug is the same story in miniature. The scanner is not a person. Its output feeds the next machine in the pipeline.
When that output is injectable, you have not been attacked by a clever human. You have been attacked by the assumption that text from a trusted tool is safe text.
Claude Code being the first target makes sense. Every AI coding agent is a fresh non-human identity that authenticates to npm, GitHub, your cloud, and your CI. My bet: the next twelve months create more of those identities than new employees.
I keep coming back to the same pattern. The failure is no longer between a human attacker and a human-operated system.
It is between one automated process and another, with human-issued credentials as the prize.
When you audit “developer security,” the scope should now include every non-human actor that developer implicitly created.
The npm token scoped to publish everything. The CI service account with write access to production. The GitHub App installed on a Saturday and never reviewed. The agent session that persists across your entire working day.
Some of these may appear in identity governance. The dangerous ones are the ones that do not: package rights, OAuth grants, long-lived CI tokens, and agent sessions with no owner.
Start with the question your IAM system cannot answer: what can make a change in your environment without a human approving it? That list is your real attack surface.
Four places to start this week:
- Inventory every package publisher account your team owns. Most teams cannot produce this list in an hour.
- Scope every CI token to one repo, one action, one environment. Long-lived org-wide tokens are the npm publisher account of tomorrow.
- Audit OAuth grants to your GitHub org. Anything installed before 2025 deserves a fresh review.
- Treat agent sessions (Claude Code, Cursor, Copilot Workspace) as identities. They authenticate, they take actions, they need lifecycle management.
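One way to turn the four checks into a repeatable triage over an NHI inventory. This is an added example, not code from any tool named in the piece. The record fields, scope names, finding labels, and the 90-day "long-lived" threshold are assumptions, and the inventory is constructed sample data.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

REVIEW_CUTOFF = date(2025, 1, 1)  # from the list: grants installed before 2025
MAX_TOKEN_DAYS = 90               # assumption: what counts as "long-lived"

@dataclass
class NHI:  # hypothetical inventory record
    name: str
    kind: str                # publisher | ci_token | oauth_grant | agent_session
    owner: Optional[str]
    scope: str               # repo | org | all_packages
    created: date
    expires: Optional[date]
    can_write: bool
    human_approval: bool     # does a person approve its changes?

def findings(n: NHI) -> list:
    out = []
    if not n.owner:
        out.append("no-owner")
    if n.kind == "publisher" and n.scope == "all_packages":
        out.append("publish-everything")
    if n.kind == "ci_token":
        if n.scope != "repo":
            out.append("ci-token-not-repo-scoped")
        if n.expires is None or (n.expires - n.created).days > MAX_TOKEN_DAYS:
            out.append("long-lived")
    if n.kind == "oauth_grant" and n.created < REVIEW_CUTOFF:
        out.append("grant-predates-2025")
    return out

def triage(inventory):
    """Flagged identities, most findings first."""
    rows = [(n.name, findings(n)) for n in inventory]
    return sorted((r for r in rows if r[1]), key=lambda r: -len(r[1]))

def unattended_writers(inventory):
    """Identities that can change something with no human approving it."""
    return [n.name for n in inventory if n.can_write and not n.human_approval]

# Constructed sample inventory (not real data).
INVENTORY = [
    NHI("npm-publish-token", "publisher", "alice", "all_packages", date(2023, 6, 1), None, True, False),
    NHI("ci-deploy", "ci_token", None, "org", date(2024, 2, 10), None, True, False),
    NHI("lint-bot-app", "oauth_grant", "bob", "org", date(2024, 11, 2), None, False, True),
    NHI("ci-test", "ci_token", "carol", "repo", date(2026, 4, 1), date(2026, 5, 1), True, True),
    NHI("agent-session", "agent_session", None, "repo", date(2026, 5, 4), date(2026, 5, 5), True, False),
]
```

The `unattended_writers` list is the answer to the question IAM cannot answer; `triage` orders the review queue.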
The boundary moved. Most AppSec programs have not.
Reply if I missed something. I’ll update the piece.