
Dhar added that in most cases, access to applications such as Google, GitLab, and AI applications is not blocked, as doing so could hinder operations within an organization. Reputation-based security systems cannot work efficiently here, since the domain in question is seen as a reputable one, meaning security personnel will have to dig deeper into behaviour and user actions.
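The behaviour-level analysis Dhar describes, as an added example that is not from the article or the people quoted: a small Python triage that assumes a constructed proxy-log format and thresholds, baselines each user's own traffic to allow-listed domains, and flags a first-time use of a reputable domain or an upload far above that user's prior maximum there.

```python
# Added example: behaviour-based triage of traffic to reputable domains.
# A reputation filter passes anything bound for an allow-listed host, so this
# check baselines each user's own history per host and flags departures from it.
from collections import defaultdict

# Constructed proxy log lines: "<timestamp> <user> <host> <method> <bytes_out>"
CONSTRUCTED_LOG = """\
2024-05-01T09:00:01 alice gitlab.com GET 420
2024-05-01T09:05:11 alice gitlab.com POST 1800
2024-05-02T10:00:00 alice gitlab.com POST 2100
2024-05-02T10:30:00 bob docs.google.com GET 500
2024-05-03T16:13:00 alice gitlab.com POST 9500000
2024-05-03T16:15:00 alice ai-assistant.example POST 4096
2024-05-03T16:20:00 bob docs.google.com GET 480
"""
REPUTABLE = {"gitlab.com", "docs.google.com", "ai-assistant.example"}  # assumed allow-list
BASELINE_END = "2024-05-03"  # assumption: events dated before this day form the baseline
UPLOAD_RATIO = 10            # assumption: flag uploads this many times the user's prior max


def parse(log):
    """Split each line into (timestamp, user, host, method, bytes_out)."""
    return [(t, u, h, m, int(b)) for t, u, h, m, b in
            (line.split() for line in log.splitlines())]


def triage(log):
    """Return (user, host, reason) findings for events after the baseline."""
    seen = defaultdict(set)            # user -> reputable hosts used in baseline
    max_upload = defaultdict(int)      # (user, host) -> largest baseline upload
    findings = []
    for ts, user, host, method, nbytes in parse(log):
        if host not in REPUTABLE:
            continue  # ordinary reputation checks already cover this traffic
        if ts < BASELINE_END:          # ISO-8601 timestamps compare lexically
            seen[user].add(host)
            if method == "POST":
                max_upload[user, host] = max(max_upload[user, host], nbytes)
            continue
        if host not in seen[user]:
            reason = "first use of reputable domain"
        elif method == "POST" and max_upload[user, host] == 0:
            reason = "first upload to a domain previously only read from"
        elif method == "POST" and nbytes > UPLOAD_RATIO * max_upload[user, host]:
            reason = f"upload of {nbytes} bytes exceeds {UPLOAD_RATIO}x prior max"
        else:
            continue
        findings.append((user, host, reason))
    return findings
```

On the constructed log this reports alice's 9.5 MB push to gitlab.com and her first contact with the AI application, while bob's routine reads of docs.google.com stay quiet.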
Breaking the attack chain
If a developer falls victim, the blast radius can be much larger than a normal user compromise. Jaju warned that a developer machine often contains browser session cookies, SSO tokens, SSH keys, Git credentials, source code, cloud CLI tokens, package manager credentials, secrets stored in local files, and access to internal documentation or collaboration platforms.
From there, attackers can move into code repositories, CI/CD pipelines, cloud environments, container registries, ticketing systems, and enterprise messaging platforms. In some cases, they may not need to steal passwords at all because session tokens or authenticated browser sessions are enough to bypass part of the security stack.
