How a GitHub token exposed Novo Nordisk’s hidden risk

A single leaked GitHub token has just shown how easily software supply chains can be compromised—this time at Novo Nordisk. The incident highlights a common misconception: treating secrets management as a tooling issue rather than an identity and access control problem.

Identity over tools: the real lesson from Novo Nordisk

Security teams often focus on hardening CI/CD pipelines with the latest tools, scanning for vulnerabilities, or tightening network perimeters. Yet the Novo Nordisk breach underscores that stolen or leaked credentials—especially those tied to developer identities—can bypass all those defenses. A GitHub token with elevated permissions effectively acts as a skeleton key, granting access to private repositories, build systems, and even deployment environments. When such tokens aren’t tied to individual identities with strict least-privilege rules, revocation becomes reactive rather than preventive.

From detection to prevention: rethinking secrets management

Organizations can reduce this risk by shifting from reactive detection to proactive identity governance. Automated token rotation tied to developer identities, enforced multi-factor authentication for privileged accounts, and real-time monitoring of unusual access patterns can turn a potential breach into a controlled event. The Novo Nordisk case serves as a reminder that in a world where code is the new currency, the weakest link isn’t the tool—it’s the identity behind it.

---

Source: Dark Reading. AI-assisted editorial synthesis — TechnoExpress.