If 2025 made one thing painfully clear for us defenders: attackers are done “hacking apps”. They are hacking access, meaning tokens, secrets, OAuth-connected apps, and the non-human identities (NHIs) that quietly hold production-grade permissions. And now, they can automate large chunks of that work with agentic AI.
Here’s the 2025 recap in three stories.
Enterprise Security for AI Agents & Non-Human Identities
GTG-1002: When AI agents went from “assist” to “attack”
In November, Anthropic published a report on what it describes as the first reported AI-orchestrated cyber espionage campaign, attributed with high confidence to a Chinese state-sponsored group Anthropic calls GTG-1002. Anthropic says it detected the operation in mid-September 2025, that it targeted roughly 30 entities, validated a handful of successful intrusions, and that the actor used Claude Code in a way that drove 80–90% of tactical operations with minimal human intervention.
This wasn’t a case of “AI wrote a phishing email.” This was a preview of attacker operations where agentic systems can run recon, discovery, exploitation, and post-exploitation workflows at machine speed.
What that changes for defenders: visibility and control can’t stop at humans. We need to govern how tools and identities are used, especially the non-human ones that agents and automation rely on.
Shai-Hulud worm turned npm packages into secret exposure pipelines
Shai-Hulud 2.0 is the clearest illustration of 2025’s core truth: secrets are both the target and the payload in today’s supply chain attacks.
As we covered in our initial analysis of this large-scale attack, the malware runs during npm install (via install lifecycle scripts) of compromised packages of various suppliers, harvests secrets from developer machines and CI environments, writes them into local artifacts, and exfiltrates them into attacker-controlled GitHub repositories. The GitHub repos were largely a collection and exfiltration layer. The assets exposed were the runtime environments, their in-memory secrets, and local configuration across CI pipelines, endpoints, and cloud-connected machines.
Entro Labs analyzed over 30,000 Shai Hulud repos and tied exfiltrated data to 1,195 organizations, including banks, governments, and Fortune 500 tech. In multiple cases, Entro observed high-value cloud and CI secrets still valid more than 72 hours after public disclosure.
Update (Dec 28/29): Aikido researchers spotted a new Shai-Hulud strain uploaded to npm (@vietmoney/react-big-calendar), with no major spread so far, suggesting early-stage testing and continued evolution of the campaign suggesting continued iteration as we head into 2026.
Salesforce Drift’s breach showed how OAuth tokens can become skeleton keys
If Shai-Hulud 2.0 is about secrets spilling from where code runs, the Drift-Salesforce incident in August was about something even quieter: trusted SaaS integrations.
The breakdown of the breach showed a campaign where attackers targeted Salesloft Drift, then created OAuth tokens on behalf of Drift that acted like “skeleton keys” into customer Salesforce environments, because the Connected App (a non-human identity) looked legitimate and already had approved scopes.
Google Threat Intelligence Group (GTIG) published an advisory describing a widespread data theft campaign (tracked as UNC6395) that targeted Salesforce customer instances via compromised OAuth tokens associated with the Salesloft Drift third-party app, beginning as early as Aug 8, 2025. GTIG assessed the actor’s primary intent as credential harvesting, and noted the actor searched exfiltrated data for sensitive secrets like AWS access keys, passwords, and Snowflake-related tokens.
The modern NHI risk is right there: A third-party OAuth app is basically a non-human identity with persistent access. When its tokens are compromised, the attacker inherits a clean, authenticated path into the data plane.
The 2025 takeaway: access is the new perimeter (and it’s mostly non-human)
These incidents look different, but they rhyme:
- AI agents increased speed and scale of threat actors’ operations.
- One of the largest supply chain attacks focused on harvesting secrets from real runtime environments.
- OAuth-connected apps created a shared blast radius across customers when tokens or integrations are abused.
If you are not treating secrets and NHIs as first-class security assets, 2026 will be louder.
How Entro can help
Entro was built for exactly this convergence: AI agents, secrets, and non-human identities sharing the same blast radius. We help security teams discover exposed secrets and the NHIs behind them, map ownership, and understand what those identities can access across cloud, SaaS, code, and CI/CD.
So when an incident hits, teams can answer the questions that actually drive containment:
- Which secrets were exposed, and where else do they exist?
- Which non-human identities use them, and what can they access right now?
- Which identities are behaving abnormally, or being used in unexpected places?
- Were compromised secrets and tokens actually revoked, or are they still live?
