GitGuardian Launches Endpoint Protection to Plug Credential Leak Gap on Developer Laptops
GitGuardian's new Developer Endpoint Protection tool scans workstations for plaintext secrets and AI agent artifacts, addressing a credential theft pattern behind recent supply-chain attacks.

GitGuardian today announced Developer Endpoint Protection, a tool that extends its secrets and non-human identity (NHI) detection platform to developer workstations. The launch comes in response to a 12-month wave of supply-chain incidents — including the Mini Shai-Hulud worm, which compromised more than 300 npm and PyPI packages, the Bitwarden CLI compromise, and a Vercel exposure — where attackers harvested plaintext credentials from developer endpoints and CI pipelines to move laterally into production systems.
The core insight driving the product is that the developer laptop has become the credential store attackers are picking through. Rather than hunting for zero-day vulnerabilities, adversaries are landing on a developer or privileged endpoint, finding valid credentials sitting in plaintext, and using those credentials to access cloud control planes, SaaS apps, and production code. The threat model has shifted: secrets at rest on endpoints are now as valuable as stolen Active Directory credentials.
A new exposure class is compounding the problem. Coding agents and MCP (Model Context Protocol) servers, now standard on developer machines, generate credentials that persist after a session, pull secrets from password managers and vaults, and routinely leave copies in log files, shell history, and IDE caches. GitGuardian's beta program data shows an average of 150 secrets per developer laptop, with some machines containing thousands. Among these, private keys account for 38% of unique secrets, while cloud, identity provider, and secret management credentials like AWS IAM and HashiCorp Vault add another 22%. Notably, 40% of secrets are found in AI directories and logs, demonstrating the impact of AI adoption.
Developer Endpoint Protection runs as a scheduled scan deployed through existing MDM tooling, completing in roughly a minute on most machines. It inventories every secret found on a machine and maps it back to the production systems it unlocks and to every other place the same credential lives. Each coding agent and MCP server discovered on the endpoint is inventoried alongside it, so unsanctioned or malicious MCPs surface before they exfiltrate credentials.
The tool closes three gaps that existing security stacks leave open. First, remediation at the source: it redacts secrets from shell and command history, migrates active credentials into vaults and local secrets managers, and prevents coding AI agents from spreading secrets across the machine through GitGuardian agent hooks. Second, blast-radius containment: it continuously hunts plaintext credentials across every endpoint, scores each by severity and access scope, and pushes high-risk findings straight into the SOC, SIEM, and SOAR. Third, live attack detection: honeytokens fire the moment an infostealer steals a credential and auto-validate it from the laptop, giving security teams attribution-rich alerts in real time.
“Attackers have figured out that secrets at rest on endpoints, especially for non-human identities (NHIs) and API keys, are just as valuable as stolen credentials in Active Directory,” said Ken Buckler, Information Security Research Director at Enterprise Management Associates (EMA). “EDR focuses on malicious processes; identity programs only see secrets after they’re used – so the endpoint becomes the gap. The organizations winning this fight are the ones treating endpoint secrets discovery as a first-class security problem, not bolting it onto EDR as an afterthought.”
The announcement reflects a broader industry recognition that the partition between code-resident and endpoint-resident credentials no longer exists for attackers, and it cannot exist for defenders. As supply-chain attacks increasingly pivot from exploiting code vulnerabilities to harvesting valid credentials, tools that treat credential discovery as a first-class security problem — distinct from traditional EDR or identity programs — are becoming essential.
GitGuardian, the #1 security application on GitHub Marketplace, is used by over 500,000 developers and companies including Snowflake, Orange, ING, BASF, and Euronext. The new Endpoint Protection product is available now.