Doppler Logo
Jan 06, 2026
6 min read

The role of secrets in supply chain security

Dillon Watts Avatar
Dillon Watts
Guest Contributor
The role of secrets in supply chain security

Over the past decade, the security paradigm has undergone significant shifts. Attackers have realized that breaching a well-fortified production environment is difficult, but compromising the tools, libraries, and pipelines used to build that environment is significantly easier.

This is the era of supply chain attacks.

From the Codecov breach to the recent Shai-Hulud NPM worm, the common denominator is often the mismanagement of secrets. Secrets, API keys, signing certificates, and database credentials are the "skeleton keys" that enable attackers to move laterally from a low-value dependency to a high-value production workload. This article analyzes how secrets serve as the primary pivot point in supply chain compromises and how to harden your architecture against them.

The three pillars of supply chain risk

A software supply chain is defined by everything that touches your code from the first commit to the final deployment. Secrets management helps secure three critical pillars:

  1. The Build Environment (CI/CD)
  2. The Dependency Graph (Open source)
  3. The Integration Mesh (Third-party tools)

1. The Build Environment: The engine room

Continuous Integration (CI) servers have the highest concentration of privileged secrets. They require read access to source code, write access to artifact registries, and deployment access to cloud infrastructure.

The vector:

Attackers target CI logs and build caches. If a secret is injected via an environment variable that is accidentally dumped to ⁠stdout during a build failure, it becomes immutable history in the CI logs. Furthermore, "Runner" machines are often ephemeral but non-zero trust. If an attacker compromises a shared runner, they can scrape environment variables from concurrent jobs.

2. The Dependency Graph: The "Trojan Horse"

Modern applications are 80% open-source code. Attacks like "typosquatting" or "dependency confusion" rely on developers installing malicious packages.

The vector:

A malicious npm or PyPI package does not always try to break your app; often, it silently exfiltrates environment variables.

The recent Shai-Hulud NPM worm serves as a stark warning. While ostensibly a "research" proof-of-concept, it demonstrated how easily a package could propagate by targeting the ⁠postinstall hook. The worm checked for authentication tokens (like ⁠NPM_TOKEN or AWS keys) in the developer's environment and utilized them to auto-publish new versions of itself to other packages the developer had write access to.

Consider a script in a compromised ⁠package.json:

If your secrets are stored in a local ⁠.env file or exported globally in the shell, the malicious package grabs them immediately upon installation.

3. The Integration Mesh: Third-party trust

DevOps tools (Jira, Slack, Datadog, Snyk) are glued together using API tokens.

The vector:

These tokens often have broad scopes (over-privileged). If a third-party vendor is breached (a fourth-party weakness), the static, long-lived API tokens stored in your configuration files allow the attacker to impersonate your services.

Understanding the blast radius

The concept of "blast radius" in supply chain security refers to how far an attacker can move laterally from a single point of compromise. In a hyper-connected ecosystem, the impact of a breach is rarely isolated to the initial target. If a CI runner is compromised, the attacker is not interested in the build logs; they are hunting for the deployment keys stored within the environment variables. Once those keys are exfiltrated, the attacker effectively inherits the permissions of your deployment pipeline, gaining write access to production databases, cloud infrastructure, and artifact registries.

The Shai-Hulud worm perfectly illustrates this multiplier effect. By stealing a single ⁠NPM_TOKEN from a developer's local environment, the malware did not just compromise the package currently being worked on. It granted the attacker the ability to publish malicious updates to every package maintained by that developer. Consequently, a vulnerability in a low-value development tool can instantaneously escalate into a high-criticality incident affecting downstream users across the entire organization. The risk is not defined by the tool that leaked, but by the privileges of the secret that was exposed.

The failure of static secrets

The traditional method of handling secrets are ⁠.env files, encrypted git-repos, or static CI variables expands the supply chain risks because:

  • Persistence: Secrets live on disk. If a build agent or developer machine is compromised by a worm, the file system is widely exposed.
  • Sprawl: Secrets are duplicated across developer machines and multiple CI providers.
  • Staleness: Rotating static secrets is painful, so they are rarely rotated, giving attackers a nearly infinite window of opportunity.

The Solution: centralized, ephemeral secrets

To secure the supply chain, we must move from Static Storage to Dynamic Injection. This is where a platform like Doppler becomes a critical security control.

1. Preventing exfiltration via injection

Doppler injects secrets into the application process only at runtime.

  • No files on disk: There is no ⁠.env file for a malicious npm package to read.
  • Scoped access: A developer running ⁠doppler run – npm install can be scoped to a "Development" config. Even if a worm like Shai-Hulud scrapes the environment, it only gains access to low-value development keys, keeping Production cryptographically unreachable.

2. Hardening the CI pipeline

Instead of storing secrets in Jenkins, GitHub Actions, or CircleCI (where they are difficult to audit), you store a single Doppler Service Token.

  • Reduced surface area: You only have one token to protect.
  • Just-in-time access: The secrets are fetched only when the build step requires them and vanish when the process terminates.

3. Reducing the blast radius with rotation

In the event of a vendor breach, the "Time-to-Live" of your exposed credentials matters. Doppler automates secret rotation. You can invalidate the compromised API key and generate a new one across all infrastructure instantly, closing the door before the attacker can walk through it.

Hardening the pivot point

Supply chain security is not just about scanning your code for vulnerabilities; it is about protecting the credentials that grant access to your infrastructure. If your supply chain is a series of locked doors, secrets are the keys.

By centralizing and automating these keys with Doppler, you eliminate the static files and hardcoded config that attackers rely on. You move from a defensive posture of "hoping we don't leak" to an architectural posture where secrets simply aren't there to be stolen.

If you are looking to harden your supply chain against the next generation of attacks, start a Doppler demo by signing up here.

Back to the blog
Share
Enjoying this content? Stay up to date and get our latest blogs, guides, and tutorials.

Related Content

Explore More
Secrets in AI workflows: Preventing leaks in code review and LLM training
DevRel
Secrets in AI workflows: Preventing leaks in code review and LLM trainingWhy LLM training and AI code review expose secrets and what to do instead
Read More
Advanced LLM security: Preventing secret leakage across agents and prompts
Engineering
Advanced LLM security: Preventing secret leakage across agents and promptsHow to secure LLM prompts, agents, and workflows to prevent secret leakage in production AI systems
Read More
10 common myths about secrets management, risks, and best practices
DevRel
10 common myths about secrets management, risks, and best practicesThe most common secrets management myths and the practices that prevent leaks.
Read More

Enter the new era of secrets management

Trusted by the world’s best DevOps and security teams. Doppler is the secrets manager developers love.

Start for FreeGet Demo