A security incident at Novo Nordisk, the Danish pharmaceutical giant known for its diabetes and obesity drugs, has reignited debate about how organizations handle secrets in software development pipelines. A leaked GitHub token gave an attacker visibility into the company's development infrastructure — and the breach illustrates what security experts argue most organizations continue to get wrong about secrets management.
The Breach: A Token Left Exposed
The incident centered on a GitHub personal access token (PAT) that was inadvertently exposed, providing unauthorized access to repositories and potentially other connected development resources. While Novo Nordisk has not disclosed the full scope of what was accessed, the nature of the exposure — a long-lived credential embedded in or leaked from a development workflow — follows a pattern seen repeatedly across the industry.
GitHub tokens carry significant power. Depending on its scopes, a single compromised PAT can grant read or write access to source code repositories, CI/CD pipeline configurations, and secrets stored in repository settings, as well as to any integrated third-party services that authenticate with the same token.
The Real Problem: Secrets as an Identity Issue
Dark Reading's coverage of the incident focuses on a broader failure mode that Novo Nordisk's breach exemplifies: organizations treating secrets management as a tooling problem rather than an identity problem.
Many enterprises approach secrets sprawl by deploying secrets scanning tools, vaults, and rotation mechanisms — addressing the symptom rather than the root cause. The real issue is that static, long-lived credentials like GitHub PATs, API keys, and service account passwords represent identity claims with no expiry and no continuous verification. Unlike human identities managed through MFA and conditional access policies, secrets frequently exist without:
- Rotation schedules or automated expiry
- Scope limitation to least-privilege access
- Centralized visibility into where they are used
- Detection when they are accessed from unexpected locations
When a secret leaks — through a misconfigured pipeline, an accidentally committed file, a compromised developer machine, or a supply chain attack — the window of exposure can be months or years if the organization lacks secrets lifecycle management.
Supply Chain Implications
The pharmaceutical industry represents a high-value target for both nation-state actors and financially motivated criminals. Source code repositories at a company like Novo Nordisk could contain:
- Proprietary formulation and manufacturing process data
- Drug efficacy models and clinical research code
- Manufacturing control system integrations
- Regulatory submission pipelines and sensitive compliance data
A compromised development pipeline token is therefore not just an IT security event — it can have intellectual property, regulatory, and public health implications.
What Good Secrets Management Looks Like
Security practitioners responding to the incident have highlighted several controls that reduce the risk of token-based breaches:
Short-lived credentials over long-lived tokens: GitHub's fine-grained PATs can be scoped and time-limited, reducing the blast radius if one leaks. Replacing long-lived tokens with short-lived ones issued through OIDC-based authentication in CI/CD pipelines removes the static credential entirely.
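The claim check that makes OIDC-issued credentials safer than a static PAT, written out as an added example (not code from the article, from GitHub, or from any cloud provider). It models the decision a cloud identity provider takes before exchanging a workflow's OIDC token for short-lived cloud credentials: the issuer and audience must match, the token must be unexpired and short-lived, and the subject must name a workflow identity the policy trusts. The claim sets, the audience string `example-cloud-deploy`, the repository `example-org/example-app` and the fixed timestamp are constructed; the snippet assumes the JWT signature has already been verified against GitHub's JWKS endpoint and does not repeat that step.

```python
"""Trust-policy evaluation for a GitHub Actions OIDC token (added illustration).

A leaked classic PAT has no issuer, audience, subject or expiry to check; an
OIDC token carries all four, so the receiving side can reject anything that
was not minted minutes ago for this audience by the trusted workflow.
"""
import fnmatch
import time

GITHUB_ACTIONS_ISSUER = "https://token.actions.githubusercontent.com"

# Hypothetical trust policy for a deployment role: only runs on the main branch
# of one repository, minted for our (assumed, custom) audience, may assume it.
DEPLOY_TRUST_POLICY = {
    "audience": "example-cloud-deploy",
    "allowed_subjects": ["repo:example-org/example-app:ref:refs/heads/main"],
    "max_lifetime_seconds": 600,   # reject anything that looks long-lived
}


def evaluate_oidc_claims(claims, policy, now=None):
    """Return (allowed, reason). Every check must pass; the first failure is reported."""
    now = time.time() if now is None else now

    if claims.get("iss") != GITHUB_ACTIONS_ISSUER:
        return False, "issuer is not GitHub Actions"

    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if policy["audience"] not in audiences:
        return False, "token was not minted for this audience"

    exp, iat = claims.get("exp"), claims.get("iat")
    if not isinstance(exp, (int, float)) or not isinstance(iat, (int, float)):
        return False, "missing exp or iat claim"
    if now >= exp:
        return False, "token has expired"
    if exp - iat > policy["max_lifetime_seconds"]:
        return False, "token lifetime exceeds policy"

    # The subject binds the token to a repository plus a ref, environment or
    # event; a glob pattern lets a policy trust e.g. every release/* branch.
    sub = claims.get("sub", "")
    if not any(fnmatch.fnmatchcase(sub, pat) for pat in policy["allowed_subjects"]):
        return False, f"subject {sub!r} is not trusted by this policy"

    return True, "ok"


# Constructed claim sets shaped like GitHub Actions tokens; all values are fake.
NOW = 1_767_225_600  # fixed "current time" so the outcome is reproducible
MAIN_BRANCH_RUN = {
    "iss": GITHUB_ACTIONS_ISSUER,
    "aud": "example-cloud-deploy",
    "sub": "repo:example-org/example-app:ref:refs/heads/main",
    "repository": "example-org/example-app",
    "iat": NOW - 60,
    "exp": NOW + 240,
}
PULL_REQUEST_RUN = dict(MAIN_BRANCH_RUN, sub="repo:example-org/example-app:pull_request")
FORK_RUN = dict(MAIN_BRANCH_RUN, sub="repo:someone-else/example-app:ref:refs/heads/main",
                repository="someone-else/example-app")
STALE_RUN = dict(MAIN_BRANCH_RUN, iat=NOW - 7200, exp=NOW - 3600)


def decisions(now=NOW):
    """Evaluate each constructed token; returns {name: (allowed, reason)}."""
    return {
        name: evaluate_oidc_claims(claims, DEPLOY_TRUST_POLICY, now)
        for name, claims in [("main", MAIN_BRANCH_RUN), ("pull_request", PULL_REQUEST_RUN),
                             ("fork", FORK_RUN), ("stale", STALE_RUN)]
    }


if __name__ == "__main__":
    for name, (allowed, reason) in decisions().items():
        print(f"{name:13s} {'ALLOW' if allowed else 'DENY':5s} {reason}")
```

Only the main-branch run is allowed; a pull-request run, a run from a fork, and a token minted an hour ago are each refused with a specific reason, which is the kind of structured denial a static credential never produces.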
Continuous secrets scanning: Tools like GitHub Advanced Security's secret scanning, Gitleaks, or TruffleHog should run on every commit and pull request, with alerts routed to security teams rather than to developers alone.
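A minimal version of the per-commit check those tools perform, added here as an example rather than code from the article, GitHub, Gitleaks or TruffleHog. It walks a unified diff and matches GitHub's documented token prefixes (`ghp_`, `gho_`, `ghu_`, `ghs_`, `ghr_` for classic 40-character tokens, `github_pat_` for fine-grained tokens). The diff, file names and every token value in it are constructed fakes. It also reports tokens on removed lines, because deleting a committed token does not revoke it.

```python
"""Scan a unified diff for GitHub token formats before the commit lands (added example)."""
import re

TOKEN_PATTERNS = {
    "github_classic_pat":      re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "github_oauth_token":      re.compile(r"\bgho_[A-Za-z0-9]{36}\b"),
    "github_user_to_server":   re.compile(r"\bghu_[A-Za-z0-9]{36}\b"),
    "github_server_to_server": re.compile(r"\bghs_[A-Za-z0-9]{36}\b"),
    "github_refresh_token":    re.compile(r"\bghr_[A-Za-z0-9]{36}\b"),
    "github_fine_grained_pat": re.compile(r"\bgithub_pat_[A-Za-z0-9]{22}_[A-Za-z0-9]{59}\b"),
}
HUNK_HEADER = re.compile(r"^@@ -(\d+)(?:,\d+)? \+(\d+)(?:,\d+)? @@")


def redact(token):
    """Keep only the prefix so an alert is recognisable without leaking the value."""
    return token[:8] + "..."


def scan_diff(diff_text):
    """Return findings for tokens on added ('+') and removed ('-') lines.

    Removed lines are reported with status 'removed': the token is already in
    history and must be rotated, even though the commit itself can proceed.
    """
    findings = []
    current_file, old_line, new_line = None, 0, 0
    for raw in diff_text.splitlines():
        if raw.startswith("+++ "):
            path = raw[4:]
            current_file = path[2:] if path.startswith("b/") else path
            continue
        if raw.startswith("--- ") or raw.startswith("diff "):
            continue
        m = HUNK_HEADER.match(raw)
        if m:
            old_line, new_line = int(m.group(1)), int(m.group(2))
            continue
        if raw.startswith("+"):
            status, line_no, content = "added", new_line, raw[1:]
            new_line += 1
        elif raw.startswith("-"):
            status, line_no, content = "removed", old_line, raw[1:]
            old_line += 1
        else:  # context line: present on both sides of the hunk
            old_line += 1
            new_line += 1
            continue
        for kind, pattern in TOKEN_PATTERNS.items():
            for match in pattern.finditer(content):
                findings.append({"file": current_file, "line": line_no, "status": status,
                                 "kind": kind, "token": redact(match.group(0))})
    return findings


def should_block_commit(findings):
    """Block when a token is being added; removed tokens are alerted for rotation."""
    return any(f["status"] == "added" for f in findings)


# Constructed diff: two files, fake tokens, one removal and one harmless mention.
SAMPLE_DIFF = """\
diff --git a/deploy/config.env b/deploy/config.env
--- a/deploy/config.env
+++ b/deploy/config.env
@@ -1,2 +1,4 @@
 REGION=eu-west-1
+GITHUB_TOKEN=ghp_ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789
+RELEASE_TOKEN=github_pat_0123456789ABCDEFGHIJKL_abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456
 LOG_LEVEL=info
diff --git a/scripts/cleanup.sh b/scripts/cleanup.sh
--- a/scripts/cleanup.sh
+++ b/scripts/cleanup.sh
@@ -1,3 +1,4 @@
 #!/bin/sh
-export GH_TOKEN=ghp_zyxwvutsrqponmlkjihgfedcba9876543210
+# Classic tokens start with ghp_ ; the real value comes from the CI secret store.
+export GH_TOKEN="${CI_GITHUB_TOKEN:?not set}"
 gh release list
"""

if __name__ == "__main__":
    results = scan_diff(SAMPLE_DIFF)
    for f in results:
        print(f"{f['status']:8s} {f['file']}:{f['line']} {f['kind']} {f['token']}")
    raise SystemExit(1 if should_block_commit(results) else 0)
```

The sample produces three findings: two tokens being added to `deploy/config.env` (which blocks the commit) and one classic token being removed from `scripts/cleanup.sh` (which does not block, but should open a rotation ticket). The comment line that merely mentions the `ghp_` prefix is not matched because the pattern requires the full token length.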
Secrets as identities: Treating every API key, PAT, and service credential as an identity with its own lifecycle — created, scoped, monitored, and revoked — rather than as configuration data.
Behavioral anomaly detection: Monitoring for tokens being used from unexpected IP ranges, geolocations, or at unusual times can catch compromised credentials before significant damage occurs.
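The detection logic sketched above, run over a few constructed audit-log lines as an added example (not the article's, GitHub's or any vendor's code; GitHub's real audit-log schema differs from the JSON used here). It goes slightly beyond the paragraph: besides flagging use from an unknown network and use outside business hours, it adds a clone-burst rule, since mass cloning is a common first use of a stolen token. Token ids, the per-token "known egress networks" inventory, the business-hours window and the timestamps are all constructed, and the addresses are RFC 5737 documentation ranges.

```python
"""Flag anomalous token use in a JSON-lines audit sample (added example)."""
import ipaddress
import json
from collections import defaultdict, deque
from datetime import datetime

# Hypothetical inventory: for each token, the networks it is expected to be used from.
KNOWN_NETWORKS = {
    "pat-ci-release": [ipaddress.ip_network("203.0.113.0/24")],  # CI runner egress
    "pat-dev-alice":  [ipaddress.ip_network("198.51.100.0/24")],  # office egress
}
BUSINESS_HOURS_UTC = range(7, 20)   # assumed normal working window
CLONE_BURST_COUNT = 5               # this many clones by one token ...
CLONE_BURST_WINDOW_S = 60           # ... within this many seconds is a burst


def parse_event(line):
    """Decode one JSON line; 'Z' is rewritten so fromisoformat accepts it on older Pythons."""
    ev = json.loads(line)
    ev["ts"] = datetime.fromisoformat(ev["timestamp"].replace("Z", "+00:00"))
    ev["ip"] = ipaddress.ip_address(ev["source_ip"])
    return ev


def detect(lines):
    """Return [(event, [reasons])] for every event that trips at least one rule."""
    flagged = []
    recent_clones = defaultdict(deque)   # token_id -> timestamps of recent clones
    for line in lines:
        if not line.strip():
            continue
        ev = parse_event(line)
        reasons = []
        known = KNOWN_NETWORKS.get(ev["token_id"], [])
        if not any(ev["ip"] in net for net in known):
            reasons.append("unknown_network")
        if ev["ts"].hour not in BUSINESS_HOURS_UTC:
            reasons.append("off_hours")
        if ev["action"] == "git.clone":
            window = recent_clones[ev["token_id"]]
            window.append(ev["ts"])
            while (ev["ts"] - window[0]).total_seconds() > CLONE_BURST_WINDOW_S:
                window.popleft()          # drop clones older than the window
            if len(window) >= CLONE_BURST_COUNT:
                reasons.append("clone_burst")
        if reasons:
            flagged.append((ev, reasons))
    return flagged


# Constructed log: one normal CI clone, one normal developer push, then a
# developer token used at 03:41 UTC from an unknown network to clone six repos.
SAMPLE_LOG = """\
{"timestamp": "2026-03-02T09:15:00Z", "token_id": "pat-ci-release", "source_ip": "203.0.113.10", "action": "git.clone", "repo": "example-org/app"}
{"timestamp": "2026-03-02T10:02:00Z", "token_id": "pat-dev-alice", "source_ip": "198.51.100.7", "action": "git.push", "repo": "example-org/app"}
{"timestamp": "2026-03-03T03:41:00Z", "token_id": "pat-dev-alice", "source_ip": "192.0.2.55", "action": "git.clone", "repo": "example-org/app"}
{"timestamp": "2026-03-03T03:41:05Z", "token_id": "pat-dev-alice", "source_ip": "192.0.2.55", "action": "git.clone", "repo": "example-org/infra"}
{"timestamp": "2026-03-03T03:41:10Z", "token_id": "pat-dev-alice", "source_ip": "192.0.2.55", "action": "git.clone", "repo": "example-org/models"}
{"timestamp": "2026-03-03T03:41:15Z", "token_id": "pat-dev-alice", "source_ip": "192.0.2.55", "action": "git.clone", "repo": "example-org/pipelines"}
{"timestamp": "2026-03-03T03:41:20Z", "token_id": "pat-dev-alice", "source_ip": "192.0.2.55", "action": "git.clone", "repo": "example-org/compliance"}
{"timestamp": "2026-03-03T03:41:25Z", "token_id": "pat-dev-alice", "source_ip": "192.0.2.55", "action": "git.clone", "repo": "example-org/docs"}
"""

if __name__ == "__main__":
    for ev, reasons in detect(SAMPLE_LOG.splitlines()):
        print(f"{ev['timestamp']} {ev['token_id']} {ev['source_ip']} "
              f"{ev['action']} {ev['repo']}: {', '.join(reasons)}")
```

The two daytime events from known networks pass; all six night-time clones from `192.0.2.55` are flagged for the unknown network and the hour, and from the fifth clone onward the burst rule fires as well. In practice the network inventory would come from the same system that issued the token, which is the "secrets as identities" point made below.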
Vault adoption with dynamic secrets: Tools like HashiCorp Vault or cloud-native equivalents can issue short-lived, dynamic credentials that are automatically revoked after use, making leaked credentials nearly worthless to attackers.
Industry Context
The Novo Nordisk breach follows a string of similar supply chain and secrets incidents in 2025 and 2026, including the Grafana breach (linked to a GitHub token stolen through the TanStack npm supply chain attack), and multiple incidents where compromised developer machines served as the entry point for broader corporate network access.
The pattern is consistent: organizations invest heavily in network perimeter controls and application security, but leave development infrastructure — where secrets and tokens proliferate — significantly under-protected.
Source: Dark Reading