A developer gets a LinkedIn message from a recruiter. The role looks legitimate. The coding assessment requires installing a package. That package exfiltrates all cloud credentials from the developer’s machine — GitHub personal access tokens, AWS API keys, Azure service principals and more — and the adversary is inside the cloud environment within minutes.


Kinda shocks me that most of these CLI apps still have no method of securing these credentials. No encryption with passphrase, no integration with password/secret managers. Just a plaintext credentials file in a static location.
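
An added example, not part of the original comment: a defender-side audit that parses an AWS-style shared credentials file and reports which profiles keep long-lived static keys in plaintext, which hold only temporary session credentials, and which delegate to an external helper through `credential_process`. The sample file is constructed (the key values are AWS's documented placeholders) and the helper path `/usr/local/bin/fetch-creds` is hypothetical.

```python
import configparser
import os
import stat

# Constructed sample in the AWS shared-credentials INI format.
# Key values are AWS's documented placeholders; the helper path is hypothetical.
SAMPLE = """\
[default]
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY

[ci-temp]
aws_access_key_id = ASIAIOSFODNN7EXAMPLE
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
aws_session_token = EXAMPLETOKEN

[vaulted]
credential_process = /usr/local/bin/fetch-creds --profile vaulted
"""

def audit_credentials(text):
    """Classify each profile by how its secret is stored. Never returns secret values."""
    cp = configparser.ConfigParser(interpolation=None)  # '%' in values must not be interpolated
    cp.read_string(text)
    findings = {}
    for profile in cp.sections():
        sec = cp[profile]
        key_id = sec.get("aws_access_key_id", "")
        if key_id and sec.get("aws_secret_access_key"):
            # ASIA-prefixed key ids with a session token are temporary; anything else is long-lived.
            temporary = key_id.startswith("ASIA") and bool(sec.get("aws_session_token"))
            findings[profile] = "plaintext-temporary" if temporary else "plaintext-long-lived"
        elif "credential_process" in sec:
            findings[profile] = "external-helper"  # secret is fetched at use time, not stored here
        else:
            findings[profile] = "no-secret"
    return findings

def audit_file(path):
    """Audit a credentials file on disk: permission bits plus per-profile findings."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    with open(path, encoding="utf-8") as fh:
        profiles = audit_credentials(fh.read())
    # Any group/other permission bit means accounts other than the owner can reach the file.
    return {"group_or_other_access": bool(mode & 0o077), "profiles": profiles}

if __name__ == "__main__":
    for name, finding in audit_credentials(SAMPLE).items():
        print(f"{name}: {finding}")
```

Profiles reported as `plaintext-long-lived` are the ones to rotate and move behind a helper or short-lived session first, since a process running as the same user can read them regardless of file permissions.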