A leaked GitHub token doesn’t just underscore a problem – it highlights what most organizations get wrong: treating secrets management as a tooling problem rather than an identity problem, and that’s a critical distinction we can’t afford to ignore, especially on June 22, 2026, as we’re seeing more breaches like the one at Novo Nordisk.
Key Takeaways
- Novo Nordisk’s breach emphasizes the importance of secrets management as an identity problem.
- A leaked GitHub token can have significant consequences for an organization’s security.
- Most organizations treat secrets management as a tooling problem, rather than an identity problem.
- This approach can lead to significant security risks, and it’s something we’ve seen before.
- It’s crucial for organizations to reevaluate their approach to secrets management, and that’s not going to be easy.
Understanding the Novo Nordisk Breach
And what we’re seeing with the Novo Nordisk breach is that it’s not just about the leak of a GitHub token – it’s about the underlying issues that led to it, and those issues are complex. Because when we treat secrets management as a tooling problem, we’re focusing on the tools and technologies used to manage secrets, rather than the people and processes involved, and that’s a mistake.
The Consequences of a Leaked GitHub Token
But a leaked GitHub token can have significant consequences for an organization’s security, and it’s not something to be taken lightly. For example, it can give attackers access to sensitive information and systems, and that’s a serious concern. Because once an attacker has access to a GitHub token, they can use it to access and modify sensitive information, and that’s not something we want to see happen.
Historical Context of Secrets Management
In the early days of software development, secrets were often hard‑coded into source files. Teams shared repositories without thinking about who could read the code, and the idea of a dedicated secrets lifecycle barely existed. As the industry moved toward cloud‑native architectures, the volume of keys, passwords, and certificates exploded. Vendors responded by building vaults, key management services, and encrypted storage solutions. Those tools gave the illusion that merely buying a product solved the problem.
What changed was the realization that a vault is only as secure as the identity that accesses it. When an organization relies on a single static credential—like the GitHub token that slipped out of Novo Nordisk’s pipeline—it creates a single point of failure. The shift from “tool‑first” to “identity‑first” thinking didn’t happen overnight; it emerged after a series of high‑profile leaks that demonstrated the limits of technology without proper governance.
That evolution informs the current conversation. It tells us that any effective secret‑handling strategy must embed identity controls at its core. Without that foundation, even the most sophisticated vault will be bypassed.
The Importance of Secrets Management as an Identity Problem
And that’s why secrets management should be treated as an identity problem, not a tooling problem, and it’s a distinction that’s critical to making progress on this issue. Because when we treat secrets management as an identity problem, we’re focusing on the people and processes involved in managing secrets, rather than just the tools and technologies, and that’s a more comprehensive approach. For instance, 85% of organizations don’t have a clear understanding of who has access to their sensitive information, and that’s a problem, because it’s hard to manage what you don’t understand.
The Challenges of Implementing Effective Secrets Management
But implementing effective secrets management is not easy, and it’s something that requires significant effort and resources. Because it requires organizations to reevaluate their approach to secrets management, and to implement new processes and technologies to support it, and that’s not a simple task. For example, organizations need to implement multi-factor authentication and least privilege access to ensure that only authorized individuals have access to sensitive information, and that’s just the beginning.
Best Practices for Secrets Management
And there are best practices that organizations can follow to implement effective secrets management, and it’s not just about following a checklist. Because it’s about creating a culture of secrecy, and ensuring that all employees understand the importance of secrets management, and that’s something that takes time and effort. For instance, organizations should use secrets management tools to encrypt and manage sensitive information, and they should also implement access controls to ensure that only authorized individuals have access to sensitive information.
And if you want to learn more about the Novo Nordisk breach, you can check out the original report, and it’s worth reading, because it provides a detailed analysis of the breach and its consequences.
What This Means For You
So, what does this mean for you, as a developer or founder? It means that you need to take secrets management seriously, and that you need to treat it as an identity problem, not a tooling problem. Because if you don’t, you’re putting your organization’s security at risk, and that’s not something you want to do. For example, you should rotate secrets regularly to minimize the impact of a breach, and you should also monitor for suspicious activity to detect potential security threats.
Imagine a startup that builds a continuous‑integration pipeline for mobile apps. The team stores API keys in environment variables that are checked into the repository during development. A compromised token lets an attacker clone the repo, inject malicious code, and push a new version to production. By enforcing identity‑centric controls—assigning each developer a unique token, requiring MFA on every pull, and rotating keys after each release—the same pipeline becomes resilient to that attack.
Consider a mid‑size enterprise with multiple product lines. Each line uses its own set of service accounts, and the security team struggles to keep track of which account accesses which database. By implementing a centralized identity platform that ties every secret to a user or service identity, the organization gains visibility into who touched which credential. When an anomaly surfaces—say, a service account accessing a data lake at odd hours—the alert can be correlated to the identity, and remediation can happen quickly.
Think about a consulting firm that manages client codebases for several customers. The firm often shares GitHub organizations across projects, making it easy for an engineer to accidentally expose a token while troubleshooting. If the firm adopts a policy of per‑project tokens, enforces least‑privilege scopes, and automates secret rotation after each ticket, the risk of accidental leakage drops dramatically.
And it’s not just about implementing new tools and technologies – it’s about creating a culture of secrecy, and ensuring that all employees understand the importance of secrets management, and that’s something that requires effort and commitment. Because when we get it right, we can prevent breaches like the one at Novo Nordisk, and that’s a goal worth striving for, especially on June 22, 2026.
As we look to the future, will organizations finally start to take secrets management seriously, or will we continue to see breaches like the one at Novo Nordisk, and that’s a question that only time will answer, but it’s one we should be thinking about.
Key Questions Remaining
Even with the best practices in place, several uncertainties linger. How will emerging development workflows—such as AI‑assisted code generation—affect the way secrets are embedded in code? What mechanisms will evolve to automatically detect and quarantine a leaked credential before it can be abused? Will regulatory bodies introduce explicit requirements for identity‑driven secret handling, or will the market self‑regulate through shared incident data?
Another open question is the balance between speed and security. Agile teams often prioritize rapid deployment, which can lead to shortcuts around credential management. Finding a workflow that satisfies both velocity and rigorous identity controls remains a challenge. Organizations that succeed will likely adopt adaptive policies that tighten controls only when risk spikes, rather than imposing static barriers that hinder innovation.
Finally, the human factor continues to be the most unpredictable variable. Training programs can raise awareness, but fatigue and complacency creep in over time. Measuring the effectiveness of cultural initiatives—beyond compliance checklists—will require new metrics that capture real‑world behavior. Until those metrics exist, companies will need to rely on continuous observation and iterative improvement.
Sources: Dark Reading, Cybersecurity News
