Recruitment fraud nets $2B via cloud IAM: fake dev jobs steal AWS keys

Attackers posing as recruiters trick developers into installing malicious packages that exfiltrate cloud credentials during installation. CrowdStrike documents industrial-scale operations pivoting from stolen GitHub tokens and AWS keys to full cloud compromise, bypassing email security entirely.

A developer receives a LinkedIn message about a role. The coding assessment requires installing a package. That package exfiltrates GitHub tokens, AWS keys, and Azure credentials during installation. The attacker is inside the cloud environment within minutes.

Your email security never saw it. Your dependency scanner might have flagged the package. Nobody monitored what happened during the install.

CrowdStrike Intelligence documented this attack chain on January 29, tracking adversary groups that operationalized recruitment fraud at industrial scale. One unit has generated more than $2 billion through cryptocurrency operations, according to CrowdStrike's Adam Meyers. Success drove organizational specialization: what was one threat group is now three distinct units targeting crypto, fintech, and espionage.

In late 2024, attackers hit a European FinTech through recruitment-themed lures, delivered malicious Python packages, pivoted to cloud IAM configurations, and diverted cryptocurrency to adversary-controlled wallets. Entry to exit never touched corporate email.

The dependency scanner gap

CISA issued an advisory in September on widespread npm supply chain compromise targeting GitHub personal access tokens and AWS, GCP, and Azure API keys. JFrog identified 796 compromised packages in a self-replicating worm spreading through infected dependencies. Adversaries delivered malicious ZIP files via WhatsApp, a channel corporate email security doesn't monitor.

Dependency scanning catches the malicious package. That's the first control, and most organizations have it. Almost none have the second: runtime behavioral monitoring that detects credential exfiltration during package installation.
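One way to build that second control, as an added example that is not from the article or from CrowdStrike's research: correlate process events captured during a package install (the kind a sandbox, auditd or eBPF hook would emit) and flag any install-hook process that reads a developer credential store and then opens an outbound connection. The event stream, the credential-path patterns and the install-command prefixes are all assumptions constructed for the example.

```python
import re
from collections import OrderedDict
from dataclasses import dataclass, field

# Constructed sample event stream: (pid, parent command, event kind, target).
# Mirrors what a runtime hook would see while package managers run install hooks.
SAMPLE_EVENTS = [
    (4101, "npm install", "exec",    "node preinstall.js"),
    (4101, "npm install", "open",    "/home/dev/.aws/credentials"),
    (4101, "npm install", "open",    "/home/dev/.config/gh/hosts.yml"),
    (4101, "npm install", "connect", "203.0.113.9:443"),  # TEST-NET-3, constructed
    (4102, "npm install", "open",    "/home/dev/project/node_modules/lodash/package.json"),
    (4102, "npm install", "connect", "registry.npmjs.org:443"),
    (4103, "pip install", "open",    "/home/dev/.azure/accessTokens.json"),
]

# Credential stores matching what the article says is stolen (AWS keys, GitHub
# tokens, Azure creds) plus common developer secrets; tune these per environment.
CREDENTIAL_PATHS = re.compile(
    r"/\.aws/credentials$|/\.config/gh/hosts\.yml$|/\.azure/|/\.npmrc$|/\.git-credentials$"
)
# Parent commands treated as package installs (assumption: adjust to your toolchain).
INSTALL_PARENTS = ("npm install", "pip install", "yarn install", "pnpm install")

@dataclass
class Finding:
    pid: int
    parent: str
    credentials_read: list = field(default_factory=list)
    egress: list = field(default_factory=list)

def detect_install_exfil(events):
    """Return one Finding per install-hook process that read a credential store.
    A connect() by that same process after the read is recorded as egress."""
    findings = OrderedDict()
    for pid, parent, kind, target in events:
        if not parent.startswith(INSTALL_PARENTS):
            continue
        if kind == "open" and CREDENTIAL_PATHS.search(target):
            findings.setdefault(pid, Finding(pid, parent)).credentials_read.append(target)
        elif kind == "connect" and pid in findings:
            # Network egress only matters once the process has touched a secret.
            findings[pid].egress.append(target)
    return list(findings.values())

def severity(finding):
    """'exfil' when a credential read was followed by egress, else 'credential-read'."""
    return "exfil" if finding.egress else "credential-read"

if __name__ == "__main__":
    for f in detect_install_exfil(SAMPLE_EVENTS):
        print(f"pid={f.pid} parent={f.parent!r} {severity(f)} reads={f.credentials_read} egress={f.egress}")
```

The registry fetch by pid 4102 produces no finding because that process never touched a credential file, which is what keeps this rule from firing on every ordinary install.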

"When you strip this attack down to its essentials, what stands out isn't a breakthrough technique," Shane Barney, CISO at Keeper Security, said in analysis of a recent cloud attack chain. "It's how little resistance the environment offered once the attacker obtained legitimate access."

Google Cloud's Threat Horizons Report found weak or absent credentials accounted for 47.1% of cloud incidents in the first half of 2025, with misconfigurations adding 29.4%. Those numbers have held steady across consecutive reporting periods. This is chronic, not emerging.

What this means in practice

Sysdig documented an attack chain where compromised credentials led to full AWS admin access in eight minutes. Attackers with valid credentials don't need to exploit anything. They log in.

The industrial scale matters here. Adversaries are running this as a business model, complete with organizational specialization and revenue targets. They've abandoned email as an entry vector because personal messaging channels and social platforms work better. Traditional security stacks optimized for email-based threats miss the initial compromise entirely.

The real question is the monitoring gap between credential compromise and the cloud IAM pivot. Most organizations can detect the malicious package. Few can detect what happens next.