Get Your Free Report
Start for Free
SOCRadar® Cyber Intelligence Inc. | The AI Agent Credential Crisis: From Stealer Log to Source Code
Jul 09, 2026
16 Mins Read
Moon

The AI Agent Credential Crisis: From Stealer Log to Source Code

AI coding tools now hold credentials that reach into source code repositories, cloud infrastructure, CI/CD pipelines, and connected services all at once. A single compromised developer machine can expose an organization’s entire software supply chain.

Our research team analyzed stealer log data across major AI and developer platforms throughout 2025. We found over 3.1 million compromised credential records tied to OpenAI alone, with total exposure across all analyzed platforms exceeding 3 million accounts. Three malware families account for 86% of observed logs. The geographic spread covers every major region, following population size and internet adoption rather than AI market revenue.

The core problem is structural. Developers adopt AI tools on personal devices, reuse credentials, and authorize broad access scopes, often without IT visibility. Meanwhile, infostealer malware harvests everything on the machine without distinguishing personal from corporate. The result is credential exposure that most organizations cannot see and do not control.

Executive Summary

  • AI coding tools have become standard in the modern development workflow. These tools routinely hold credentials that grant access to source code, cloud infrastructure, deployment pipelines, and connected business services simultaneously. A single compromised developer machine can now serve as an entry point into an organization’s entire software supply chain.
  • Our research team analyzed credential exposure across major AI and developer platforms throughout 2025 and we identified over 3.1 million compromised credential records associated with OpenAI alone. Total exposure across all analyzed platforms exceeded 3 million accounts over the year. The geographic distribution spans every major region, with the top ten countries accounting for roughly 45% of observed victims and the rest spread across the world. Three malware families are responsible for 86% of all observed logs.
  • Two factors make this problem structural rather than episodic. First, the credential theft that feeds these markets is broad and automated, not targeted. Country rankings follow population size and internet adoption and not AI market revenue. Organizations do not need to be singled out to be affected. Second, developers increasingly use AI tools outside corporate security perimeters, on personal devices, with shared accounts and reused credentials, creating exposure that most organizations have limited visibility into.
  • Law enforcement operations in 2025 produced measurable but temporary results. The May 2025 Lumma takedown led to a 42% decline in observed volumes, but by Q4, the ecosystem had recovered to near-peak levels. The underlying infrastructure is resilient, commercially operated, and scaling alongside AI adoption.
  • Organizations should treat this as an access governance challenge, not just a credential hygiene issue. Priorities include auditing AI tool adoption across the developer workforce, enforcing separation between personal and corporate access paths, and establishing continuous monitoring for credential exposure in underground markets.

The Problem

A developer’s stolen username and password is a problem.

When that developer uses an AI coding agent connected to GitHub, GitLab, cloud infrastructure, and CI/CD pipelines, it is a bigger problem.

A single compromised credential today is connected to more apps and services than a developer’s entire toolchain five years ago.

At SOCRadar, we have tracked the stealer log landscape long enough to see it shift from a niche threat to an industrial-scale operation. Billions of stolen login credentials now circulate across Dark Web forums, with fresh logs feeding new records into this pool almost weekly.

When it comes to credential risk, most organizations treat them as a problem they can clean up and move past. But if the stealer malware is still on the system, every rotated password and updated username gets sent to the threat actor the moment it is created.

With that knowledge in mind, we should think about the adoption rate for AI coding tools, which is accelerating fast. These agents hold OAuth tokens, API keys, and session cookies that grant access far beyond what a simple password would.

What do you think is going to happen when stealer malware meets the new world of AI-powered development?

The Credential Supply Chain: From Infected Machine to Dark Web Marketplace

How Credentials Get Stolen

The primary vector is infostealer malware. These programs extract saved credentials, session cookies, authentication tokens, and configuration files from infected endpoints, then exfiltrate the data to attacker-controlled infrastructure. Common infection methods include trojanized software, malvertising campaigns, and fraudulent CAPTCHA verification pages. In most cases, the victim is not individually targeted.

The exfiltrated data is packaged into structured “stealer logs,” each representing the full credential footprint of a single compromised device. These logs are traded in bulk across Dark Web marketplaces and Telegram channels, where buyers can filter by target domain, geography, or credential type. The ecosystem operates on a service model, with separate actors handling malware development, distribution, and monetization.

Credential extraction cycle

Credential extraction cycle

What Gets Harvested

Modern infostealers do not just grab passwords. They extract:

  • Browser-saved credentials, autofill data
  • Active session cookies (which bypass MFA entirely)
  • Authentication tokens for GitHub, GitLab, AWS, Azure, and GCP
  • SSH keys and local configuration files
  • Cryptocurrency wallet data

The Geography of Infection

Infostealer campaigns are broad and indiscriminate. Operators distribute malware through pirated software repositories, malvertising networks, and compromised websites with the goal of infecting as many machines as possible. There is no pre-selected target. The targeting happens after the theft, not before.

Malware distribution dynamics

Malware distribution dynamics

Once logs are collected and listed on underground marketplaces, buyers can filter for what they need. A ransomware operator can search for VPN credentials, an initial access broker looks for cloud console sessions, and someone after source code can filter for GitHub or GitLab tokens.

This is why infections span every geography, industry, and company size. The patterns in stealer log data reflect where people are and what tools they use, not who the attackers intended to reach. A developer does not need to be a high-value target to get infected.

Geographical distribution of stealer logs related to ai supported developer tools

Geographical distribution of stealer logs related to ai supported developer tools

AI Coding Agents: The Multiplier Effect

Why Agent Credentials Are Different

A traditional stolen password gives access to one account. A stolen AI coding agent credential can be far more dangerous, because these agents are designed to interact with many systems simultaneously.

Consider what a typical AI coding agent (Claude Code, GitHub Copilot, Cursor, OpenAI Codex, or similar tools) holds during a working session:

  • Repository access: OAuth tokens scoped to every repository the developer authorized
  • Cloud credentials: AWS access keys, GCP service account tokens, Azure connection strings
  • CI/CD pipeline access: Tokens for GitHub Actions, Jenkins, CircleCI
  • Package registry credentials: npm, PyPI, Artifactory tokens
  • Environment variables: Database connection strings, payment processor API keys, third-party service secrets
  • MCP server connections: Integrations with Slack, Jira, Sentry, and dozens of other services

Credential exposure between AI agents and traditional systems

Credential exposure between AI agents and traditional systems

Shadow AI

Most organizations have limited visibility into which AI tools their developers are actually using. Developers adopt Cursor, Copilot, Replit, Claude Code, and similar tools because they increase productivity. In many cases, this happens without IT approval, without centralized credential management, and without endpoint security policies covering the tool.

The risk compounds when you account for how developers actually work. Most write code outside of their employment: side projects, open source, freelancing, experimentation. The AI tools they use for personal work are often the same ones they use at work, sometimes on the same accounts, sometimes with the same passwords. When a developer’s personal device is infected, and that device holds credentials that overlap with their corporate environment, the organization is exposed through an endpoint it does not control and may not know exists.

Infostealer malware does not distinguish between a personal machine and a work machine. It harvests everything. Among the stolen credentials can be logins for an AI coding tool that also holds OAuth tokens to the company’s GitHub organization, cloud console, or CI/CD pipeline. Those credentials appear on a Dark Web marketplace; a buyer filters for corporate domains, and the organization is compromised through a device that was never under its security perimeter.

Possible ways accounts can overlap and create risks:

  • Same AI tool, same account: A developer uses one Cursor or Copilot account for both personal projects and corporate work. One compromised session exposes both environments.
  • Reused passwords: The password for a personal GitHub account is the same as the one for the corporate GitHub organization, cloud console, or internal tools.
  • Synced browser profiles: Chrome or Edge sync carries saved passwords, session cookies, and autofill data across personal and work devices. An infection on one device harvests credentials for both.
  • Personal GitHub account with corporate org access: A developer uses their personal GitHub account to access the company’s private repositories. The account lives on their personal machine, outside corporate endpoint protection.
  • Shared API keys in local config files: .env files, .claude/settings.json, or MCP configs on a personal laptop contain tokens scoped to corporate infrastructure.
  • Same AI tool with corporate OAuth grants: A personal Cursor or Claude Code installation holds OAuth tokens authorized against the company’s GitHub org, Jira, or Slack. The developer authorized the scope once and forgot about it.
  • Shared machines at home: A developer’s personal computer is also used by family members. The infostealer arrives through someone else’s download, but harvests the developer’s stored credentials.

Stealer Log Exposure Across AI Platforms: What the Data Shows

Our research team analyzed credential exposure across major AI and developer platforms, filtering stealer log records by registered domain, geographic origin, malware family, operating system, and time period to build a detailed picture of how AI tool credentials circulate in underground markets.

The data we present in the following sections covers the full calendar year of 2025. We examine which AI platforms carry the highest credential exposure, how that exposure distributes across countries, which infostealer families account for the majority of harvested records, and how infection volumes shifted quarter by quarter.

Distribution of Stealer Logs by Application

Distribution of Stealer Logs by Application

Distribution of Stealer Logs by Application

Among the selected services and applications, OpenAI dominates the dataset with over 3.1 million compromised credentials, more than 15 times the next closest platform. This concentration reflects both OpenAI’s market share and the fact that openai.com captures both ChatGPT consumer logins and API developer accounts.

Below the OpenAI peak, a second tier of platforms emerges that maps directly to the modern AI-assisted development workflow. Replit (204K) and Hugging Face (186K) are platforms where developers build, train, and deploy code and models. Credentials for these services often carry write access to repositories, datasets, and deployment pipelines. RunwayML (95K), while primarily a creative AI tool, follows a similar pattern: authenticated sessions that link to cloud storage, project files, and billing infrastructure.

These are small numbers compared to OpenAI’s millions, but each one represents a high-value developer endpoint with broad lateral access potential.

Distribution of Stealer Logs by Time

Distribution of Stealer Logs by Time

Distribution of Stealer Logs by Time

The quarterly distribution follows a U-shaped pattern across 2025, with peak volumes in Q1 (953K) and Q4 (857K) separated by a significant mid-year dip that bottoms out in Q3 (553K). Total volume across the year exceeds 3 million compromised accounts tied to AI and developer platforms.

We assess that the Q1 spike reflects two converging factors. First, the early months of 2025 saw aggressive AI tool adoption across the developer community, with platforms like OpenAI, Replit, and Hugging Face onboarding users at record pace. More signups mean more credentials stored in browsers, and more credentials stored in browsers mean more harvest for infostealers already running on infected machines. Second, the dominant stealer families at the start of 2025, particularly LummaC2 and Vidar, were operating at full capacity with mature distribution networks and established marketplace channels.

The drop from Q1 to Q3, a 42% decline, aligns with a well-documented disruption event. In May 2025, a coordinated law enforcement operation neutralized thousands of LummaC2 command-and-control domains. Lumma was the most widely deployed infostealer at the time. The takedown did not kill the operation permanently, but it created several months of reduced output as operators migrated to bulletproof hosting, rebuilt infrastructure, and adopted new evasion techniques. The Q2 and Q3 numbers bear the signature of that disruption.

The Q4 recovery to 857K shows how temporary these wins tend to be. By late 2025, Lumma operators had reconstituted their networks, and newer families like Acreed and MacSync were filling the gap.

Distribution of Stealer Logs by Country

Distribution of Stealer Logs by Country

Distribution of Stealer Logs by Country

The country distribution is dominated by nations with large populations and high internet adoption rather than the largest AI markets by revenue. This is consistent with how stealer log infections actually work: they follow exposure to risky downloads, not the strategic value of the victim.

  • India sits at the top with just over 10% of observed records. We attribute this to the size of its developer base and the prevalence of freelancers working from personal machines.
  • Brazil, Indonesia, Vietnam, the Philippines, and Pakistan follow the same pattern: fast-growing tech populations, high desktop and mobile usage, and broad exposure to the consumer-grade infection vectors that drive stealer campaigns.
  • The United States, at just under 6%, ranks lower in volume but carries disproportionate weight per credential given the concentration of enterprise accounts and privileged cloud access on US developer machines.
  • Egypt, Turkey, and France each fall in the 2% to 3% range, with France standing as the only Western European country in the top ten.

These listed countries collectively account for roughly 45% of observed victims, meaning the majority of exposure is distributed across the rest of the world. This geography reflects where the malware happens to land and many of the countries at the top share a structural condition worth noting: large and growing AI developer communities paired with limited access to enterprise security tools, managed devices, or corporate endpoint protection.

Distribution of Stealer Logs by Country

Distribution of Stealer Logs by Country

Distribution of Stealer Logs by Country

Lumma (also tracked as LummaC2) accounts for over 56% of the observed logs. It is currently the most widely deployed infostealer globally, distributed under a subscription-based malware-as-a-service model and actively maintained with frequent updates designed to evade evolving browser-level protections. Its dominance in this dataset does not indicate a specialized focus on AI or developer platforms. Rather, it reflects Lumma’s overall market share across the stealer ecosystem.

RedLine follows at just under 17%. RedLine held the leading position across stealer log marketplaces for several years before being displaced by Lumma. Its continued presence in our dataset indicates that legacy infections are still producing actionable logs, and that a portion of operators maintain established tooling rather than migrating to newer alternatives.

StealC accounts for approximately 13%, completing the top three. Collectively, Lumma, RedLine, and StealC represent roughly 86% of all logs observed in our analysis. This level of concentration is consistent with what we observe across other credential categories. These three families dominate stealer log output globally, and their prevalence in AI platform exposure is a function of their overall operational footprint rather than any deliberate targeting of developer environments.

Distribution of Stealer Logs by Operating System

Distribution of Stealer Logs by Operating System

Distribution of Stealer Logs by Operating System

Out of roughly 704.000 infected machines in the dataset, more than 691.000 are running some version of Windows, which is over 98%. The “Other” category, which covers macOS, Linux, and anything else, sits at less than 2 percent. Windows dominate the infected population in our dataset.

This doesn’t tell us exactly what operating system developers generally prefer since stealer malware skews heavily toward Windows, and not every victim is a developer. But it does indicate that compromised AI tool credentials overwhelmingly originate from Windows machines.

That said, developers using AI platforms are not a separate, more secure population than general consumers. They use the same operating systems, the same browsers, and the same password managers, and they are infected through the same vectors. This data therefore serves as a reasonable picture of the broader risk landscape.

What Organizations Should Do

  • Treat the endpoint, not just the credential. Credential rotation does not resolve the risk while stealer malware remains active on a device. When a credential appears in a stealer log, the response should begin with endpoint isolation and remediation. Rotation comes after.
  • Gain visibility into AI tool adoption. Security teams should audit which AI coding tools developers use, how those tools authenticate, and what access scopes they hold, particularly OAuth grants connected to repositories, cloud infrastructure, and CI/CD pipelines.
  • Separate personal and corporate access paths. Enforce dedicated corporate accounts for AI tools, prohibit the use of personal GitHub accounts for organizational repository access, and restrict authentication to managed devices through conditional access policies.
  • Scope agent permissions to the minimum required. Every OAuth grant, API key, and MCP integration connected to a coding agent should be reviewed and reduced to the narrowest scope necessary for the task.
  • Monitor for stealer log exposure continuously. Fresh logs enter underground markets weekly. Organizations should integrate stealer log monitoring into security operations, with automated alerts when corporate domains or employee credentials appear in newly indexed logs.
  • Prioritize detection for dominant malware families. Three families, Lumma, RedLine, and StealC, account for 86% of observed logs. Aligning detection rules and threat intelligence feeds to these families addresses the majority of the credential risk.
  • Extend security requirements to external developers. Credential exposure is concentrated in countries with large freelance communities. Organizations relying on third-party developers should extend credential monitoring and endpoint security policies beyond internal employees.

Conclusion

The Dark Web credential economy and the AI coding agent revolution are on a collision course. Every developer credential that appears in an infostealer log is now a potential key to entire source code repositories, cloud infrastructure, and production environments. The geographic spread of infostealer infections, concentrated in countries with large and growing developer populations, means this is a global problem with no regional safe zone.

The organizations that survive this threat will be the ones that treat developer machine security, agent identity governance, and credential lifecycle management as interconnected parts of the same problem. The window between credential theft and exploitation is shrinking. In many documented cases, it is measured in hours.