Skip to Main Content
Back to blog

Don’t bring exposed developer credentials to Black Hat

by Eric Eddy

July 9, 2026 - 6 min

Isometric illustration of the 1Password logo at the center of a network, connected by lines to floating icons representing SSH keys, API keys, an AI agent, and credential surfaces, set against a deep blue grid background.

Related Categories

Black Hat is where the security industry gathers to compare notes on what works. In recent years, supply chain attacks have been a recurring topic, and the 2026 Verizon Data Breach Investigations Report shows security teams are struggling to find a solution. According to the report, third-party involvement increased by 60% over the last year and now accounts for 48% of all breaches. These breaches are often the result of insecure authentication, such as missing MFA or improper credential rotation, and a lack of least-privilege enforcement for users or service accounts. Teams have spent years shifting left by hardening their supply chain with SBOM (software bill of material) tooling, package signing, and dependency scanners, but the pattern continues.

Supply chain attackers are successful because they know exactly where credentials land by default.  For many organizations, API keys land in .env files because that’s how the documentation shows it. AWS credentials live in ~/.aws/credentials because the CLI writes them there by default. Developers aren’t choosing to be reckless; they’re working with the tooling, documentation, and goals laid out for them, which sometimes create trade-offs that prioritize efficiency over security. Once a credential is out there, rotation requires knowing every system using it and coordinating a cutover without causing an outage. That operational complexity makes rotation a project most teams never get to, leaving the credential lurking in the dark, quietly, until something finds it.

Supply chain attackers have built their entire playbook around this reality. The malicious postinstall hook does not search. It enumerates hardcoded paths because every tool in the developer's stack writes credentials to the same location on every machine: .env in the working directory, ~/.aws/credentials, shell history, .npmrc, .pypirc. The compromised package installs cleanly, and the credentials are gone before your terminal prompt returns. 

These workflows won’t be solved by additional policy that creates additional tasks or leaves room for workarounds. At 1Password, we believe that the secure path should be the easy one. Shift left becomes reality when vaulting a credential takes less effort than dropping it in a .env file; teams will choose it by default. The malicious postinstall hook targeting credentials on disk finds nothing to exfiltrate.

That is the problem we are focusing on at Black Hat.

What you’ll see at our booth 4735

We could have run demos all week, instead, we built a fun competition. Put your skills to the test with “Operation: Harden the Build,” where you have 60 seconds on a live macOS terminal with a real 1Password vault and 10 security scenarios drawn from everyday DevSecOps failures. Can you secure the terminal? Winners will receive prizes and the notoriety of having their name on the conference leaderboard.

New products and features debuting at Black Hat 

Our live demo covers every stage of the developer secret lifecycle. Without changing how you build today, we’ll show you how to discover, secure, and broker credentials so they never sit in plaintext on a machine or in a pipeline environment. It also includes new product and feature releases from 1Password that show how removing credentials from the disk leaves the postinstall hook with nothing to exfiltrate.

1Password continues to expand its Environments capabilities across the developer credential surface, from local machines to CI/CD pipelines to AI agents. 1Password Environments loads secrets on demand, so the .env file isn't available to read. 

1Password Credential Broker, currently in private beta, eliminates standing pipeline credentials so workloads get access when they need it and lose it when the job is done. 

Secure Agentic Autofill delivers credentials in memory, scoped to the task for AI-coding agents, while the local MCP server connects directly to 1Password Environments, keeping raw values out of the AI context window.

Developer Watchtower scans your local disk for exposed SSH keys, flags what’s vulnerable, and walks you through remediation. By Black Hat, we will enhance Developer Watchtower to discover and vault even more developer secrets. 

Get a head start before you arrive

Today, 1Password discovers and vaults SSH keys already on disk, securing credentials before an attacker discovers them. SSH keys are one file type in a much wider plaintext credential surface on developer machines. We’re not stopping there, so come to our booth to see live what other developer credentials we are bringing into our discovery and vaulting scope.

1password.dev just shipped as our new developer home, with workflow-based getting-started guides and videos for every major tool area, from Environments to SSH, Git, the CLI, and SDKs for Go, JavaScript, and Python, as well as integrations. Each guide follows a clear path from setup to working integration, organized around how to build them rather than how the reference docs are structured.

If you build with AI coding assistants, the site serves llms.txt and llms-full.txt at the root, and every docs page is accessible as Markdown by appending .md to any URL. Cursor, Copilot, Windsurf, and Claude can pull 1Password documentation directly. Enter Ctrl+K on any page, ask in plain language, and get a direct answer with links to the relevant pages.

You can close most of the attack surface before you land in Vegas. 

Run 1Password Watchtower to surface credentials sitting on your machine and vault what it finds so your secrets are secured before Black Hat. Your Developer Watchtower score is a live measure of your credential attack surface. Find us at booth 4735 and tell any 1Password team member your Watchtower score to claim your prize. You don’t need to be an existing customer to start. Every plan includes a free 14-day trial at 1password.com. If you want to connect with the practitioners already building with our developer tools, join the developer community at 1password.dev/community.

Find us at Mandalay Bay

We will be there August 1 through 6. Bring your hardest supply chain scenario from the past year. That is the conversation we came to have.

The attacker knows what's on your disk. Do you?

Every 1Password plan includes a free 14-day trial. Run Developer Watchtower before Black Hat, vault what you find, and remember your score to claim your prize at booth 4735.

The attacker knows what's on your disk. Do you?

Every 1Password plan includes a free 14-day trial. Run Developer Watchtower before Black Hat, vault what you find, and remember your score to claim your prize at booth 4735.