Recent cybersecurity incidents, such as the Nx “s1ngularity” and Shai-Hulud worm attacks, have highlighted the vulnerabilities in developer workflows, particularly around credential security. These events, which involved the unauthorized harvesting and misuse of credentials, prompted GitHub to implement stricter security measures for npm, focusing on short-lived, granular tokens and two-factor authentication (2FA) to reduce risk. The use of WebAuthn/FIDO 2FA for accounts with write access is encouraged to prevent phishing attacks and unauthorized access. Additionally, there's a push to replace long-lived tokens in automation with short-lived identity assertions via OpenID Connect (OIDC), which are more secure as they expire quickly, leaving nothing static to be exploited. The importance of setting deny-by-default configurations and explicit authorization for sensitive actions is emphasized to prevent configuration creep and ensure security defaults remain robust. Tools like GitGuardian offer solutions for identifying and managing hidden long-lived keys, enabling organizations to adopt these best practices more effectively. These security enhancements aim to ensure that compromised credentials do not become widespread issues across platforms and ecosystems.