Discovery finds it. Governance restricts it. Detection watches it. Response contains it. Every layer does its job correctly, and the same credential is still valid three systems away. This is the curse the design layer exists to break.
Every stage of incident response — discovery, patching, disclosure, rotation — does exactly what it's supposed to do, and none of them touch the credential itself until after it's already real and already capable of reaching whatever it was ever scoped to reach. That's the downstream trap: you can do everything right, on schedule, and the same key is still valid three systems away, in a sub-agent nobody knew existed, because nothing in the response pipeline was built to ask whether it needed to be real in the first place.
When JADEPUFFER reached a Langflow instance through a year-old patched vulnerability, it didn't create a new blast radius — it found the one that already existed: a default MinIO login, a default Nacos signing key, a root MySQL account. FortiBleed's hundreds of thousands of exposed devices weren't exploitable when the harvesting campaign started; they were exploitable the moment their credentials went unrotated, and the campaign simply found them. When Amazon Q's MCP vulnerability was patched, the fix added a consent step before a workspace file could spawn a process — it did nothing to change what that process inherits once consent is given: the real AWS keys, the real API tokens, the real SSH socket, exactly as before.
That's the trap, precisely: a patch is scoped to the vulnerability, not to the credential. It stops new access through one specific path. It cannot reach into every system that already trusted a credential the vulnerability exposed, because the patch doesn't know where that credential went — and by design, most systems don't ask. GitGuardian's own data shows the scale of this: 64% of credentials confirmed as leaked in 2022 were still active and exploitable in January 2026, four years later. That's not a rotation program failing occasionally — that's the downstream cascade continuing quietly, long after the original incident was closed and reported.
That question only gets answered before the incident, or it doesn't get answered. Full piece, with the JADEPUFFER, FortiBleed, Amazon Q, and ServiceNow timelines mapped out in detail, is on the DevFortress blog → devfortress.net/blog/the-downstream-trap
Try DevFortress:
→ Open-core platform (free, BUSL-1.1): github.com/duncan982/devfortress-core
→ SDK (free, BUSL-1.1): npm install devfortress-sdk
→ Textbook: DevFortress Master Edition — https://devfortress.gumroad.com/l/master-edition
→ Newsletter: devfortress.substack.com
DevFortress · Patent Pending — KIPI KE/P/2026/005970–005973
Top comments (0)