A Hacked npm Package Shows Why German Companies Can’t Afford to Ignore Employee Offboarding
06.06.2026 - 03:06:44 | boerse-global.de
When attackers breached the official npm registry in late May 2026, they didn’t exploit a zero-day vulnerability. They used the login credentials of a former employee. The “Miasma” supply-chain attack, as it became known, poisoned legitimate packages and spread through the software ecosystem. The method was simple, the consequence severe — and entirely preventable.
That incident has thrown a harsh light on a problem that most German employers already know exists but seldom fix. According to industry data from 2026, only 2.6 percent of all permissions granted to employees are ever actually used. The rest sit dormant, often in accounts belonging to people who left the company months or years earlier. Every unused credential is a door left ajar.
Record turnover meets unprepared managers
The risk multiplies as worker mobility rises. The HR Works termination report for 2026 puts Germany’s overall separation rate at 30 percent — a record high, up from 19 percent in 2021. Retail is especially volatile, with voluntary resignations running at 18 percent. Nearly half of all departures across the economy occurred in the 2024–2025 period alone.
Yet most organisations still lack a structured way to handle the exit process. Kienbaum’s „Trennungsmanagement 4.0“ study found that only two out of three companies operate a dedicated separation strategy. The gap is most acute among line managers: 66 percent say they feel poorly prepared to conduct termination meetings.
A fair offboarding procedure matters directly to employer brand and the trust of remaining teams, experts argue. Communication, appreciation and honesty rank as the three pillars of a good process. At the same time, employment contracts and supplementary agreements must be managed lawfully across the entire lifecycle — from creation to archiving — otherwise deadlines slip or GDPR violations occur.
GitLab cuts 14 percent, restructures R&D
The urgency of professional offboarding is not limited to small or mid-sized firms. GitLab announced it would eliminate roughly 350 positions, representing 14 percent of its workforce. The company cited a flattening of hierarchies and a reorganisation of its research and development divisions. Restructuring costs are estimated at $30 million to $35 million.
Mass layoffs of this scale require precise control over system access rights. Disabling a directory or SSO account is only the first step: publish tokens, SSH keys and CI secrets issued to a person stay valid until each one is revoked on its own. When that control fails, as the Miasma attack showed, the damage can ripple far beyond the company itself.
NIS-2 raises the legal bar
The European NIS-2 directive lists access-control policies and human-resources security among the minimum risk-management measures it requires (Article 21), and supervisory authorities may ask for evidence that those measures work. For offboarding that means a documented, reliable process for disabling accounts and revoking tokens when an employee leaves, with records showing it actually happened. It is no longer enough to promise that something will happen; firms must prove it.
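A reconciliation of this kind, as an added example that is not from the article nor from any organisation it names: it joins an HR leaver list against directory accounts and long-lived tokens and reports what should have been disabled, and it also covers the dormant-credential problem described earlier. The field names, the 90-day idle threshold, the grace period and all sample data are constructed assumptions, not the export format of any real HR system, identity provider or registry.

```python
"""Leaver reconciliation: produce evidence that offboarding actually happened.

Added example. All data below is constructed and every field name is an
assumption, not the export format of a real HR system, IdP or registry.
"""
from datetime import date, timedelta

# Constructed: leavers as exported from HR (assumed fields: user, left_on).
HR_DEPARTURES = [
    {"user": "alice", "left_on": "2026-04-30"},
    {"user": "bob", "left_on": "2026-05-15"},
]

# Constructed: directory / SSO accounts (assumed fields: user, enabled).
ACCOUNTS = [
    {"user": "alice", "enabled": False},
    {"user": "bob", "enabled": True},
    {"user": "carol", "enabled": True},
]

# Constructed: long-lived publish/API tokens (assumed fields). alice's account
# is disabled but her token is not: tokens live on until revoked individually.
TOKENS = [
    {"id": "tok-1", "user": "alice", "created": "2026-01-10", "last_used": "2026-05-20", "revoked": False},
    {"id": "tok-2", "user": "bob", "created": "2025-11-02", "last_used": "2026-05-28", "revoked": False},
    {"id": "tok-3", "user": "carol", "created": "2025-06-01", "last_used": "2025-12-01", "revoked": False},
    {"id": "tok-4", "user": "carol", "created": "2026-05-01", "last_used": "2026-06-01", "revoked": False},
]


def _as_date(value):
    """Accept either a date or an ISO-8601 string."""
    return value if isinstance(value, date) else date.fromisoformat(value)


def _leaving_dates(departures):
    return {d["user"]: _as_date(d["left_on"]) for d in departures}


def find_stale_leavers(departures, accounts, as_of, grace_days=0):
    """Accounts still enabled once the leaving date plus grace period has passed."""
    as_of = _as_date(as_of)
    left = _leaving_dates(departures)
    findings = []
    for acct in accounts:
        left_on = left.get(acct["user"])
        if left_on is None or not acct["enabled"]:
            continue
        deadline = left_on + timedelta(days=grace_days)
        if as_of > deadline:
            findings.append({"user": acct["user"],
                             "issue": "account_enabled_after_departure",
                             "days_overdue": (as_of - deadline).days})
    return findings


def find_orphaned_tokens(departures, tokens):
    """Unrevoked tokens owned by leavers. Use *after* the leaving date means
    someone (the leaver, or whoever now holds the token) is still active."""
    left = _leaving_dates(departures)
    findings = []
    for tok in tokens:
        left_on = left.get(tok["user"])
        if tok["revoked"] or left_on is None:
            continue
        used_after = tok["last_used"] is not None and _as_date(tok["last_used"]) > left_on
        findings.append({"token": tok["id"], "user": tok["user"],
                         "issue": "token_used_after_departure" if used_after else "token_not_revoked"})
    return findings


def find_dormant_tokens(tokens, as_of, max_idle_days=90):
    """Unrevoked tokens nobody has used for max_idle_days: the door left ajar."""
    as_of = _as_date(as_of)
    findings = []
    for tok in tokens:
        if tok["revoked"]:
            continue
        last = _as_date(tok["last_used"] or tok["created"])
        idle = (as_of - last).days
        if idle > max_idle_days:
            findings.append({"token": tok["id"], "user": tok["user"], "idle_days": idle})
    return findings


def offboarding_report(departures, accounts, tokens, as_of):
    """Combined, dated report; an empty one is the auditable evidence."""
    as_of = _as_date(as_of)
    return {
        "as_of": as_of.isoformat(),
        "stale_leavers": find_stale_leavers(departures, accounts, as_of),
        "orphaned_tokens": find_orphaned_tokens(departures, tokens),
        "dormant_tokens": find_dormant_tokens(tokens, as_of),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(offboarding_report(HR_DEPARTURES, ACCOUNTS, TOKENS, "2026-06-06"), indent=2))
```

Run against the constructed data as of 6 June 2026, the report flags bob's still-enabled account, both leavers' tokens as used after their leaving dates (alice's although her account was disabled), and carol's token that has sat unused for about six months. In practice the three inputs come from the HR system, the identity provider and the token inventory of each registry or CI system, and the dated report is kept as the record the directive asks for.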
A separate layer of risk comes from artificial intelligence. A study by Zscaler found that 59 percent of German companies neglect the risks associated with AI. Employees increasingly use tools such as ChatGPT or autonomous AI agents. When they leave the organisation, those data streams and shadow-AI applications must also be shut down. The German Research Center for Artificial Intelligence (DFKI) has developed a browser extension called „Privacy Guardrail“ that aims to anonymise sensitive information before it ever reaches an AI model.
Taken together, the combination of record turnover, regulatory pressure and uncontrolled AI use means that offboarding can no longer be an afterthought. In 2026, a messy exit is not just a reputational problem; it is a security incident waiting to happen.