Secrets & Credential Leaks
Secrets management and credential leak prevention address one of the most common and impactful security failures in modern software development. Hardcoded API keys, database passwords, cloud credentials, and private keys regularly appear in source code repositories, CI/CD configurations, container images, client-side JavaScript, and log files. Tools like TruffleHog, GitLeaks, and GitHub Secret Scanning detect exposed credentials in repositories, while vault solutions like HashiCorp Vault, AWS Secrets Manager, and cloud KMS services provide secure runtime secret injection. The impact of leaked credentials can be devastating — exposed AWS keys can lead to full cloud account compromise within minutes, and leaked database credentials can result in complete data breaches. Prevention requires secrets scanning in CI/CD pipelines, pre-commit hooks, environment-based secret injection, and credential rotation policies.
| Date Added | Link | Excerpt |
|---|---|---|
| 2026-06-20 | 5 Node.js security code snippets every backend developer should know (beginner, 11 min read) | Library offering Node.js security code snippets covering the Permissions Model for restricting resource access, exemplified by preventing command injection in packages like `pdf-image`, and input validation using Fastify JSON schemas to mitigate SSRF and HTTP parameter pollution. It also touches upon secure password hashing with Bcrypt, and integrating tools like the Snyk VS Code extension to detect vulnerable dependencies. → snyk.io |
| 2026-06-20 | Threat Brief: Mitigating Large-Scale Credential Attacks (beginner, 4 min read) | Threat brief on "FortiBleed," a large-scale credential attack campaign targeting Fortinet, MSSQL, and Sophos devices, involving password spraying, configuration extraction, and offline cracking. The brief details threat actor techniques, recommends auditing remote access logs, and provides hardening guidelines such as requiring MFA, adopting Zero Trust Architecture, changing default credentials, disabling unused accounts, and updating software. Palo Alto Networks customers can leverage product protections and consulting services to defend against these attacks. → unit42.paloaltonetworks.com |
| 2026-06-19 | The full Snyk AI Security Platform, free for open source maintainers (news, 3 min read, AI) | Library offering open source maintainers free access to the Snyk AI Security Platform. This program prioritizes risk-based vulnerability management and automated remediation, including the Snyk Remediation Agent which generates validated, merge-ready fixes for Snyk Open Source and Snyk Code issues, aiming to accelerate the fixing process and combat rapidly shrinking exploit timelines. → snyk.io |
| 2026-06-18 | CISA Credentials Sensitive Data Exposed in GitHub Repository (news) | CISA has announced that sensitive data, including credentials, was exposed in a GitHub repository. The agency is investigating the incident, which was discovered on October 26th. CISA states that this data exposure did not impact their operational systems or compromise their mission-critical functions. Further details regarding the scope and specific nature of the exposed data have not yet been released. → securityboulevard.com |
| 2026-06-18 | Under the Radar: Exploring Spring Boot Actuator Misconfigurations (intermediate, 10 min read, RCE) | Library for analyzing Spring Boot Actuator misconfigurations that can expose sensitive data like environment variables and API keys, or even lead to remote code execution (RCE) through vulnerabilities like CVE-2022-22947 in Spring Cloud Gateway. It details common weaknesses such as publicly accessible heap dump files and gateway endpoints, which are prevalent in cloud environments and pose significant risks for initial access and lateral movement. → wiz.io |
| 2026-06-18 | The many ways to obtain credentials in AWS (intermediate, 5 min read, AuthN) | Library detailing numerous methods for obtaining AWS credentials, including IAM role credentials via the Instance Metadata Service (IMDSv1/v2), AWS SDK credential providers (environment variables, credential files), container credential URIs for ECS/EKS, EKS Pod Identities, IRSA, IoT certificate-based authentication, IAM Roles Anywhere, Cognito's GetCredentialsForIdentity, and DataSync's certificate authentication. → wiz.io |
| 2026-06-18 | Snyk Code now secures AI builds with support for LLM sources (beginner, 2 min read, AI) | Library for securing AI builds: Snyk Code now tracks data flows from LLM sources including OpenAI, HuggingFace, Anthropic, and Google. It performs taint analysis to detect untrusted data originating from LLM libraries, flagging potential vulnerabilities such as prompt injections leading to SQL injection or XSS. Any data returned from a supported LLM library is now treated as a source, ensuring developers are alerted to risks when integrating AI components. → snyk.io |
| 2026-06-18 | Finding and fixing exposed hardcoded secrets in your GitHub project with Snyk (intermediate, 4 min read) | Library for scanning Node.js projects for exposed hardcoded secrets and credentials, demonstrated with the Snyk goof project. It utilizes Snyk to identify vulnerabilities and then refactors code to leverage Doppler for centralized secret management, preventing secrets from being pushed to GitHub and enabling environment-specific configurations. The process involves adding secrets to Doppler and updating application code to use environment variables injected via the Doppler CLI. → snyk.io |
| 2026-06-17 | Wiz Research Uncovers Exposed DeepSeek Database Leaking Sensitive Information, Including Chat History (news, 4 min read) | Analysis of a publicly accessible ClickHouse database linked to DeepSeek, discovered by Wiz Research, reveals extensive exposure of sensitive information including over a million lines of chat history, secret keys, and backend details. This unauthenticated exposure allowed full control over database operations and potential privilege escalation, highlighting the critical risks of rapid AI adoption without corresponding infrastructure security. → wiz.io |
| 2026-06-17 | GitHub Action tj-actions/changed-files supply chain attack: everything you need to know (intermediate, 6 min read, Supply Chain) | Library for identifying and mitigating the CVE-2025-30066 supply chain attack affecting the tj-actions/changed-files GitHub Action. This attack, potentially linked to reviewdog/action-setup, injected malicious code that leaked secrets from affected repositories into workflow logs. The compromise leveraged a compromised GitHub personal access token for the tj-actions bot. Mitigation involves rotating leaked secrets, removing references to the compromised action, and pinning future dependencies to specific commit hashes. → wiz.io |
| 2026-06-17 | New GitHub Action supply chain attack: reviewdog/action-setup (news, 6 min read, Supply Chain) | Analysis of a GitHub Action supply chain attack targeting reviewdog/action-setup@v1 reveals a potential precursor to the tj-actions/changed-files compromise. This attack injected malicious code into CI workflows, dumping secrets from runner memory. Evidence suggests this impacted Coinbase, though their attempt was unsuccessful. Mitigation involves checking workflow logs for double-encoded base64 strings and rotating any exposed secrets, particularly custom ones. → wiz.io |
| 2026-06-17 | Want to avoid a data breach? Employ secrets detection (beginner, 10 min read) | Library for detecting secrets like API keys, passwords, and tokens in application code. It employs sophisticated patterns and regex to identify potentially exposed sensitive data, preventing data breaches. The library integrates with IDEs for real-time feedback and can be incorporated into CI/CD pipelines to fail builds upon secret detection, mitigating risks like unauthorized access, regulatory non-compliance, and loss of competitive advantage. → snyk.io |
| 2026-06-17 | Multiple JetBrains IDE plugins caught stealing AI keys (news, 5 min read, Supply Chain) | Library detailing a coordinated malware campaign impacting the JetBrains Marketplace. At least 15 IDE plugins, disguised as AI coding assistants, exfiltrate user-provided AI provider API keys (e.g., OpenAI, DeepSeek) to a hardcoded attacker-controlled server at 39.107.60[.]51. These plugins, published under seven vendor accounts and collectively installed nearly 70,000 times, bypass manual review by embedding malicious logic within otherwise functional features. The campaign, active since late 2025, also includes a paid tier where attackers resell stolen API keys. → aikido.dev |
| 2026-06-17 | Extending Our Mission With Developer Endpoint Protection (beginner, 5 min read) | Library extending ggshield for developer endpoint protection. It finds credentials on developer machines, including those accumulated in shell histories, config files, and AI agent artifacts. It employs local scanning and honeytokens for live attack detection, and integrates with enterprise deployment workflows, MDM solutions, and SIEM systems to secure the growing attack surface presented by AI coding agents like Cursor and GitHub Copilot. → blog.gitguardian.com |
| 2026-06-16 | Securing Cloud Databases: Best Practices with ClickHouse and Wiz (beginner, 13 min read) | Library for securing ClickHouse databases: this resource details best practices and out-of-the-box security controls in light of incidents like the DeepSeek AI breach. It highlights the importance of TLS encryption, administrator account authentication, and strict authorization policies, addressing misconfigurations such as publicly exposed instances without restrictions and default users without passwords. The library also covers ClickHouse's built-in features like RBAC and provides guidance to prevent data exposure in cloud environments. → wiz.io |
| 2026-06-16 | Gitguardian Agent Skills: Secret Detection and Remediation For AI-Assisted Development (beginner, 9 min read, AI) | Library of open-source GitGuardian Agent Skills designed to teach AI coding assistants secret detection and remediation workflows. These skills provide agents with playbooks for using the `ggshield` CLI and GitGuardian MCP server, covering tasks like scanning repositories for secrets, creating decoy credentials with honeytokens, auditing local machines, checking for leaked secrets using HasMySecretLeaked, and installing Git hooks to prevent secrets from entering history. The skills translate developer concerns into actionable security steps, ensuring consistent and audited security guidance within AI-assisted development environments. → blog.gitguardian.com |
| 2026-06-15 | Leaking Secrets in the Age of AI (beginner, 8 min read, AI) | Survey of AI-related secret leakages in public code repositories, highlighting that AI secrets constitute a disproportional majority of findings. It identifies Python notebook (.ipynb) files as a significant source of exposed secrets due to their mixed content and execution output, and notes pervasive leaks in `mcp.json` and AI agent config files for vendors like OpenAI and Anthropic. The analysis also points out gaps in current secrets scanning industry coverage, particularly with emerging AI vendor secrets. → wiz.io |
| 2026-06-15 | New Year, New Security Goals: Improve Your AppSec in 2025 (beginner, 3 min read, AI) | Library for enhancing application security in 2025: Snyk's auto-fix capabilities automate vulnerability remediation across code, dependencies, containers, and IaC. It emphasizes a balance of AI speed with human expertise, offering actionable insights and seamless integration into development workflows, while also highlighting the importance of securing AI-generated code and AI models against threats like poisoning and adversarial attacks. → snyk.io |
| 2026-06-14 | A new type of long-lived key on AWS: Bedrock API keys (beginner, 6 min read) | Reference analyzing long-lived and short-lived AWS Bedrock API keys. It details how long-lived keys are tied to IAM Users, potentially bypassing existing SCPs, and over-privileged by default with the `AmazonBedrockLimitedAccess` policy. Short-lived keys are generated client-side via presigned URLs and a new `bedrock:CallWithBearerToken` API. Both key types use a bearer token in the HTTPS header, unlike the typical sigv4. The entry notes these keys have already appeared in public GitHub repositories and recommends SCPs to deny `bedrock:CallWithBearerToken` to mitigate risks. → wiz.io |
| 2026-06-14 | Secrets Found. Owners Identified. Issues Fixed. (intermediate, 4 min read) | Library for detecting, prioritizing, and remediating secrets exposure across the SDLC, combining code scanning, cloud workload analysis, and vault data with blast radius context and AI-powered fixes. It validates findings against providers like GitHub and OpenAI, maps secrets to owners, and offers AI-generated remediation guidance, integrating directly into developer workflows. → wiz.io |
| 2026-06-14 | From Compromised Keys to Phishing Campaigns: Inside a Cloud Email Service Takeover (beginner, 7 min read, AuthN) | Analysis of a May 2025 SES abuse campaign reveals attackers compromising AWS access keys to escape Amazon Simple Email Service's sandbox. This involved multi-regional `PutAccountDetails` requests to gain production mode, followed by verifying attacker-owned and weakly protected legitimate domains. The campaign leveraged these to send phishing emails referencing tax forms, directing victims to credential theft sites masked by a traffic analysis service, highlighting the risks of SES misuse for large-scale phishing and monetizing leaked credentials. → wiz.io |
| 2026-06-14 | Reconstructing the TJ Actions Changed Files GitHub Actions Compromise (news, 7 min read, Supply Chain) | Analysis of the tj-actions/changed-files GitHub Actions compromise details how attackers leveraged orphaned Git commits and re-pointed release tags to inject malicious code. This code, when executed within a GitHub Action workflow, interrogated process memory to extract and exfiltrate encrypted secrets, exposing them in public action logs. The attack vector highlights the risks associated with compromised CI/CD pipelines and the importance of validating the integrity of trusted third-party actions. → snyk.io |
| 2026-06-13 | Old Passwords Die Hard: Abusing CREDHIST for offline credential recovery (intermediate) | Researchers have discovered a vulnerability called CREDHIST that allows attackers to recover old, forgotten passwords from systems. This exploit targets the credential history stored on compromised machines, enabling offline brute-force attacks to uncover plaintext passwords. The technique bypasses typical security measures designed to prevent such password recovery. Details of this vulnerability and its implications for security were presented, highlighting the risks associated with improperly managed credential storage. |
| 2026-06-13 | Dismantling a Critical Supply Chain Risk in VSCode Extension Marketplaces (news, 7 min read, Supply Chain) | Writeup detailing a critical supply chain risk in VSCode extension marketplaces, revealing over 550 validated secrets, including AI provider secrets, high-risk platform credentials for AWS and GitHub, and database secrets, leaked by publishers. Most alarmingly, over a hundred access tokens granting extension update privileges were found, potentially allowing attackers to distribute malware to hundreds of thousands of users across both VSCode and Open VSX marketplaces. The research identified dotfiles, .env files, and hardcoded credentials in source code as common leakage sources, prompting platform-level improvements and a notification campaign for impacted publishers. → wiz.io |
| 2026-06-13 | Exposure Report: 65% of Leading AI Companies Found with Verified Secret Leaks (news, 6 min read, AI) | Analysis of 50 leading AI companies reveals that 65% have verified secret leaks on GitHub, including API keys and sensitive credentials. These exposures were found not only in public repositories but also in deleted forks, gists, and developer accounts, often missed by traditional scanners. Notable leak cases involve companies like ElevenLabs and LangChain, with exposed API keys potentially granting access to organizational structures, training data, or private models. The findings highlight the critical need for robust secret scanning and secure development practices as AI companies scale. → wiz.io |
| 2026-06-12 | Introducing Posture Issues: Transform Security Findings into Actionable Outcomes (beginner, 4 min read, Bug Bounty) | Framework for managing security debt: Posture Issues consolidate findings within a single domain like vulnerabilities or secrets, transforming unmanaged backlogs into structured remediation projects. This approach facilitates meeting compliance requirements and SLAs, tackling large volumes of non-critical findings, and consolidating remediation efforts for improved security hygiene and long-term resilience, complementing existing Risk Issues for immediate threat mitigation. → wiz.io |
| 2026-06-12 | Code to Cloud Attacks: From Github PAT to Cloud Control Plane (intermediate, 7 min read, Supply Chain) | Writeup detailing threat actor techniques for exploiting compromised GitHub Personal Access Tokens (PATs) to gain unauthorized access to cloud environments. This includes discovering secrets within code using GitHub's API, executing malicious code via GitHub Actions, and exfiltrating cloud credentials. Attackers then leverage these credentials for cross-cloud lateral movement and defense evasion by deleting workflow logs. The writeup highlights risks associated with storing CSP credentials in GitHub Actions Secrets and plain-text keys in repositories, referencing supply-chain attacks like tj-actions and Shai-Hulud. → wiz.io |
| 2026-06-12 | When “Private” Isn't: The Security Risk of GPT Chats Leaking to Search Engines (news, 3 min read, AI) | Analysis of ChatGPT chat indexing by Google, Bing, and DuckDuckGo in July 2025, where a discoverability feature for shared links unintentionally exposed sensitive user conversations. This event highlights risks from insecure defaults and UI consent failures in LLM platforms, mirroring past incidents with Google Bard. Mitigation strategies include disabling search engine discoverability by default, improving UI warnings, and organizational adoption of enterprise LLMs and DLP tools. → snyk.io |
| 2026-06-11 | Snipping the Long Tail of Shai-Hulud 2.0 (advanced, 6 min read) | Analysis of the Shai-Hulud 2.0 worm reveals its persistence through mechanisms like private registries, cached packages, and a lingering OpenVSX IDE extension (asyncapi-preview v1.0.1). This "long tail" of infections impacted over ⅓ of the Fortune 100, with leaked credentials remaining valid, potentially linking to the Trust Wallet $7M exploit due to shared exfiltrated GitHub and Web Store credentials, and similar naming conventions. Wiz Research "snipped the tail" by coordinating a clean OpenVSX extension update. → wiz.io |
| 2026-06-11 | Hacking Moltbook: The AI Social Network Any Human Can Control (intermediate, 8 min read, AI, API Sec) | Writeup of Moltbook's Supabase misconfiguration, detailing how exposed API keys allowed unauthenticated read and write access to millions of API authentication tokens, 35,000 email addresses, and private messages. The vulnerability also revealed an 88:1 agent-to-human ratio and exposed plaintext OpenAI API keys within agent conversations, echoing previous issues like the DeepSeek data leak and Base44 Authentication Bypass. → wiz.io |
| 2026-06-11 | Wiz + Spotify Backstage: Security at the Developer’s Desk (beginner, 3 min read) | Plugin for Spotify Backstage that integrates Wiz Issues and Vulnerabilities, mapping Wiz Projects to Backstage components. Developers can search findings by rule, resource, or CVE, view vulnerability counts and severity, and seamlessly jump into Wiz for deeper investigation and remediation, bringing security context directly to the developer's workflow. → wiz.io |
| 2026-06-11 | npm Supply Chain Attack via Open Source maintainer compromise (news, 3 min read, Supply Chain) | Writeup detailing an npm supply chain attack where a maintainer's account was compromised via a phishing email. The attacker injected malicious code into popular npm packages, targeting crypto transactions by intercepting and modifying ETH value transfers and wallet approvals. The attack leveraged social engineering and bypassed security controls, impacting users who installed compromised package versions. Snyk provides tools like SCA and SBOM to detect and monitor affected projects, and a "Featured Zero-Day" report is available for Enterprise users. → snyk.io |
| 2026-06-11 | Zero-day Extensive NPM Package Compromise - Shai Hulud Supply Chain Attack (news, 5 min read, Supply Chain) | Analysis of the Shai-Hulud npm supply chain attack, which compromised hundreds of packages including @ctrl/tinycolor and ngx-bootstrap, detailing malicious `postinstall` scripts designed to exfiltrate cloud credentials and API keys. The attack leveraged GitHub Actions for data exfiltration and persistence, with affected versions like `ngx-bootstrap` 20.0.4-20.0.6 requiring immediate remediation, secret rotation, and system rebuilding. → snyk.io |
| 2026-06-11 | Compromised Rust crate onering performs code exfiltration (news, 3 min read, Supply Chain) | Analysis of a compromised Rust crate, "onering" (version 1.4.1), reveals a `build.rs` script designed for code exfiltration. This script harvests Git data, including the source code of the most recent commit, from the host project and exfiltrates it to a Sentry ingest endpoint disguised as telemetry. The compromise affects both the crates.io package and the maintainer's GitHub repository. → aikido.dev |
| 2026-06-11 | You Can't Secure What You Can't See: Making Non-Human Identities Governable (beginner, 4 min read, AuthN) | Library for governing non-human identities: GitGuardian NHI Governance provides a centralized, searchable inventory of machine identities across secrets managers, CI/CD, cloud IAM, Kubernetes, and SaaS platforms. It surfaces NHIs with their source, path, environment, risk level, and ownership status, enabling continuous governance by identifying public leaks, internal leaks, cross-environment secrets, reused credentials, long-lived secrets, and overprivileged identities. This context allows teams to understand dependencies before revoking or rotating credentials, shifting from reactive incident response to proactive security. → blog.gitguardian.com |
| 2026-06-10 | Keeping Secrets Out of Logs (beginner, 29 min read) | Library of techniques for preventing sensitive data, such as API keys, PII, and passwords, from being logged. This resource details common causes of secrets appearing in logs, including direct logging, "kitchen sink" objects, and configuration changes that expose debug-level information. It emphasizes that preventing secrets in logs requires a multi-layered defense-in-depth approach rather than a single solution. |
| 2026-06-10 | KICS GitHub Action Compromised: TeamPCP Strikes Again in Supply Chain Attack (news, 7 min read, Supply Chain) | Writeup detailing the supply chain attack on the KICS GitHub Action by TeamPCP, which involved credential-stealing malware targeting users between March 23rd and 24th UTC. The attack, similar to a previous one on Trivy, compromised 35 tags and leveraged a compromised service account to push malicious commits. The malware exfiltrates secrets via AES-256-CBC encryption, using the same RSA public key as the Trivy incident, and introduces a new Kubernetes-focused persistence mechanism. The report also notes concurrent compromises of OpenVSX extensions, cx-dev-assist and ast-results. → wiz.io |
| 2026-06-10 | Three’s a Crowd: TeamPCP trojanizes LiteLLM in Continuation of Campaign (news, 3 min read, Python, Supply Chain) | Analysis of TeamPCP's supply chain attack targeting LiteLLM versions 1.82.7 and 1.82.8, which abuse Python's `.pth` file mechanism for stealthy persistence and exfiltrate cloud credentials, CI/CD secrets, and keys to attacker-controlled domains like `checkmarx[.]zone` and `models[litellm][.]cloud`. This attack follows TeamPCP's prior compromises of Trivy, Checkmarx GitHub Actions, and OpenVSX extensions. → wiz.io |
| 2026-06-10 | Tracking TeamPCP: Investigating Post-Compromise Attacks Seen in the Wild (news, 5 min read, Supply Chain) | Writeup detailing post-compromise activities by the TeamPCP threat actor group, following supply chain attacks on Trivy, KICS, and LiteLLM. The analysis reveals TeamPCP's use of stolen cloud credentials and secrets, validated with tools like TruffleHog, to perform internal discovery across AWS services such as IAM, EC2, and ECS. The group leverages GitHub workflows and ECS Exec for code execution and lateral movement, employing Git cloning for data exfiltration from repositories and AWS services. Observed TTPs include unusual enumeration, secret validation, and deletion of workflow logs. → wiz.io |
| 2026-06-09 | Supply Chain Campaign Targets SAP npm Packages with Credential-Stealing Malware (news, 5 min read, Supply Chain) | Writeup of the "Mini Shai Hulud" supply chain campaign, detailing how TeamPCP trojanized SAP npm packages. The malware uses obfuscated payloads to harvest developer and CI/CD secrets from GitHub, npm, cloud providers, Kubernetes, and HashiCorp Vault. Exfiltration primarily occurs via attacker-controlled GitHub repositories, using techniques like the GraphQL API and fallback mechanisms for credential discovery. The campaign exhibits a Russian language guardrail, terminating execution if specific locale settings are detected. → wiz.io |
| 2026-06-09 | 280+ Leaky Skills: How OpenClaw & ClawHub Are Exposing API Keys and PII (news, 5 min read, AI) | Library that detects over 280 "Leaky Skills" in the ClawHub marketplace, exposing API keys and PII. Researchers found that 7.1% of agent skills, including popular ones like `moltyverse-email` and `buy-anything`, instruct AI agents to mishandle secrets by passing them through LLM context windows and outputting them in plaintext. The library identifies vulnerabilities such as verbatim output traps, PII exfiltration, log leakage, and hardcoded placeholders, providing a defense against insecure cognitive patterns in AI agents. → snyk.io |
| 2026-06-08 | The Worm That Keeps on Digging: TeamPCP Hits @antv in Latest Wave (news, 2 min read, Supply Chain) | Analysis of a software supply chain campaign, attributed to "TeamPCP," details the compromise of npm packages, GitHub Actions, and a VSCode extension. The malware harvests credentials, including GitHub tokens and SSH keys, using compromised packages like those in the @antv namespace and actions-cool/issues-helper, and establishes persistence via a Python backdoor at ~/.local/share/kitty/cat.py. It exfiltrates data to attacker-controlled GitHub repositories, identified by the description "niagA oG eW ereH :duluH-iahS." → wiz.io |
| 2026-06-08 | Hardcoding Security into Every Commit: The Future of Snyk Secrets (intermediate, 5 min read) | Library for detecting hardcoded secrets, designed to prevent "secret sprawl" and mitigate risks associated with AI-generated code and autonomous agents. It utilizes AI-powered, high-precision detection combining semantic and contextual analysis with custom regex. The library shifts left by integrating with IDEs and CLIs for real-time prevention, scans PR checks for merge-time detection, and offers unified reporting and ignore approval workflows within Snyk's broader AI Security Platform, addressing vulnerabilities exemplified by the ServiceNow Bodysnatcher incident. → snyk.io |
| 2026-06-08 | Malicious Release of elementary-data PyPI Package Steals Cloud Credentials from Data Engineers (news, 8 min read, Supply Chain) | Writeup detailing a supply chain attack on the elementary-data PyPI package, where attackers exploited a GitHub Actions script injection vulnerability to forge a malicious release. The compromised package, elementary-data==0.23.3, contained a credential-stealing payload activated by `.pth` files, targeting cloud provider secrets, SSH keys, container secrets, and cryptocurrency wallet files. This attack vector is similar to previous incidents involving the Ultralytics and LiteLLM packages. → snyk.io |
| 2026-06-08 | "A Mini Shai-Hulud Has Appeared": Bun-Based Stealer Hits SAP @cap-js and mbt npm Packages (news, 13 min read, Supply Chain) | Library for detecting the "Mini Shai-Hulud" campaign that targeted SAP's npm packages, including `mbt`, `@cap-js/db-service`, `@cap-js/sqlite`, and `@cap-js/postgres`. This campaign leveraged the Bun runtime to execute an obfuscated credential stealer, utilizing a preinstall hook and self-propagation code for autonomous npm publishing. The attack vector involved hijacking CI pipelines that lacked manual approval gates for releases. Snyk provides advisories and flags affected releases through `snyk test`. → snyk.io |
| 2026-06-08 | lightning PyPI Compromise: A Bun-Based Credential Stealer in Python (news, 11 min read, Supply Chain) | Library for analyzing a supply chain compromise affecting the `lightning` PyPI package. Versions 2.6.2 and 2.6.3 contained a Bun-based credential stealer, downloading the Bun runtime and executing an obfuscated JavaScript payload that harvested GitHub OAuth/PATs, npm tokens, and probed cloud metadata services. The stealer also performed repository poisoning via GitHub's `createCommitOnBranch` mutation and employed npm tarball worm logic for self-propagation. Snyk published advisory SNYK-PYTHON-LIGHTNING-16323121 covering the incident, which involved CWE-506 and a critical CVSS 4.0 base score of 9.3. → snyk.io |
| 2026-06-08 | TanStack Npm Packages Compromised Inside The Mini Shai Hulud Supply Chain Attack (news, 12 min read, Supply Chain) | Library for analyzing the Mini Shai Hulud supply chain attack that compromised TanStack npm packages. This incident, attributed to TeamPCP, involved hijacking a legitimate release pipeline using a pull_request_target vulnerability and GitHub Actions cache poisoning to exfiltrate OIDC tokens and publish malicious packages with valid SLSA provenance. The attack chain mirrors techniques documented in prior compromises like tj-actions/changed-files and utilizes malicious JavaScript payloads within optional dependencies, executed via npm lifecycle hooks. → snyk.io |
| 2026-06-08 | Fix SCA issues at scale in your terminal with Snyk Remediation Agent in the CLI (intermediate, 6 min read, AI) | Tool for addressing software composition analysis (SCA) vulnerabilities at scale: the Snyk Remediation Agent offers an experimental CLI experience. This agent leverages Snyk's security intelligence, including fix targets, breakability analysis, reachability, and package health, to guide LLMs in generating targeted fixes. Benchmarks show significant improvements in fix rates for SAST and SCA issues compared to using LLMs alone, while reducing token costs. The agent currently supports SCA and is in active development for SAST, Container, and IaC, aiming to provide intelligence-guided, developer-in-the-loop remediation directly from the terminal. → snyk.io |
| 2026-06-08 | Red Hat npm Packages Compromised to Spread a Credential-Stealing Worm (news, 5 min read, Supply Chain) | Writeup on a credential-stealing worm, "Miasma," compromising 32 official @redhat-cloud-services npm packages. This malware, a variant of the open-sourced Mini Shai-Hulud, exploited a compromised GitHub Actions OIDC pipeline, bypassing trusted publishing to inject obfuscated `index.js` payloads via preinstall scripts. It targets AWS, GCP, Azure credentials, GitHub Actions secrets, SSH keys, and other sensitive tokens, mirroring prior attacks on Mistral, TanStack, and Bitwarden. → aikido.dev |
| 2026-06-08 2026 | Initial Access Changed, The Attack Path Did Not: Findings From The Verizon 2026 DBIR news 9 min read AuthN Supply Chain | Survey of findings from the Verizon 2026 DBIR highlighting that exploited vulnerabilities and credential abuse remain primary initial access vectors, with credential abuse a persistent factor throughout breach progression. Modern software delivery's reliance on non-human access via API keys, tokens, and cloud credentials creates extensive trust paths vulnerable to compromise, as exemplified by the Salesloft Drift and Salesforce breach. Stolen credentials function as reusable attacker assets, facilitating ransomware attacks and enabling lateral movement, underscoring the critical need for comprehensive secret scanning and credential governance within DevSecOps workflows. → blog.gitguardian.com |
| 2026-06-08 2026 | Top 16 Secrets Management Tools and Platforms for 2026 (Compared) beginner 19 min read | Library comparing 16 secrets management tools including CyberArk Conjur, HashiCorp Vault, Akeyless, Doppler, and 1Password Secrets Automation. It covers elements like automated secrets rotation, role-scoped access, and integrations with systems like GitHub Actions, Azure DevOps, and Kubernetes through tools like External Secrets Operator. The library highlights key considerations for choosing a tool based on cloud environment, open-source priorities, and AI agent support, noting the increasing prevalence of exposed secrets in public GitHub commits and internal repositories. → blog.gitguardian.com |
| 2026-06-08 2026 | Four Credential-Harvesting Campaigns Hit Open Source Ecosystems in Two Weeks news 3 min read Supply Chain | Analysis of four credential-harvesting campaigns—Megalodon, Laravel-Lang, TrapDoor, and Miasma—that recently targeted open-source ecosystems. These campaigns collectively compromised thousands of repositories, packages, and versions across GitHub, npm, PyPI, Crates.io, and Composer. Attack vectors included backdooring workflows, rewriting Git tags, poisoning package installations with postinstall hooks, and abusing GitHub OIDC for trusted publishing. The primary objective was to exfiltrate secrets such as CI secrets, cloud credentials, SSH keys, and browser passwords from developer environments and CI/CD pipelines, often by disguising malicious activity as legitimate updates or using techniques like injecting into AI coding assistants. → blog.gitguardian.com |
| 2026-06-08 2026 | How to scan for vulnerabilities with GitHub Security Lab’s open source AI-powered framework beginner 22 min read AI AuthZ | Framework for AI-powered vulnerability scanning that utilizes taskflows to identify high-impact web security vulnerabilities. This open-source tool, requiring a GitHub Copilot license, breaks down repositories into components, performs threat modeling, and then audits suggested vulnerabilities with rigorous criteria, reducing hallucinations and false positives. It has successfully reported over 80 vulnerabilities, including authorization bypasses and information disclosures, such as accessing personally identifiable information (PII) or unauthorized logins. → github.blog |
| 2026-06-08 2026 | We hardened zizmor's GitHub Actions static analyzer news 4 min read Supply Chain | Writeup on hardening zizmor, a static analyzer for GitHub Actions misconfigurations. This effort addressed YAML anchor support, fixed parsing bugs, surfaced deserialization edge cases, and aligned the expression evaluator with GitHub's Known Answer Tests. The work was validated against a corpus of 41,253 workflows from 6,612 repositories, leading to significant improvements in zizmor's robustness and the ability to analyze workflows previously unparseable due to YAML anchors and other complex constructs. → blog.trailofbits.com |
| 2026-05-19 2026 | How We Got a CISA GitHub Leak Taken Down in Under a Day intermediate 2 min read | Writeup detailing a CISA GitHub leak containing CI/CD logs, Kubernetes manifests, Terraform code, and AWS secrets discovered in the "Private-CISA" repository. The leak, which persisted for months before detection by GitGuardian, highlights risks from plain-text passwords, Git-committed backups, and exposed GitHub tokens. It emphasizes the importance of diligent secret management and comprehensive exposure monitoring to prevent similar incidents. → blog.gitguardian.com |
| 2026-05-19 2026 | CISA Admin Leaked AWS GovCloud Keys on Github news 4 min read | Writeup of a CISA contractor's GitHub leak exposing AWS GovCloud keys, plaintext passwords for internal systems like "LZ-DSO", and Artifactory credentials. The leak, discovered by GitGuardian and validated by Seralys, highlighted poor security hygiene including disabling GitHub's secrets detection, storing passwords in plain text, and using easily guessable passwords. This incident represents a significant government data leak, potentially allowing attackers lateral movement and backdoor insertion into software packages. |
| 2026-05-08 2026 | How to mitigate secrets risk and prevent future breaches intermediate 9 min read | Library for detecting and managing secrets risk in code. It details how leaks of credentials, tokens, and signing keys in open source and proprietary repositories are a growing concern, with millions exposed on platforms like GitHub and npm. The library aids in situational awareness by identifying exposed secrets, understanding their purpose, and assessing their potential impact. It emphasizes investing in advanced tooling to filter false positives and prioritize active tokens, alongside evolving development practices to mitigate risks from the design stage forward, ultimately aiming to prevent future breaches. → reversinglabs.com |
| 2026-05-06 2026 | Secrets security: The why the how and what to do about it beginner 5 min read | Report detailing the epidemic of secrets exposed in software repositories, explaining how attackers exploit exposed environment variables, tokens, and keys on platforms like PyPI, npm, and GitHub, and offering guidance on mitigation strategies. It highlights the speed at which attackers find these secrets, often within seconds, and the long discovery times for security teams, referencing examples of exposed AWS credentials and discussions of defense-in-depth approaches to software supply chain security. → reversinglabs.com |
| 2026-05-05 2026 | Secrets leaks increase and expand beyond the codebase news 6 min read | Library for detecting secrets leaks, focusing on increased risks beyond codebases in collaboration and project management tools like Slack, Jira, and Confluence. It highlights that secrets found in these platforms are often more critical and harder to detect than those in source code, as these tools typically lack integrated scanning capabilities. The library aims to address this gap by providing solutions for monitoring these unstructured data streams, acknowledging that traditional scanning methods optimized for code repositories are insufficient. → reversinglabs.com |
| 2026-05-04 2026 | Local Guardrails for Secrets Security in the Age of AI Coding Assistants beginner 9 min read AI Supply Chain | Overview of ggshield, a tool for local secrets security scanning that enables developers to detect and prevent accidental credential exposure directly within their workflows. It addresses the shifting attack surface towards developer workstations, encompassing AI coding assistants, local caches, and environment files. The tool scans project workspaces, dotfiles, build output, and agent folders to catch sensitive data before it propagates to repositories or pipelines, mitigating risks like those seen in npm, PyPI, and Docker Hub campaigns. → blog.gitguardian.com |
| 2026-05-02 2026 | Cursor AI Flaw Lets Hackers Steal API Keys and Run Code Silently news 4 min read API Sec RCE | Report on critical vulnerabilities in Cursor AI: extensions can steal API keys and session tokens from an unencrypted SQLite database, and CVE-2026-26268 allows silent code execution via Git hooks and AI agent interactions. Researchers from LayerX and Novee discovered these flaws, emphasizing risks of financial loss, code exposure, and unauthorized access to cloud systems due to inadequate extension isolation and insecure credential storage, leaving developers at ongoing risk without a full architectural fix. → sqmagazine.co.uk |
| 2026-05-02 2026 | Shai-Hulud Hits SAP: Stolen Credentials Found in 1200 GitHub Repos news 5 min read Supply Chain | Writeup on a variant of the Shai-Hulud worm that targets SAP npm packages, exfiltrating developer credentials, tokens, and cloud configurations across packages with over 2.2 million monthly downloads. The malware silently uploads this sensitive data, encrypted via AES-256-GCM and RSA-OAEP, to over 1,200 public GitHub repositories. Affected users are advised to immediately rotate keys, enforce two-factor authentication, upgrade packages, and treat compromised machines as fully breached. → ox.security |
| 2026-05-01 2026 | New software supply chain attack uses sleeper packages for credential theft and CI tampering news Supply Chain | Report on sleeper packages in software supply chains that steal credentials, tamper with GitHub Actions, and establish SSH persistence. These malicious Ruby gems and Go modules, observed in campaigns attributed to "BufferZoneCorp," operate through init functions, manipulate environment variables, and place fake executables in cache directories to intercept commands and exfiltrate sensitive data like SSH keys and configuration secrets to attacker-controlled endpoints. → scworld.com |
| 2026-05-01 2026 | Supply chain attack against SAP npm packages facilitates credential theft news Supply Chain | Report on a supply chain attack targeting SAP npm packages, including compromised versions like @cap-js/db-service, @cap-js/postgres, and @cap-js/sqlite. The attack, noted by Aikido Security and others, involved a pre-install script exfiltrating developer credentials, GitHub and npm tokens, cloud secrets, and Kubernetes secrets, encrypted via AES-256-GCM. The payload also auto-commits to accessible GitHub repositories. → scworld.com |
| 2026-04-29 2026 | Supply Chain Campaign Targets SAP npm Packages with Credential-Stealing Malware news 3 min read Supply Chain | Writeup on a campaign that plants malicious preinstall scripts in SAP-related npm packages, such as `@cap-js/sqlite` and `@cap-js/postgres`, to steal developer and CI/CD secrets. The "Mini Shai Hulud" campaign, attributed to TeamPCP, uses a multi-stage payload to harvest credentials from GitHub, npm, and cloud providers, exfiltrating data via GitHub repositories. It also features browser credential theft and propagation logic. → wiz.io |
| 2026-04-28 2026 | FIRESIDE CHAT: Leaked secrets are now the go-to attack vector and AI is accelerating exposures news 3 min read AI | Survey of escalating leaked secrets as attack vectors, exacerbated by AI. GitGuardian reports a 34% year-over-year jump in exposed credentials in 2025, with AI infrastructure driving the fastest-growing categories, including OpenRouter and DeepSeek API keys. The rise of AI-assisted coding, where commits co-signed by AI show significantly higher secret exposure rates, necessitates a governance-first approach to remediate this growing threat. → securityboulevard.com |
| 2026-04-28 2026 | ClickUp is leaking customer data via hardcoded API key researcher claims news API Sec | A researcher claims ClickUp is leaking customer data due to a hardcoded API key. This vulnerability could expose sensitive information. The article does not mention any specific bug bounty payout amount. → cybernews.com |
| 2026-04-28 2026 | ClickUp Hardcoded API Key Exposes 959 Emails from Fortune 500 Giants news 2 min read API Sec | Writeup detailing a ClickUp hardcoded Split.io SDK token that exposed 959 email addresses from Fortune 500 companies and government organizations. The incident highlights a failure in storing API keys client-side, allowing easy harvesting. Furthermore, a Server-Side Request Forgery (SSRF) vulnerability within ClickUp's webhook functionality was demonstrated, enabling attackers to steal AWS IAM credentials by targeting the metadata service, potentially leading to full infrastructure compromise. → cyberpress.org |
| 2026-04-28 2026 | An open-source package with over 1 million monthly downloads has a vulnerability that has been exploited to distribute malware-infected versions and steal user credentials. news 2 min read Supply Chain | Writeup of a supply chain attack on Elementary Open Source Python CLI v0.23.3, an open-source package with over one million monthly downloads. An attacker exploited a vulnerability in a developer account to distribute a malware-infected version, leading to the theft of user credentials, API tokens, and SSH keys. The affected version was quickly removed, and the developers recommend immediate uninstallation, cache clearing, credential rotation, and security team contact for affected users. → gigazine.net |
| 2026-04-27 2026 | Claude Code is leaking API keys into public package registries news 5 min read Supply Chain | Writeup on Claude Code API token leak, detailing how the AI assistant caches approved terminal commands containing sensitive credentials in `.claude/settings.local.json`. This hidden file, if not excluded from package builds, can expose API keys to public registries like npm. The vulnerability impacts various packaging ecosystems and bypasses traditional secret scanning tools, necessitating manual exclusion from `.npmignore` and `.gitignore`, or automated pipeline checks for enterprises. |
| 2026-04-22 2026 | UNC6426 Exploits nx npm Supply-Chain Attack to Gain AWS Admin Access in 72 Hours news 3 min read | Writeup of UNC6426's nx npm supply-chain attack, detailing how a compromised GitHub token and an overly permissive AWS OIDC trust were exploited to gain full AWS administrator access within 72 hours. The attack involved leveraging the `nx` package, the `pull_request_target` vulnerability, and the QUIETVAULT credential stealer, with reconnaissance aided by the Nord Stream tool. Recommendations include sandboxing package managers, applying least privilege to CI/CD roles, and enforcing fine-grained PATs. → thehackernews.com |
| 2026-04-22 2026 | The State of Non-Human Identity Security (CSA Survey Report) beginner 1 min read | Survey report detailing the state of non-human identity (NHI) security, including bots, API keys, and service accounts. It reveals that only 15% of organizations are highly confident in preventing NHI attacks, with major pain points in managing service accounts, auditing, and access management. The report highlights that 20% of organizations have formal processes for API key offboarding, and many use tools not purpose-built for NHIs, though investment in NHI security capabilities is increasing. |
| 2026-04-22 2026 | Secrets Management in 2026: Vault, AWS Secrets Manager, and Beyond beginner 4 min read | Library for understanding 2026 secrets management trends, comparing HashiCorp Vault, AWS Secrets Manager, Doppler, and Infisical. It highlights the shift from static to dynamic secrets, the importance of identity-based access, and the role of Kubernetes operators like External Secrets Operator. The library guides selection based on factors like multi-cloud needs, AWS dependency, developer experience priorities, and self-hosting requirements. |
| 2026-04-22 2026 | GitHub Secret Scanning 2026: New Patterns, Push Protection beginner 10 min read | Overview of GitHub Secret Protection, which offers enhanced detection of leaked secrets with 28 new patterns across 15 providers, expanded push protection for 39 token types, and AI-powered generic password detection via Copilot. Available to GitHub Team plan customers at $19 per month per active committer, it includes validity checks and improved API visibility. This solution aims to prevent credential-related breaches, which cost an average of $4.88 million, by blocking pushes of sensitive information like Supabase service keys and Vercel API tokens before they reach repositories. |
| 2026-04-22 2026 | Top 10 Non-Human Identity Security Tools and Platforms for 2026 beginner 16 min read | Library for detecting and preventing non-human identity (NHI) security risks, specifically addressing hardcoded API keys, overprivileged service accounts, stale OAuth tokens, and misconfigured workload identities. It offers comprehensive discovery, exposure detection across git history and CI/CD pipelines, lifecycle management, authorization and least privilege enforcement, and governance features to aid compliance with standards like SOC 2 and ISO 27001. This tool targets large DevSecOps organizations to secure complex, multi-cloud, and ephemeral workloads. → blog.gitguardian.com |
| 2026-04-22 2026 | CVE-2026-5807: HashiCorp Vault DoS via Unauthenticated Root Token Generation news | Advisory on CVE-2026-5807 detailing a denial-of-service vulnerability in HashiCorp Vault. Unauthenticated attackers can exploit this by repeatedly initiating or canceling root token generation or rekey operations, preventing legitimate users from accessing these critical functions. This flaw is resolved in Vault Community Edition 2.0.0 and Vault Enterprise 2.0.0. GitLab Dependency Scanning can detect and mitigate this specific vulnerability. → advisories.gitlab.com |
| 2026-04-22 2026 | CVE-2026-3605: HashiCorp Vault KVv2 Metadata Policy Bypass (DoS) news | Advisory for CVE-2026-3605 details a HashiCorp Vault KVv2 metadata policy bypass vulnerability. Authenticated users with specific glob policies can delete secrets outside their authorized scope, leading to a denial-of-service condition. The vulnerability does not permit cross-namespace deletion or unauthorized data reading. Patches are available in Vault Community Edition 2.0.0, Vault Enterprise 2.0.0, 1.21.5, 1.20.10, and 1.19.16. → advisories.gitlab.com |
| 2026-04-22 2026 | AI Is Fueling Secrets Sprawl: GitGuardian Reports 81% Surge of AI-Service Leaks news 3 min read | Report detailing GitGuardian's findings on secrets sprawl, highlighting an 81% surge in AI-service leaks and a 34% YoY increase in newly leaked secrets on GitHub due to AI adoption. The analysis covers increased risk from AI-assisted commits, emerging MCP configuration risks, expanded attack surfaces via collaboration tools and developer machines, and challenges in prioritizing and remediating long-lived secrets, underscoring the need for dedicated Non-Human Identity governance. → blog.gitguardian.com |
| 2026-04-22 2026 | HCSEC-2026-08: Vault DoS via Unauthenticated Root Token Generation news 1 min read | Bulletin detailing CVE-2026-5807, a denial-of-service vulnerability in HashiCorp Vault Community and Enterprise editions up to v1.21.4. Unauthenticated attackers can exploit the `sys/rekey`, `sys/generate-root`, and `sys/rekey-recovery-key` endpoints to repeatedly initiate or cancel root token generation or rekey operations, locking out legitimate users. This issue is resolved in Vault 2.0.0. |
| 2026-04-22 2026 | HCSEC-2026-05: Vault KVv2 Metadata Policy Bypass DoS news 1 min read | Writeup of CVE-2026-3605, a denial-of-service vulnerability in HashiCorp Vault KVv2. An authenticated user with specific policy configurations could delete secrets they weren't authorized for, leading to potential service disruption. This issue affected versions up to 1.21.4 and was fixed in Vault Community Edition 2.0.0 and various Vault Enterprise versions. |
| 2026-04-19 2026 | Compromised IAM Credentials Power Large AWS Crypto Mining Campaign news 3 min read | Analysis of an AWS crypto mining campaign details how attackers use compromised IAM credentials, including admin-like privileges, to gain access. The multi-stage attack involves credential validation via `RunInstances` with `DryRun`, role creation for ECS and Lambda, and deployment of malicious Docker images like `yenik65958/secret:user`. Persistence is achieved using `ModifyInstanceAttribute` to disable API termination and by creating Lambda functions. This campaign highlights the sophisticated use of AWS services for illicit cryptocurrency mining and the importance of strong IAM controls, temporary credentials, MFA, and least privilege. → thehackernews.com |
| 2026-04-19 2026 | Pre-Commit Hooks for Secret Detection: Setup in 10 Minutes intermediate 7 min read | Library for implementing pre-commit hooks to prevent secrets from entering Git history. It details the setup process for tools like gitleaks, detect-secrets, and TruffleHog, offering solutions for immediate detection and blocking of credential leaks. The library emphasizes catching secrets at the cheapest point in the lifecycle, preventing the need for costly history rewrites and incident response by integrating these tools seamlessly into the Git commit workflow. |
| 2026-04-19 2026 | Understanding Your Organization's Exposure to Secret Leaks — GitHub beginner 4 min read | Library for assessing an organization's exposure to secret leaks, highlighting that over 39 million secrets were detected on GitHub in 2024 alone. This resource details how secrets like API keys and passwords are leaked through repository commits or misconfigurations, referencing the $4.88 million average cost of credential compromise breaches and the 2022 LastPass breach. It provides methods for quantifying risk, including inventory audits and benchmarking against OWASP ASVS and NIST guidelines, and mentions GitHub's secret risk assessment tool for enterprise customers. |
| 2026-04-19 2026 | Exposed Developer Secrets Surge: AI Drives 34% Increase in 2025 news 5 min read | Report detailing a 34% surge in exposed developer secrets during 2025, fueled by AI-assisted coding and expanded use of tools like Claude Code. GitGuardian's analysis highlights significant increases in leaked AI service credentials, including DeepSeek API keys, and identifies internal repositories as a six-fold greater risk. The report also notes that 28% of exposures occur outside code in platforms like Slack and Jira, with 64% of discovered secrets remaining unrevoked. |
| 2026-04-19 2026 | GitHub Found 39M Secret Leaks in 2024 — The GitHub Blog news 5 min read | Overview of GitHub Advanced Security, featuring Secret Protection and Code Security, which addresses the pervasive issue of exposed secrets that led to 39 million leaks on GitHub in 2024. It emphasizes built-in push protection for public repositories and introduces affordable standalone products and a free point-in-time scan for organizations to identify and manage secret exposures effectively, partnering with vendors like AWS and Google Cloud Platform to enhance detection accuracy. → github.blog |
| 2026-04-18 2026 | Product showcase: Stop secrets from leaking through AI coding tools with GitGuardian beginner 4 min read | Library extending ggshield with hook-based secret scanning for AI coding tools like Cursor and GitHub Copilot. This solution detects secrets in prompts and AI agent actions before they are sent to models or executed, providing real-time, preventive control for organizations to mitigate sensitive data exposure in AI workflows, addressing a critical blind spot in current security programs and complementing existing repository and CI pipeline scanning efforts. → helpnetsecurity.com |
| 2026-04-17 2026 | Non-human identities: What they are and how to secure them (Netwrix) beginner 11 min read | Guide to non-human identities (NHIs) and their security, detailing service accounts, API keys, managed identities, OAuth tokens, and cloud workload identities. The article highlights how these entities, lacking human oversight, MFA, and clear ownership, pose significant security risks, contributing to account compromises. It discusses authentication methods like token-based, key-based, certificate-based, and workload identity federation, emphasizing the absence of MFA as a critical vulnerability. Best practices, such as migrating to gMSAs for service accounts and addressing challenges with vendor-managed NHIs and token lifespans, are also covered, referencing the Netwrix 2025 Cybersecurity Trends Report. |
| 2026-04-17 2026 | What Are Non-Human Identities? Complete NHI Security Guide 2025 beginner 14 min read | Guide to Non-Human Identities (NHIs) covering their distinction from human accounts, their proliferation in modern organizations, and the five core characteristics that define them: built for automation, identity encoded in names, purpose-built design, operating in networks, and persistence without oversight. It details common NHI types including service accounts, API keys and tokens, machine identities and certificates, bots and automated agents, and application identities, emphasizing their critical role in security due to high privileges and continuous operation. |
| 2026-04-17 2026 | TruffleHog: Deep Dive on Secret Management (Jit) intermediate 7 min read | Library for detecting hardcoded secrets in code. TruffleHog uses hundreds of patterns and strings to identify exposed credentials for services like AWS, GCP, and Azure, and integrates with tools like Slack and Stripe. It offers automation via pre-commit hooks and GitHub Actions, remote scanning capabilities, customizable rules, and secret verification by making API calls. The library also assists in remediating exposed secrets by providing guidance on rotating credentials and cleaning Git history using tools like BFG Repo-Cleaner. |
| 2026-04-17 2026 | TruffleHog Open Source v3 vs GitGuardian beginner 3 min read | Library comparing TruffleHog Open Source v3 and GitGuardian's code security platform for secrets detection. TruffleHog is a CLI tool for finding hardcoded secrets in repositories, while GitGuardian offers an integrated platform with automated detection, Honeytoken capabilities, alerting, incident prioritization, and remediation workflows across various version control systems. GitGuardian aims to reduce false positives through its detection engine and provides enhanced collaboration, enterprise-grade features, and dedicated support, contrasting with TruffleHog's open-source limitations in scalability and built-in functionality. |
| 2026-04-17 2026 | git-secret-scanner: Find secrets with TruffleHog & Gitleaks beginner 2 min read | Tool for finding secrets in Git organizations and groups, combining TruffleHog's classification strengths with Gitleaks' broader detection capabilities. It supports GitHub and GitLab, utilizes specific tokens with required scopes, and offers features for ignoring secrets via annotations or fingerprint files, as well as baseline scanning to detect new secrets. |
| 2026-04-17 2026 | Gitleaks vs TruffleHog 2026 Benchmarks (AppSec Santa) beginner 8 min read | Library for open-source secret scanning, comparing Gitleaks and TruffleHog. Gitleaks excels as a fast, pre-commit hook using regex for rapid detection within git repositories. TruffleHog offers deeper scanning across git, S3 buckets, Docker images, and Slack, featuring credential verification to confirm active leaks, making it suitable for CI/CD pipelines. Most teams utilize both tools for comprehensive secret protection. → appsecsanta.com |
| 2026-04-17 2026 | Rafter: detect-secrets vs gitleaks vs TruffleHog beginner 9 min read | Library comparing `detect-secrets`, `git-secrets`, `gitleaks`, and `TruffleHog` for detecting leaked secrets. `git-secrets` is basic and AWS-focused. `detect-secrets` uses plugins and a baseline for brownfield repos, but has a higher false positive rate. `gitleaks` offers broad built-in coverage and fast scanning with 150+ rules. `TruffleHog` distinguishes itself by verifying found secrets via API calls, significantly reducing false positives by confirming active credentials. |
| 2026-04-17 2026 | SEC02-BP03 Store and use secrets securely (AWS Well-Architected) beginner 5 min read | Reference detailing AWS best practices for managing application secrets, emphasizing credential removal, replacement with short-term alternatives (like IAM roles), and secure storage and rotation of remaining long-term secrets using AWS Secrets Manager. It highlights benefits such as encrypted storage, audited access, and on-demand secret distribution, while warning against common anti-patterns like embedding credentials in source code or configuration files. The document also mentions tools like Amazon CodeGuru for identifying hard-coded secrets and Lambda extensions for serverless secret retrieval. |
| 2026-04-17 2026 | AWS Secrets Manager: Secure Credential Storage & Best Practices beginner 10 min read | Library for securely storing and managing sensitive data like database passwords, API keys, and OAuth tokens within AWS. It offers automatic credential rotation, fine-grained access control via AWS IAM, integration with AWS CloudTrail for monitoring, and allows applications to retrieve secrets at runtime using AWS SDKs, reducing the risk of hard-coded credentials in code, CI/CD pipelines, or Kubernetes manifests. |
| 2026-04-17 2026 | Practical steps to minimize key exposure using AWS Security (AWS) intermediate 13 min read | Guide to minimizing AWS key exposure, detailing practical steps for detecting exposed and unused access keys using Amazon Q Developer and AWS IAM Access Analyzer. It emphasizes implementing preventive guardrails with Service Control Policies (SCPs) and Resource Control Policies (RCPs) to establish data perimeters and restrict credential usage to expected networks. The guide also touches upon using AWS WAF and Amazon Inspector for network-level controls and automated secret rotation for ongoing security hygiene, addressing common threat actor entry points via compromised long-term credentials. → aws.amazon.com |
| 2026-04-17 2026 | AWS API Keys / Secrets / Tokens Exposure Remediation intermediate 2 min read | Guide to remediating exposed AWS API keys, secrets, and tokens, emphasizing PCI-DSS compliance. The guide details using Cyera DSPM for AI-powered discovery across EC2, Lambda, and code repositories, followed by step-by-step remediation including disabling compromised keys, updating applications, and migrating secrets to AWS Secrets Manager or Systems Manager Parameter Store. It also covers long-term prevention through automated rotation, IAM roles, and least-privilege policies. |
| 2026-04-17 2026 | Integrating HashiCorp Vault with Kubernetes for Secrets Mgmt intermediate 8 min read | Library for integrating HashiCorp Vault with Kubernetes for secure secrets management. This resource details deploying Vault using Helm in a Kubernetes cluster, enabling the Kubernetes authentication method, and configuring Vault to communicate with the Kubernetes API. It covers creating roles that map Kubernetes service accounts to Vault policies, enabling the Key/Value (kv) secrets engine, and storing secrets like database passwords. The integration leverages Vault's encryption at rest, dynamic secrets generation, and fine-grained access control to overcome limitations of native Kubernetes secrets. |
| 2026-04-17 2026 | HashiCorp Vault Kubernetes: The Definitive Guide (Plural) beginner 24 min read | Guide to integrating HashiCorp Vault with Kubernetes, focusing on replacing static secrets with dynamic, short-lived credentials for databases and PKI. It covers automating secret injection into pods using the Vault Agent Injector or Secrets Operator, and centralizing security policy and configuration. The guide highlights how Vault's dynamic secrets and centralized auditing significantly enhance security compared to native Kubernetes Secrets, with platforms like Plural aiding consistent deployment across fleets. |
| 2026-04-17 2026 | A Hands-On Guide to Vault in Kubernetes beginner | A Hands-On Guide to Vault in Kubernetes |
| 2026-04-17 2026 | Securing Kubernetes Secrets with HashiCorp Vault (InfraCloud) intermediate 13 min read | Guide to securing Kubernetes secrets with HashiCorp Vault, detailing how to configure Vault for high availability and implement automatic unsealing using Azure Key Vault. It covers creating Azure services like Key Vault and App Registration, then demonstrates deploying Vault with its Helm chart, specifying Azure Key Vault integration for unsealing and Raft for storage. The setup aims to overcome the limitations of Kubernetes native secrets by providing a centralized and robust secret management system. |
| 2026-04-17 2026 | Manage Kubernetes native secrets with Vault Secrets Operator intermediate 12 min read | Library for managing Kubernetes native secrets with HashiCorp Vault. The Vault Secrets Operator (VSO) acts as a Kubernetes operator, syncing secrets between Vault and Kubernetes native secrets in specified namespaces. It supports kv-v1 and kv-v2, TLS certificates via PKI, and static and dynamic secrets. The tutorial demonstrates installation of Vault and VSO using Helm on minikube, configuring Kubernetes authentication, KV secrets engine, and a role for accessing a static secret. |
| 2026-04-17 2026 | Secret detection (GitLab Docs) beginner 2 min read | Library for detecting and preventing secrets in Git repositories. It offers "secret push protection" to block commits containing secrets, "pipeline secret detection" that scans branches within CI/CD, and "client-side secret detection" for issues and merge request comments. GitLab can automatically revoke exposed secrets and provides vulnerability reports for remediation. The "GitLab Duo" feature helps reduce false positives by analyzing findings. |
| 2026-04-17 2026 | Find secrets with GitHub secret risk assessment beginner 1 min read | Tool for scanning GitHub organizations for secret leaks, providing insights into public exposures, private exposures, and token types. Available on GitHub Team and Enterprise plans starting April 1, 2025, this assessment helps identify affected repositories and the number of secrets leaked per type, offering a clear view of an organization's secret footprint without storing or sharing specific secrets. → github.blog |
| 2026-04-17 2026 | About secret scanning (GitHub Docs) beginner 3 min read | Library for automatically detecting credential leaks like API keys and passwords committed to repositories. It scans Git history, issue and pull request descriptions, wikis, and gists for exposed secrets. The library generates alerts upon detection, allowing for immediate credential rotation. It supports expanding detection with non-provider and custom patterns, and includes validity checks to prioritize remediation. GitHub also partners with service providers to notify them of detected partner secrets, and offers AI-powered scanning via Copilot. |
| 2026-04-16 2026 | Do Not Use Secrets in Environment Variables beginner 22 min read | Reference detailing why secrets should not be stored in environment variables, explaining risks like poor management, difficulty in rotation and auditing, lack of encryption, and leaks through frontend/backend blurring in frameworks like Next.js and Nuxt, as well as `.env` files and Docker images. It highlights the ease of access via `/proc/PID/environ` and the exposure in process lists, proposing better secrets management solutions. |
| 2026-04-16 2026 | Environment Variables Don't Keep Secrets beginner 5 min read | Library offering guidance on secure secrets management, highlighting risks of using environment variables for sensitive data like API keys and database credentials. It contrasts this with more secure alternatives such as memory-backed volumes and secrets files, referencing best practices from the CNCF Cloud Native Security Whitepaper and OWASP, including their Secrets Management and Kubernetes Cheat Sheets. The library also details methods for mitigating risks when environment variables are unavoidable, such as using secrets managers like CyberArk Conjur and injection tools like CyberArk Summon. |
| 2026-04-16 2026 | From .env to Leakage: Mishandling of Secrets by Coding Agents intermediate 4 min read | Writeup detailing secret leakage risks from AI coding assistants, specifically highlighting Claude Code's automatic loading of .env files and potential for API key exposure. The analysis includes a customer incident with Cursor uploading an API key and the CEO's Claude Code committing a Gemini API key to GitHub. Public incidents involving MCP-related data exfiltration via WhatsApp and supply chain attacks are also discussed, emphasizing the need to assume all data is accessible to these agents. |
| 2026-04-16 2026 | Secret Detection in Application Security beginner 7 min read | Library for detecting secrets in application security, addressing the high false positive rates of traditional regex-based scanners and the blind spots in their coverage. It emphasizes pairing secret detection with context, such as ownership, deployment location, and activity status, to enable effective prioritization and remediation. The library explores root causes of secret leaks, including cognitive load, complex pipelines, containerization, shadow IT, and the limitations of pattern matching, while highlighting the need for scalable prevention strategies and governance models. |
| 2026-04-16 2026 | 29 Million Leaked Secrets: How AI Coding Tools Are Making It Worse news 5 min read | Library for securing AI agents by treating them as governed non-human identities, focusing on credential management. It addresses the 28.6 million secrets leaked in 2025, a 34% increase, driven by AI-assisted commits and multi-provider integrations across services like OpenRouter and Hugging Face. The library advocates for scoped permissions, short-lived credentials (like OAuth 2.1), event-driven rotation, and robust revocation capabilities, contrasting with insecure practices seen in Model Context Protocol configurations. → helpnetsecurity.com |
| 2026-04-16 2026 | The State of Secrets Sprawl 2026 - GitGuardian Annual Report news 3 min read | Report analyzing the state of secrets sprawl in 2026, highlighting the acceleration of credential leaks driven by mainstream AI adoption. It reveals secrets are leaking 1.6x faster than developer growth, with AI-assisted commits showing significantly higher leak rates. The report details exposures beyond code repositories, impacting CI/CD runners and collaboration tools, and identifies exposed AI service secrets as a rapidly growing threat category. It also notes the prevalence of long-lived, unvalidated secrets and the challenges in remediation. |
| 2026-04-15 2026 | News alert: GitGuardian study shows AI coding tools double leak rates as 29M credentials hit GitHub news 4 min read | Analysis of GitGuardian's 5th "State of Secrets Sprawl" report reveals AI coding tools doubled secret leak rates in 2025, contributing to 29 million credentials detected on GitHub. Leaks associated with AI services increased 81% YoY, while MCP configuration risks and widespread secrets sprawl across collaboration tools and developer machines expanded the attack surface. The report highlights that 64% of valid secrets from 2022 remain unrevoked, underscoring critical gaps in governance and remediation for non-human identities. → securityboulevard.com |
| 2026-04-11 2026 | Terraform Secrets Management Best Practices beginner 9 min read | Library for managing secrets within Terraform configurations. It highlights best practices such as avoiding hard-coded secrets, leveraging secrets managers like AWS Secrets Manager, and utilizing the `sensitive` flag for outputs. The library also details how Terraform states and plans can expose sensitive data and introduces ephemeral resources as a mechanism to fetch secrets without persisting them in the state file. → blog.gitguardian.com |
| 2026-04-11 2026 | AWS IAM Roles Anywhere Workload Identities intermediate 1 min read | Guide to AWS IAM Roles Anywhere workload identity mapping, explaining how certificates with Subject (CN, FQDN, hostname) or SPIFFE identities are used to obtain temporary credentials. It details how certificate fields like Subject, Issuer, and Subject Alternative Name (SAN) are extracted and mapped to PrincipalTags (e.g., `aws:PrincipalTag/x509Subject/CN`, `aws:PrincipalTag/x509Issuer/O`, `aws:PrincipalTag/x509SAN/DNS`) for use in resource policies, allowing direct identity association with compute instances. |
| 2026-04-11 2026 | External Secrets Operator: Introduction beginner | External Secrets Operator: Introduction |
| 2026-04-11 2026 | Google Cloud SIEM Service Account Token Leak news 2 min read | Writeup of a Google Security Operations vulnerability (TRA-2025-52) allowing SIEM tenant service account token leakage. Manipulation of the API root parameter in custom integrations forced job execution through a code path that exposed the highly privileged cloud-platform scoped service account access token to an attacker-controlled server. This enabled privilege escalation and unauthorized actions within the Google Cloud project. → tenable.com |
| 2026-04-11 2026 | Secret Rotation: How It Works beginner 10 min read | Library detailing automatic secret rotation, explaining its importance in reducing vulnerability to compromised credentials and insider threats. It covers rotation conditions, revocation, new secret generation and validation, application across systems like Kubernetes, and types of secrets such as passwords, API keys, SSH keys, and encryption keys. The library also discusses challenges in large-scale implementation and highlights secret management solutions like HashiCorp Vault and StrongDM for automated rotation. |
| 2026-04-11 2026 | Secret Auto Rotation with Secrets Store CSI Driver intermediate 3 min read | Library for automatic secret rotation within Kubernetes pods, enhancing security by periodically updating mounted secrets and Kubernetes Secrets when changes occur in external stores. This feature leverages the CSI RequiresRepublish mechanism and the `--enable-secret-rotation=true` flag for the Secrets Store CSI Driver, removing the need for privileged RBAC permissions. The driver supports applications reading secrets from mounted volumes or container filesystems, with pods needing restarts or tools like Reloader for environment variable updates. This alpha feature, configurable via Helm or command-line flags, relies on providers implementing a gRPC server for communication. |
| 2026-04-11 2026 | Secretless GitHub Actions to AWS via OIDC intermediate 7 min read | Reference detailing secretless connections from GitHub Actions to AWS via OpenID Connect (OIDC). This guide explains how to configure GitHub Actions to generate OIDC JWTs, which can then be used to establish trust relationships with AWS IAM roles. It covers creating an OIDC provider in AWS, setting up trust policies with conditions like `StringEquals` on `token.actions.githubusercontent.com:sub` and `token.actions.githubusercontent.com:aud`, and granting necessary permissions. The article provides examples using AWS CDK and Terraform for infrastructure setup, alongside a sample GitHub workflow leveraging the `aws-actions/configure-aws-credentials` action. |
| 2026-04-11 2026 | OIDC Security Hardening for GitHub Actions intermediate 5 min read | Reference for hardening GitHub Actions security using OpenID Connect (OIDC). This guide details how workflows can leverage OIDC to obtain short-lived access tokens from cloud providers like AWS, Azure, GCP, and HashiCorp Vault, eliminating the need for long-lived secrets. It explains configuring OIDC trust, requesting tokens, and using custom repository properties as claims for attribute-based access control, enhancing authentication and authorization management. Dependabot is also covered, demonstrating its ability to use OIDC for private registry authentication. |
| 2026-04-11 2026 | Hardening HashiCorp Vault Best Practices intermediate 9 min read | Reference for hardening HashiCorp Vault in production, detailing techniques like TLS and mTLS configuration, firewall rules, and operational security practices such as using dedicated service accounts, minimal write privileges, disabling core dumps and swap, and implementing least privilege access control. It also covers additional considerations like avoiding root tokens, utilizing short-lived TTLs, robust audit logging with redundancy via file and syslog, and secure handling of credentials, emphasizing regular updates and patches for vulnerability mitigation. |
| 2026-04-11 2026 | HashiCorp Vault Production Hardening Guide intermediate 8 min read | Library providing best practices for hardening HashiCorp Vault production deployments, emphasizing defense in depth. Recommendations include running Vault as an unprivileged user, allowing minimal write privileges, enabling end-to-end TLS with HSTS, disabling swap and core dumps, using single tenancy, firewalling traffic, avoiding root tokens, configuring user lockout, enabling audit device logs, managing log files, disabling shell command history, maintaining frequent upgrades, synchronizing clocks, restricting storage access, avoiding clear-text credentials with platform-specific identity solutions, using the safest TLS algorithms, following plugin best practices, ensuring consistent configuration file merging, applying correct filesystem permissions, and using standard input for Vault secrets. |
| 2026-04-11 2026 | Leaked Env Variables Allow Large-Scale Cloud Extortion news 21 min read | Writeup of a cloud extortion campaign that successfully compromised and ransomed data by leveraging exposed environment variable files (.env). The campaign exploited credentials found in .env files, coupled with long-lived credentials and a lack of least privilege architecture, to gain initial access to victim AWS environments. Attackers utilized Tor, VPNs, and VPS endpoints for reconnaissance, lateral movement, and data exfiltration, targeting services like IAM, STS, S3, and SES. → unit42.paloaltonetworks.com |
| 2026-04-11 2026 | CVE-2025-68429: Storybook .env Secrets Exposure news 1 min read | CVE-2025-68429 is a .env secrets exposure vulnerability in Storybook. Versions prior to 7.6.21, 8.6.15, 9.1.17, and 10.1.10 can inadvertently bundle environment variables from .env files into build artifacts. If a built Storybook is published online, these variables become publicly viewable. Vulnerable projects typically build Storybook in a directory containing a .env file and publish the output. Users should upgrade to a patched version and audit for sensitive secrets in .env files, rotating affected keys and adjusting variable handling by prefixing with STORYBOOK_ or using the env property if necessary. |
| 2026-04-11 2026 | 10K Docker Images Spray Live Cloud Creds news 3 min read | Analysis of 10,456 Docker images reveals over 100 companies, including a Fortune 500 firm and a major bank, inadvertently exposing live cloud credentials and API keys for AI services. Flare's research indicates that secrets are often baked into build contexts and published via informal "shadow IT" accounts, bypassing enterprise monitoring. Even after removal from images, exposed secrets frequently remain active, necessitating the use of secrets management tools and pre-push scanning. → theregister.com |
| 2026-04-11 2026 | 10,000+ Docker Hub Images Leaking Credentials news 2 min read | Analysis of 10,000+ Docker Hub images reveals widespread credential and authentication key leaks affecting over 100 organizations, including a Fortune 500 company and a national bank. Researchers at Flare identified exposed secrets like OpenAI, HuggingFace, and Gemini API keys, GitHub tokens, and database credentials within container images and manifests. Common vulnerabilities stem from `.env` files and hardcoded secrets in application files, impacting cloud environments, CI/CD systems, and Git repositories. While some developers revoked keys within 48 hours, 75% of exposed secrets remained unrevoked, posing ongoing risks. → bleepingcomputer.com |
| 2026-04-11 2026 | Thousands of Secrets Exposed on Docker Hub news 19 min read | Analysis of over 10,000 Docker Hub images revealed leaked production credentials, including AI LLM model keys and cloud environment access tokens, impacting over 100 organizations. This research highlights a shift to "authenticate-in" attacks rather than traditional hacking, exacerbated by shadow IT accounts and insufficient credential rotation after exposure, as seen in incidents like the Shai-Hulud NPM worm and the tj-actions/changed-files GitHub Action compromise. |
| 2026-04-11 2026 | What Happens When You Leak AWS API Keys? beginner | What Happens When You Leak AWS API Keys? |
| 2026-04-11 2026 | CloudKeys in the Air: Exposed IAM Keys Cryptojacking news 16 min read | Analysis of the EleKtra-Leak campaign details automated targeting of exposed AWS IAM keys on GitHub for cryptojacking. Threat actors quickly leverage compromised credentials to launch Amazon EC2 instances for Monero mining. Researchers used a Prisma Cloud HoneyCloud project to monitor this activity, observing hundreds of EC2 instances linked to the operation. The campaign employed automated tools to scan repositories and block identified AWS accounts, with researchers countering by creating randomized, non-attributable AWS accounts with overly-permissive IAM credentials to track actor movements. → unit42.paloaltonetworks.com |
| 2026-04-11 2026 | AWS Customer Security Incidents Repository news | AWS Customer Security Incidents Repository |
| 2026-04-11 2026 | 2,622 Valid Certificates Exposed: Google-GitGuardian Study news 5 min read | Survey of X.509 certificate leaks mapping over 40,000 private keys to TLS certificates, revealing 2,600 valid certificates at risk. The GitGuardian and Google study highlights a critical misunderstanding of private key risks, with many organizations failing to revoke exposed certificates after disclosure campaigns. Techniques used included Certificate Transparency log analysis and OSINT for attribution, uncovering systemic failures in key management and revocation processes across Fortune 500 companies, healthcare providers, and government agencies. → blog.gitguardian.com |
| 2026-04-11 2026 | 8000+ ChatGPT API Keys Exposed on GitHub news 3 min read | Analysis of over 8,000 exposed ChatGPT API keys found on GitHub and live websites highlights a critical security gap in AI integration. Cyble Research and Intelligence Labs discovered thousands of hardcoded keys in public GitHub repositories and nearly 3,000 production websites leaking credentials in client-side JavaScript. These exposures, often due to rapid development practices and treating API keys as configuration values, allow immediate abuse for high-volume inference, phishing, malware development, and billing account draining, underscoring that tokens are the new passwords and current security discipline lags behind AI adoption. → thecyberexpress.com |
| 2026-04-11 2026 | Secret Scanning in CI Pipelines using Gitleaks intermediate 6 min read | Tool for integrating Gitleaks into GitLab CI pipelines for secret scanning. It details setting up a CI job to run Gitleaks against the OWASP Juice Shop application, demonstrating how to detect and prevent secret leaks like API keys, usernames, and secret keys from being committed. The entry also mentions the use of Git hooks as a pre-commit security measure. |
| 2026-04-11 2026 | Add a Local Gitleaks Pre-Commit Hook intermediate 4 min read | Library for a local Gitleaks pre-commit hook that prevents accidental secrets from entering Git history. It utilizes files within `.git/` for a fast, easily removable safety net, supporting custom configurations via `.gitleaks.toml` and optional team-wide enforcement with Lefthook or GitHub Actions. |
| 2026-04-11 2026 | GitHub Comments Leak Live API Keys news 13 min read | Tool update. TruffleHog now scans GitHub issues, pull requests, and comments, revealing thousands of live API keys and passwords accidentally posted by human users. Many leakers have no association with the repository, and edited comments can still expose secrets in their history. Secrets are primarily found in plain text, not code blocks, and repositories with commented secrets often also have secrets within their git history. → trufflesecurity.com |
| 2026-04-11 2026 | Secret Scanning Encoded and Archived Data intermediate 4 min read | TruffleHog, a tool for automated secret scanning, detects sensitive data within various encoded string formats like Base64, UTF-8, UTF-16, and Escaped Unicode. It also supports scanning archived files, including Unix archives, Debian packages, RPM, CPIO, and common formats such as .zip, .tar, and .gz, efficiently uncovering secrets hidden within compressed data. → trufflesecurity.com |
| 2026-04-11 2026 | How TruffleHog Verifies Secrets intermediate 4 min read | Library detailing how TruffleHog verifies secrets, moving beyond simple entropy and regex checks. It explains the challenges in programmatically confirming API key validity by testing various endpoints like Doppler's `/v3/me`, handling diverse HTTP responses (including rate limits and error codes), and adapting to API changes and new key types. The library also covers complex verification for database credentials and emphasizes the community's role in maintaining TruffleHog's accuracy and low false-positive rates. → trufflesecurity.com |
| 2026-04-10 2026 | Secret Scanner Comparison: Finding Your Best Tool beginner | Secret Scanner Comparison: Finding Your Best Tool |
| 2026-04-10 2026 | 6 Effective Secret Scanning Tools beginner 8 min read | Library for automated secret scanning that identifies and protects sensitive information like API keys and database credentials exposed in codebases, logs, or configuration files. It supports detection of various secret types, integrates with development workflows and CI/CD pipelines for early vulnerability detection, and provides actionable remediation insights. Specific tools mentioned include Legit Security, GitGuardian, AWS Secrets Manager, TruffleHog, Doppler, and GitLeaks. |
| 2026-04-10 2026 | Top 8 Git Secrets Scanners in 2026 beginner 4 min read | Library of eight Git secrets scanners, including Jit, Gitleaks, GitGuardian, HawkScan, AWS Git Secrets Scanner, Spectral, Trufflehog, and GitHub Secret Scanning, designed to detect and neutralize exposed sensitive data like API keys and credentials within code repositories. These tools employ pattern-based and ML detection, custom rules, historical and pre-commit scanning, CI/CD integration, and remediation guidance to prevent data breaches and unauthorized access by shifting security left in the development lifecycle. |
| 2026-04-10 2026 | 8 Best Secret Scanning Tools (2026) beginner 10 min read | Library for detecting hardcoded credentials, API keys, and tokens. It highlights tools like Gitleaks for pre-commit blocking, TruffleHog for live credential verification, and detect-secrets for legacy codebases. GitGuardian is noted as a leading managed platform, offering real-time monitoring and collaboration tool scanning. The library emphasizes the importance of early detection to prevent data breaches and account takeovers, contrasting the cost of pre-commit remediation with post-commit incident response. → appsecsanta.com |
| 2026-04-10 2026 | Best Secret Scanning Tools in 2025 beginner 13 min read | Library for detecting hard-coded secrets in code, configurations, and cloud infrastructure. It utilizes pattern recognition, entropy checks, and AI to identify sensitive data like API keys and passwords, aiming to prevent data breaches by automating detection and remediation. Notable features include context-aware detection correlating secrets with other vulnerabilities, one-click remediation for many secret types, and integration into developer workflows via IDE extensions and pre-commit hooks. The library supports broad scanning across Git repositories, container images, and cloud environments, offering a free tier for basic use. → aikido.dev |
| 2026-04-10 2026 | GitHub Leaked API Keys and Secrets Reference news 3 min read | Reference list of GitHub search queries designed to locate hardcoded API keys and secrets. It includes specific patterns for OpenAI API keys, GitHub OAuth/App/Personal/Refresh Access Tokens, Slack Tokens, Google API keys, Square OAuth/access tokens, and Shopify secrets. The queries utilize file path extensions and keyword combinations to filter results effectively. |
| 2026-04-10 2026 | 23.8 Million Secrets Leaked on GitHub: The Case for Expiring Credentials news 7 min read | Library for managing secrets; addresses the persistence problem where leaked credentials remain active due to lack of revocation, as seen in the 23.8 million secrets found on GitHub, impacting collaboration tools like Slack and Jira, private repositories, and even increasing with AI assistants like GitHub Copilot. This library focuses on built-in expiration for shared credentials, offering a solution beyond traditional secrets managers like HashiCorp Vault or AWS Secrets Manager. |
| 2026-04-10 2026 | GitHub is Awash with Leaked AI Company Secrets news 4 min read | Survey of leaked AI company secrets on GitHub by Wiz reveals that 65% of examined companies exposed sensitive data like API keys and tokens. Leaks were found in deleted forks, gists, and developer repositories, potentially exposing organizational structures, training data, or private models. Companies like Anthropic and ElevenLabs were affected, with plaintext API keys and HuggingFace tokens for private models discovered. This research highlights significant security risks, with Palo Alto Networks data showing AI data security incidents doubling. Wiz recommends proactive secret scanning and establishing clear disclosure channels. |
| 2026-04-10 2026 | The State of Secrets Sprawl 2026: AI-Service Leaks Surge 81% news 5 min read | Report detailing the surge in hardcoded secrets on public GitHub, with AI service leaks increasing 81% and LLM infrastructure leaking 5x faster than core model providers. The analysis highlights insecure patterns in MCP configuration guides, the significant risk of secrets in internal repositories and collaboration tools like Slack and Jira, and the expanding attack surface of developer workstations and CI/CD runners due to AI agents. It also emphasizes the persistent issue of un-remediated valid secrets and the critical need for robust Non-Human Identity (NHI) governance. → blog.gitguardian.com |
| 2026-04-10 2026 | State of Secrets Sprawl Report 2025 news 2 min read | Report analyzing secrets sprawl in 2024, revealing 4.61% of public repositories contained secrets and 31% of breaches involved stolen credentials. GitGuardian's AI identifies more generic secrets than GitHub's Push Protection, which struggles with keys like MySQL and MongoDB credentials. Private repositories are nine times more likely to leak secrets, with widespread exposures found in Slack, Jira, and Confluence. Leaked secrets include AWS IAM, Slack webhooks, and Azure AD API keys, highlighting risks from misconfigurations, non-human identities, and AI tools like GitHub Copilot. Artifactory token leaks and AWS S3 ransomware attacks demonstrate the severe supply chain and operational impact of exposed credentials. |
| 2026-04-10 2026 | AI Frenzy Feeds Credential Chaos news 3 min read | Report from GitGuardian on secrets sprawl reveals 28.65 million hardcoded secrets in public GitHub commits in 2025, with exposure extending to internal repositories, collaboration platforms like Slack and Jira, and self-hosted infrastructure. AI development workflows introduce new credentials for model providers and agent frameworks, contributing to the rise in leaked secrets across code and configuration files. Many exposed credentials remain valid for years, complicating remediation efforts and widening the attack surface. → helpnetsecurity.com |
| 2026-04-10 2026 | GitHub Secret Leaks: 13 Million API Credentials in Public Repos news | GitHub Secret Leaks: 13 Million API Credentials in Public Repos |
| 2026-04-10 2026 | Best Secret Scanning Tools For 2026 beginner 14 min read | Library from SentinelOne scans code repositories for over 750 types of hardcoded secrets, including API keys and cloud tokens, preventing leakage and unauthorized access. It integrates into CI/CD pipelines, supports GitHub, GitLab, and BitBucket, and offers agentless vulnerability scanning with over 1,000 rules. Its CNAPP capabilities include Cloud Security Posture Management, Cloud Workload Security with AI-powered runtime protection, and Cloud Infrastructure Entitlement Management for tightening permissions and reducing alert fatigue. → sentinelone.com |
| 2026-04-10 2026 | 29 Million Secrets Leaked: AI Coding Tools Making It Worse news 7 min read | Library for detecting hardcoded secrets in code, especially concerning AI coding assistants like Copilot and Claude Code. The GitGuardian 2026 State of Secrets Sprawl report highlights a 34% increase in leaked secrets, with AI-generated code exhibiting a 3.2% secrets leak rate, double that of human-only commits. The library integrates with tools like gitleaks and detect-secrets for pre-commit hooks and CI/CD scanning, and emphasizes .gitignore configurations, secrets vault integration with AWS Secrets Manager and HashiCorp Vault, AI tool configuration audits, and secret rotation policies. |
| 2026-04-10 2026 | The State of Secrets Sprawl 2026: 9 Takeaways for CISOs news 4 min read | Library of insights from GitGuardian's State of Secrets Sprawl 2026 report detailing the accelerating growth of hardcoded secrets, with 29 million uncovered in 2025. The analysis highlights AI's impact, the 6x higher leak rate in internal repositories, and secrets found outside code in tools like Slack and Jira. It notes the continued validity of leaked secrets and the emergence of developer endpoints as credential aggregation layers, emphasizing the need for non-human identity governance over simple detection. → thehackernews.com |
| 2026-04-10 2026 | The State of Secrets Sprawl 2025 news 3 min read | Report on the State of Secrets Sprawl 2025 details a significant increase in leaked secrets, with 23.8 million found on public GitHub in 2024, a 25% rise. Generic secrets comprise 58% of leaks, and a troubling 70% of secrets from 2022 remain active, expanding the attack surface. The report highlights that 35% of private repositories also contain secrets, including AWS IAM keys and hardcoded passwords, and secrets are prevalent across the SDLC in tools like Jira and Slack. The U.S. Treasury Department's BeyondTrust breach illustrates the real-world impact of exposed credentials. → blog.gitguardian.com |
| 2026-04-10 2026 | The Complete 2026 Secrets Management Guide beginner 4 min read | Reference for secrets management, detailing techniques like SOPS with age for encrypted Git commits and Infisical for team-scale self-hosting. It highlights strategies to combat "Secrets Sprawl," including least privilege access, automated rotation, and embedding secrets scanning with tools like Gitleaks in pre-commit hooks and CI/CD pipelines, while warning against plaintext storage, shared super accounts, and unexpiring tokens. |
| 2026-04-08 2026 | AI coding assistants twice as likely to leak secrets as overall leaks rise 34% news | Library detailing the rise of leaked secrets, which saw a 34% increase overall and an 81% surge tied to AI services according to GitGuardian’s State of Secrets Sprawl 2026 report. The report highlighted that AI coding assistants are twice as likely to leak secrets. It also referenced the Shai-Hulud supply chain attack in late 2025, which exposed nearly 300,000 secret occurrences on developer machines. A specific incident involved Cursor, an AI coding agent running Claude Opus, deleting PocketOS’s production database and backups. → scworld.com |
| 2026-04-06 2026 | Secure Code Scanning: Basics & Best Practices beginner 8 min read | Library for secure code scanning, a practice vital for identifying and resolving security flaws, code smells, and data privacy risks across first-party code, third-party libraries, and container images. It leverages techniques like flow-based analysis and pattern matching to detect vulnerabilities such as SQL injection and RCE, citing real-world examples like the MOVEit Transfer and Ollama (CVE-2024-37032) incidents. The library aids in preventing costly data breaches by integrating security into the SDLC and offers Software Composition Analysis (SCA) to manage dependencies and licenses. → wiz.io |
| 2026-04-06 2026 | Zen AI Pentest GitHub Action intermediate 18 min read | Library for an AI-powered penetration testing framework that integrates with GitHub Actions. It executes real security tools like Nmap, Nuclei, and SQLMap within isolated Docker sandboxes, employing safety controls such as private IP blocking and resource limits. The framework features a ReAct pattern with a state machine, memory system, and multi-agent collaboration for automated tool selection, execution, and self-correction, generating comprehensive PDF, HTML, and DOCX reports with evidence collection and chain of custody. |
| 2026-04-06 2026 | Shift Left Security That Developers Actually Keep Enabled beginner 12 min read | Library for architecting security checks into CI/CD pipelines based on speed and false positive rates. This framework assigns checks to stages like pre-commit (under 30s), PR checks (under 2m), and merge gates (under 5m) to maintain developer velocity. It recommends secret scanning and targeted SAST for pre-commit, functional security tests and dependency scanning for PR checks, and broad SAST and container scanning for merge gates, with async tasks for remaining checks. |
| 2026-04-06 2026 | CERT-EU Confirms Trivy Supply Chain Attack Led to Credential Exposure news 3 min read | News report that maps a supply chain attack on the European Commission via a compromised Trivy version to specific MITRE ATT&CK techniques, including Supply Chain Compromise (T1195.002), Cloud Account Compromise (T1586.003), Valid Cloud Accounts (T1078.004), and Data from Local System (T1005). This incident, detailed by CERT-EU and involving threat actors TeamPCP and extortion group ShinyHunters, led to the exfiltration of over 340 GB of data by exploiting AWS API keys and utilizing tools like TruffleHog. Recommendations include updating Trivy, rotating secrets, restricting CI/CD access, and enabling CloudTrail logs. → cybersecuritynews.com |
| 2026-04-06 2026 | The Claude Code Security Checklist: What the Source Code Reveals intermediate 14 min read | Library for auditing AI coding assistants, particularly Claude Code, by analyzing its leaked source code. The library details specific security controls organizations should verify, covering aspects like discovering all AI deployments, auditing `.mcp.json` files for MCP server connections, bounding bash tool scope, testing path traversal defenses against various attack vectors, and assessing sub-agent spawning permissions. These controls, applicable to tools like Cursor and GitHub Copilot, aim to mitigate risks exposed by the source leak, such as undocumented deployments and misconfigured MCP servers granting access to sensitive data or production systems. |
| 2026-04-06 2026 | Hardcoded Secrets in AI-Generated Code: Catch Them Before They Ship intermediate 6 min read | Toolset offering a defensive strategy against hardcoded secrets in AI-generated code, specifically addressing CWE-798. This approach leverages Gitleaks for pre-commit hook protection, preventing secrets from entering repositories, and TruffleHog for deep scanning of git history, S3 buckets, and CI/CD logs with credential verification. The article highlights common AI patterns for leakage, such as inline credentials, client-side bundle leaks, and un-ignored .env files, and emphasizes the importance of these tools for mitigating risks like those seen in the Moltbook incident. |
| 2026-04-03 2026 | AWS Secrets Manager vs HashiCorp Vault [2026] beginner 6 min read | Comparison of AWS Secrets Manager and HashiCorp Vault analyzes their strengths and weaknesses for enterprise secret management. It highlights differences in secrets storage, access control via IAM versus Vault's policies, and ecosystem integrations. The analysis also touches on scalability, audit capabilities, and user experience, noting Vault's shift to a source-available license and the implementation complexities of both solutions, contrasting them with Infisical's developer-focused open-source alternative. |
| 2026-04-03 2026 | AWS Secrets Engine | HashiCorp Vault beginner 15 min read | Library for dynamically generating AWS credentials. This secrets engine creates IAM users, assumes roles, or generates federation and session tokens based on defined Vault roles. It supports creating short-lived, time-bound credentials automatically revoked upon lease expiration, offering an alternative to static IAM user management. Configuration involves enabling the engine, setting root AWS credentials for Vault's communication, and defining Vault roles that map to AWS IAM policies and credential types. |
| 2026-04-03 2026 | Researcher Unearths Thousands of Leaked Secrets in GitHub's "Oops Commits" news 2 min read | Force Push Scanner is a tool that identifies and scans orphaned Git commits for leaked secrets, including GitHub PATs and AWS credentials. Developed by Truffle Security and Sharon Brizinov, this open-source utility leverages GH Archive data and TruffleHog scanning to uncover sensitive information like MongoDB credentials and API tokens potentially exposed in force-pushed or deleted commits, mitigating supply-chain attack risks. → infoq.com |
| 2026-04-03 2026 | How to Detect and Clean Up Leaked Secrets in Your Git Repositories intermediate 5 min read | Guide on detecting and cleaning leaked secrets in Git repositories. It details using tools like Gitleaks and TruffleHog for detection, and BFG Repo-Cleaner for historical cleanup, emphasizing the importance of backups due to the destructive nature of history manipulation. |
| 2026-04-03 2026 | Secret Scanning Tools 2026: Protect Code and Prevent Credential Leaks beginner 16 min read | Library for detecting and preventing secret leaks in code, offering continuous scanning, broad detector coverage for AWS, GCP, Azure, and internal tokens, and integration with GitHub, GitLab, and Slack. It utilizes pattern matching, entropy detection, and context-aware validation, with machine learning to reduce false positives and dedicated remediation workflows to address detected issues across the software development lifecycle. → blog.gitguardian.com |
| 2026-04-03 2026 | TruffleHog vs. Gitleaks: A Detailed Comparison intermediate 7 min read | Comparison of TruffleHog and Gitleaks, popular secret scanning tools that identify hardcoded secrets like API keys and tokens within codebases and other environments. TruffleHog offers extensive scanning across S3 buckets and Docker images with advanced verification, while Gitleaks provides a lightweight, fast, and user-friendly experience focused on code repositories, excelling in CI environments. Both integrate into the SDLC to proactively detect and rectify leaked credentials, preventing unauthorized access and security breaches. |
| 2026-04-03 2026 | Why 28 Million Credentials Leaked on GitHub in 2025 | Snyk news 17 min read API Sec | Library for detecting and preventing leaked secrets, including API keys, database passwords, cloud IAM credentials, and AI service keys. It addresses accidental commits to Git, insecure .env file practices, supply chain attacks via malicious packages like Shai-Hulud and compromised versions of TruffleHog, and leaks through non-code surfaces such as Slack, Jira, and Docker Hub. The library also highlights the growing risk from AI-assisted development and MCP server credentials, differentiating its secret scanning capabilities from SAST tools by emphasizing the analysis of full Git history, including deleted files. → snyk.io |
| 2026-04-03 2026 | Gitleaks - Find Secrets with Gitleaks beginner 14 min read | Tool for detecting secrets like passwords, API keys, and tokens in git repos, files, and via stdin. Gitleaks supports scanning via `git`, `dir`, and `stdin` commands, and can be integrated as a pre-commit hook or GitHub action. It allows for baseline scanning to ignore old findings and custom rule configuration. |
| 2026-04-03 2026 | TruffleHog - Find, Verify, and Analyze Leaked Credentials beginner 14 min read | Tool for discovering, classifying, validating, and analyzing leaked credentials. TruffleHog scans Git, Jira, Slack, Confluence, Microsoft Teams, SharePoint, S3 buckets, GCS, and Docker images for over 800 secret types, including API keys and database passwords. It can verify if secrets are live and enrich findings by determining resource access and permissions. TruffleHog includes protections against malicious Git configurations, addressing CVE-2025-41390. |
| 2026-04-03 2026 | Secrets Management - OWASP Cheat Sheet Series beginner 40 min read | Cheatsheet outlining best practices for secrets management, crucial for DevOps environments. It covers high availability, centralization and standardization of secret storage, fine-grained access control based on the Least Privilege principle, and automation of secret management through pipelines, dynamic secrets, and automated rotation. Architectural patterns are illustrated with examples like Kubernetes sidecar containers for HashiCorp Vault and serverless functions for AWS Secrets Manager. → cheatsheetseries.owasp.org |
| 2026-03-02 2026 | Breaking the Trust Boundary: SSRF via a Misconfigured Sentry Tunnel intermediate SSRF | → infosecwriteups.com |
| 2026-02-02 2026 | depthfirst | 1-Click RCE To Steal Your Moltbot Data and Keys advanced 5 min read AI RCE | Analysis of CVE-2026-25253 in OpenClaw details a 1-click RCE exploit achieved by chaining a logic flaw in gateway URL ingestion with Cross-Site WebSocket Hijacking (CSWSH). The vulnerability allows an attacker to steal authentication tokens, bypass localhost restrictions, disable security features like user confirmations and sandboxing via API calls, and execute arbitrary commands on the victim's machine. |
| 2025-08-24 2025 | GitHub - dele-to/dele-to: Share sensitive credentials and secrets securely with client-side AES-256 encryption, zero-knowledge architecture, and automatic self-destruction. beginner 6 min read | Library for securely sharing sensitive credentials and secrets, DELE.TO employs client-side AES-256-GCM encryption and a zero-knowledge architecture, ensuring encryption keys never reach the server. It features automatic self-destruction through configurable expiration times and view limits, offering an alternative to tools like PasswordPusher and Bitwarden Send. |
| 2025-03-10 2025 | GitHub - vsec7/BurpSuite-Xkeys: A Burp Suite Extension to extract interesting strings (key, secret, token, or etc.) from a webpage. intermediate Burp | Extension for Burp Suite that passively scans webpages to extract interesting strings like keys, secrets, and tokens. It lists these findings as information issues and can be configured by adding the Python script through the Extender tab after setting up the Jython environment. The extension identifies assets and displays results in the issues box and extender output, supporting various key-value pair formats. |
| 2025-03-08 2025 | GitHub - trufflesecurity/trufflehog-burp-suite-extension: Official TruffleHog Burp Suite Extension. Scan Burp Suite traffic for 800+ different types of secrets (API keys, passwords, SSH keys, etc) using TruffleHog. intermediate 2 min read Burp | Extension for Burp Suite that scans HTTP traffic for over 800 types of secrets, including API keys, passwords, and SSH keys, leveraging TruffleHog. It operates by writing traffic to temporary files and invoking TruffleHog scans every 10 seconds, reporting findings in a dedicated tab. The extension supports secret verification and can be configured to scan various Burp Suite traffic sources. |
| 2024-10-24 2024 | Cryptography — The Hitchhiker's Guide to Python beginner 2 min read Python | Library for Python cryptography, offering a high-level `Fernet` symmetric encryption recipe and low-level "hazmat" primitives. Includes GPGME Python bindings for access to the GNU Privacy Guard suite, supporting encryption and decryption using GPG and S/MIME engines. Examples demonstrate generating keys, encrypting and decrypting messages, and file encryption. |
| 2024-09-11 2024 | Browser Stored Credentials beginner 8 min read | Library for harvesting credentials from browsers, focusing on T1555.003. It details how modern browsers like Chrome and Edge utilize DPAPI for encrypting user credentials and outlines the file locations for storing this sensitive data. The library discusses tools like Lazagne, SharpChrome, and DonPAPI, emphasizing that detection should focus on the behavior of processes accessing credential files and the CryptUnprotectData API, rather than signature-based methods. It provides a playbook for purple teams to emulate this technique and assess SOC detection capabilities. |
| 2024-08-27 2024 | Thousands of Corporate Secrets Were Left Exposed. This Guy Found Them All news 6 min read OSINT | Writeup detailing researcher Bill Demirkapi's methods for discovering thousands of hard-coded developer secrets, including API keys and credentials for entities like Nebraska's Supreme Court and Stanford University, by leveraging VirusTotal's Retrohunt feature and YARA rules. The writeup also covers his identification of 66,000 websites with dangling subdomain issues, which could lead to hijacking and other attacks, using passive DNS replication data. Demirkapi developed an automated revocation process for exposed secrets, notably with OpenAI's assistance. → wired.com |
| 2023-11-08 2023 | maxgoedjen/secretive beginner 2 min read | Library for securing SSH private keys using macOS Secure Enclave and Touch ID, preventing export and enabling authenticated access. It also supports Smart Cards like YubiKeys for Macs lacking Secure Enclaves, and provides access notifications. Builds are attested via GitHub Artifact Attestation, and Secretive relies on Keychain APIs for key management, requiring consistent bundle IDs for successful access. Secrets stored in the Secure Enclave are non-exportable, necessitating recreation on new machines. |
| 2023-09-06 2023 | Results of Major Technical Investigations for Storm-0558 Key Acquisition news AuthN | Results of Major Technical Investigations for Storm-0558 Key Acquisition https://ift.tt/ikRNGrj |
| 2023-08-22 2023 | OWASP/wrongsecrets beginner 18 min read | Game challenging users to find intentionally hidden secrets within code, configuration files, Docker containers, and cloud deployments. It provides over 65 real-world examples of common secrets management mistakes, including exposed credentials in Spring Boot applications, and offers online and local Docker-based setups. Advanced users can explore Kubernetes and cloud challenges, utilizing tools like Minikube and cloud accounts for practical learning. |
| 2023-08-05 2023 | How To Keep A Secret in Python Apps intermediate 67 min read Python | Library for managing secrets in Python applications, emphasizing that hard-coding credentials like API keys and database passwords in source code is a major security risk. It highlights the `keyring` Python library for secure OS-native storage, the importance of threat modeling, and suggests tools like password managers, PinPal for memorization, and macOS Keychain for user-prompted secret access. The library also touches on secure CI/CD practices with GitHub Actions secrets and the fundamental need for local machine security through disk encryption. |
| 2022-03-17 2022 | Favorite tweet by @0x1shu beginner Bug Bounty | Favorite tweet: 🧙♂️Git Secrets Leaks Simplified by @sec_r0 ✨ In this flyer, you'll learn about how git works and the reason behind the git secrets leaks. Download the flyer: https://t.co/zMruBpl6c4 ... |
| 2022-01-15 2022 | Source Code Disclosure via Exposed .git Folder intermediate | Source Code Disclosure via Exposed .git Folder |
| 2021-10-14 2021 | Finding Sensitive Data Leaks In Code Using ShiftLeft CORE intermediate | Finding Sensitive Data Leaks In Code Using ShiftLeft CORE |
| 2021-10-10 2021 | New CS proposal: Avoiding password and sensitive shared data transmission #685 beginner 2 min read AuthN | Cheatsheet proposal addressing secure password and sensitive data transmission by leveraging HMAC. This approach allows users to authenticate without sending passwords to the server, mitigating transmission-related attacks. The objective is to educate developers that passwords need only be handled on the client-side for authentication verification, with the server only involved during initial password setup for secure hashing and storage. This method avoids the need for server-side password processing in many use cases, referencing IETF RFC 2104. |
| 2021-09-20 2021 | TruffleHog The Chrome Extension beginner 2 min read | Tool for detecting API keys and other secrets like `.git` directories and `.env` files within JavaScript code and client-side applications. It leverages permissive CORS headers from services like AWS to identify instances where credentials might be inadvertently exposed, as demonstrated by an example on weather.com. The extension can be side-loaded while awaiting review on the Google Extension Store. → trufflesecurity.com |
| 2021-08-24 2021 | The last S3 security document that we'll ever need and how to use it beginner 4 min read | ThreatModel for Amazon S3 is an open-source document detailing customer responsibilities for securing AWS's Simple Storage Service. This comprehensive 160-page resource, available on GitHub, helps security architects, DevOps teams, and governance specialists navigate the complexities of S3 security. It provides prioritized control implementation lists, feature class analysis with data flow diagrams, compliance mapping to frameworks like PCI DSS, and guidance for large enterprise onboarding and risk tolerance assessments, aiming to reduce security incidents. |
| 2021-06-21 2021 | 0 : 2 Secrets Management 05202021.pptx beginner | This presentation, titled "Secrets Management," from May 20, 2021, likely covers strategies and best practices for securely managing sensitive information like API keys, passwords, and certificates within an organization. Key topics would probably include identifying what constitutes a "secret," common vulnerabilities, and methods for protecting these secrets throughout their lifecycle, from creation to rotation and eventual destruction. The goal is to prevent unauthorized access and data breaches by implementing robust secrets management solutions. |
Frequently Asked Questions
- How do secrets leak into code repositories?
- Secrets commonly leak through developer mistakes: hardcoding API keys during development, committing .env files, leaving credentials in test fixtures, pasting tokens into comments, or including secrets in Docker build arguments. Even if removed in later commits, secrets persist in git history unless the repository is rewritten with tools like git-filter-repo or BFG Repo-Cleaner.
- What tools detect leaked secrets?
- TruffleHog and Gitleaks scan git repositories for high-entropy strings and known credential patterns. GitHub Secret Scanning alerts on known token formats from partner services. Pre-commit hooks using detect-secrets or gitleaks can prevent commits containing secrets. For CI/CD, tools like talisman and SpectralOps provide pipeline-level scanning.
- What should you do when a secret is leaked?
- Immediately rotate the compromised credential — assume it has been captured. Revoke the old key, generate a new one, and update all systems using it. Then remove the secret from git history if it was committed. Review access logs for the compromised credential to assess if it was exploited. Finally, implement prevention measures to stop future leaks.