< ciso
brief />
Tag Banner

All news with #hardcoded secrets tag

31 articles

Study: 282 iOS Apps Expose LLM API Keys in Traffic

πŸ” Researchers tested 444 iPhone AI chatbot apps and found 282 leaking paid AI access via network traffic, often as plaintext keys, reusable tokens, or unsecured backend relays. The team used a tool called LLMKeyLens to capture credentials without jailbreaking. Only 28% of affected apps were fixed after three months; many tokens remained valid and susceptible to costly misuse.
read more β†’

NAVTOR NavBox hard-coded SOAP credentials fix

πŸ”’ NAVTOR NavBox through version 4.16.1.20 contained hard-coded credentials in its Windows Communication Foundation (SOAP) implementation. If SOAP is enabled, a local attacker could extract those credentials to authenticate to privileged WCF methods and write or overwrite files within application-defined paths, disrupting operations. NAVTOR released a patch in April 2026; versions 4.17.2.6 and later include the fix, and connected NavBox users will be updated automatically.
read more β†’

KnowledgeDeliver zero-day enables web shell installs

πŸ›‘οΈ Mandiant found attackers exploited a critical unauthenticated deserialization flaw (CVE-2026-5426) in KnowledgeDeliver LMS to deliver the Godzilla web shell. The issue stemmed from a shared hardcoded ASP.NET machineKey across customer deployments, allowing signed malicious ViewState payloads and remote code execution. Compromised installations were used to push fake installers, deploy Cobalt Strike beacons, and modify site scripts to load attacker-controlled payloads.
read more β†’

AI Coding Fuels Secrets Sprawl, CISOs Struggle to Contain

πŸ›‘οΈ The rapid rise of AI-assisted and vibe coding is accelerating secrets sprawl, with developers and AI agents increasingly introducing credentials, tokens, and private data into code and collaboration tools. Security researchers from Wiz and independent analysts found a Jan. 28, 2026 Moltbook backend misconfiguration on Supabase that exposed 1.5 million API authentication tokens, tens of thousands of emails, and private messages. Organizations report that detection is outpacing remediation: many teams can find leaks but lack governance and processes to revoke, rotate, and purge secrets at scale. Experts urge treating the issue as identity governance, embedding security into the SDLC, and enforcing short-lived credentials and automated rotation.
read more β†’

MAXHUB Pivot Client Vulnerability Exposes Emails Now

⚠️The MAXHUB Pivot client (versions prior to v1.36.2) contains a vulnerability (CVE-2026-6411) that can expose tenant email addresses and related metadata in cleartext due to a hardcoded AES key embedded in the application. An attacker who obtains the encrypted data can decrypt it, and the product's MQTT enrollment mechanism may be abused to register multiple unauthorized devices, potentially causing denial of service. MAXHUB released v1.36.2 via OTA; update immediately.
read more β†’

LLM-Generated Passwords Are Structurally Predictable

πŸ” Two independent research efforts from Irregular and Kaspersky demonstrate that modern LLMs produce passwords that are structurally predictable and far lower in effective entropy than they appear. Models often repeat the same strings across sessions and conform to human-like patterns that fool standard strength meters. Autonomous coding agents are embedding these credentials into configuration files and repositories, and conventional secret scanners lack the means to detect them. Organizations should audit codebases, rotate suspect credentials, and require explicit use of cryptographically secure RNGs for all generated secrets.
read more β†’

State of Secrets Sprawl 2026: AI-Driven Credential Risk

πŸ”’ GitGuardian's State of Secrets Sprawl 2026 shows leaks accelerated in 2025, uncovering 29 million new hardcoded secrets β€” a 34% year-over-year increase and the largest single-year jump recorded. The report highlights three core trends: AI-driven credential exposures, unexpectedly widespread internal-repo and collaboration-tool leaks, and persistent remediation failures. It urges a shift from detection to continuous non-human identity governance, secrets vaulting, and automated rotation to reduce attacker access.
read more β†’

South Korea NTS Publishes Seed Phrase, Loses $4.8M Crypto

πŸ”‘ South Korea's National Tax Service (NTS) accidentally included a photograph in a press release that exposed a handwritten cryptocurrency mnemonic seed phrase next to a seized Ledger device. Within hours the wallet holding roughly 4 million PRTG tokens (about US $4.8M) was emptied. The NTS removed the release and issued an apology; the incident underscores that publishing a wallet's seed phrase instantly nullifies any cold-storage security.
read more β†’

Korean Tax Service Exposes Wallet Seed, $4.8M Stolen

πŸ”“ South Korea’s National Tax Service inadvertently exposed the mnemonic recovery phrase of a seized Ledger hardware wallet in a press release, enabling an attacker to drain approximately $4.8 million in crypto. The assets were confiscated during raids on 124 high-value tax evaders, but photos released by authorities showed a handwritten seed phrase that was not redacted. On-chain analysis shows the attacker deposited ETH for gas and moved 4 million Pre-Retogeum (PRTG) tokens to a new address in three transactions. The NTS removed the press release, and it is unclear whether a formal investigation has been launched.
read more β†’

Android Mental Health Apps Found with Security Flaws

⚠️ Security researchers found widespread vulnerabilities across ten Android mental-health apps that together exceed 14.7 million installs and could expose highly sensitive therapy and medical data. Oversecured's scans from January 22–23, 2026 identified 1,575 issues β€” 54 high-, 538 medium-, and 983 low-severity β€” which could enable credential interception, HTML injection, spoofing, and location leaks. Findings include use of Intent.parseUri() on external input, plaintext API endpoints and hardcoded Firebase URLs, insecure token generation with java.util.Random, and overly permissive local file access.
read more β†’

Why secrets in JavaScript bundles remain exposed at scale

πŸ” Intruder's research scanned roughly 5 million web applications and identified over 42,000 exposed tokens across 334 secret types, revealing widespread leakage in front-end JavaScript bundles. The report shows how traditional path-and-regex scanners, many SAST tools, and some DAST deployments miss secrets introduced during build and deployment, especially in SPAs. High-impact findings included active GitHub/GitLab personal access tokens, project-management API keys, and hundreds of live webhooks; Intruder developed automated SPA secrets detection to close these gaps.
read more β†’

Leaked Home Depot GitHub Token Exposed Internal Systems

πŸ”“ A security researcher reported that a Home Depot employee accidentally published a private GitHub access token in early 2024, which granted access to private repositories and cloud infrastructure. When tested, the token allowed write permissions to Home Depot repos and access to order fulfillment and inventory systems. The researcher said multiple disclosure emails went unanswered; the token was removed after TechCrunch contacted the company.
read more β†’

Attackers Exploit Gladinet CentreStack AES Key Flaw

πŸ” Hackers are exploiting an undocumented cryptographic flaw in Gladinet's CentreStack and Triofox products that exposes hardcoded AES keys and enables remote code execution. Huntress researchers found static 100-byte strings in GladCtrl64.dll that produce identical encryption keys and IVs across installations, allowing attackers to decrypt or forge access tickets. Attackers have used this to retrieve web.config and abuse the machineKey with a ViewState deserialization flaw for RCE. Gladinet released patches and IoCs; customers should upgrade immediately and rotate machine keys.
read more β†’

Hard-coded Gladinet Keys Enable Active Exploitation

πŸ” Huntress warns that hard-coded cryptographic keys in Gladinet CentreStack and Triofox allow attackers to decrypt or forge access tickets, exposing sensitive files such as web.config. The flaw stems from a function that returns the same 100-byte strings to derive persistent keys, enabling indefinite reuse of crafted URLs to download server configuration. Organisations should update to version 16.12.10420.56791 and rotate machine keys immediately.
read more β†’

Over 10,000 Docker Hub Images Expose Live Secrets Globally

πŸ”’ A November scan by threat intelligence firm Flare found 10,456 Docker Hub images exposing credentials, including live API tokens for AI models and production systems. The leaks span about 101 organizations β€” from SMBs to a Fortune 500 company and a major national bank β€” and often stem from mistakes like committed .env files, hardcoded tokens, and Docker manifests. Flare urges immediate revocation of exposed keys, centralized secrets management, and active SDLC scanning to prevent prolonged abuse.
read more β†’

Developers Exposed Large Cache of Credentials Online

πŸ”’ Security researchers at watchTowr discovered that two popular code utility sites β€” JSON Formatter and Code Beautify β€” inadvertently exposed thousands of developer submissions containing sensitive secrets and credentials. By querying a public API and the sites’ β€œRecent Links” listings, the team extracted over 80,000 submissions spanning years, including API keys, private keys, database and cloud credentials, JWTs, and PII. The exposure remained until the sites disabled the save feature; watchTowr also confirmed active scraping by third parties and reported limited response from affected organizations.
read more β†’

AI startups expose API keys on GitHub, risking models

πŸ” New research by cloud security firm Wiz found verified secret leaks in 65% of the Forbes AI 50, with API keys and access tokens exposed on GitHub. Some credentials were tied to vendors such as Hugging Face, Weights & Biases, and LangChain, potentially granting access to private models, training data, and internal details. Nearly half of Wiz’s disclosure attempts failed or received no response. The findings highlight urgent gaps in secret management and DevSecOps practices.
read more β†’

65% of Top Private AI Firms Exposed Secrets on GitHub

πŸ”’ A Wiz analysis of 50 private companies from the Forbes AI 50 found that 65% had exposed verified secrets such as API keys, tokens and credentials across GitHub and related repositories. Researchers employed a Depth, Perimeter and Coverage approach to examine commit histories, deleted forks, gists and contributors' personal repos, revealing secrets standard scanners often miss. Affected firms are collectively valued at over $400bn.
read more β†’

Developers leaking secrets via VSCode and OpenVSX extensions

πŸ”’ Researchers at Wiz found that careless developers published Visual Studio extensions to the VSCode Marketplace and OpenVSX containing more than 550 validated secrets across over 500 extensions, including API keys and personal access tokens for providers such as OpenAI, AWS, GitHub, Azure DevOps, and multiple databases. The primary cause was bundled dotfiles (notably .env) and hardcoded credentials in source and config files, with AI-related configs and build manifests also contributing. Microsoft and OpenVSX collaborated with Wiz on coordinated remediation: notifying publishers, adding pre-publication secrets scanning, blocking verified secrets, and prefixing OVSX tokens to reduce abuse.
read more β†’

AutomationDirect CLICK PLUS Firmware Vulnerabilities Identified

πŸ”’ AutomationDirect has disclosed multiple vulnerabilities in the CLICK PLUS series affecting firmware releases prior to v3.71. Issues include cleartext credential storage, a hard-coded AES key, an insecure RSA implementation, a predictable PRNG seed, authorization bypasses, and resource exhaustion flaws. CVSS v4 severity reaches 8.7 for the most critical cryptographic and key-generation weaknesses. AutomationDirect and CISA recommend updating to v3.80 and applying network isolation, access restrictions, logging, and endpoint protections until patches are deployed.
read more β†’