All news with #hardcoded secrets tag

🛡️ The rapid rise of AI-assisted and vibe coding is accelerating secrets sprawl, with developers and AI agents increasingly introducing credentials, tokens, and private data into code and collaboration tools. Security researchers from Wiz and independent analysts found a Jan. 28, 2026 Moltbook backend misconfiguration on Supabase that exposed 1.5 million API authentication tokens, tens of thousands of emails, and private messages. Organizations report that detection is outpacing remediation: many teams can find leaks but lack governance and processes to revoke, rotate, and purge secrets at scale. Experts urge treating the issue as identity governance, embedding security into the SDLC, and enforcing short-lived credentials and automated rotation.

⚠️The MAXHUB Pivot client (versions prior to v1.36.2) contains a vulnerability (CVE-2026-6411) that can expose tenant email addresses and related metadata in cleartext due to a hardcoded AES key embedded in the application. An attacker who obtains the encrypted data can decrypt it, and the product's MQTT enrollment mechanism may be abused to register multiple unauthorized devices, potentially causing denial of service. MAXHUB released v1.36.2 via OTA; update immediately.

🔐 Two independent research efforts from Irregular and Kaspersky demonstrate that modern LLMs produce passwords that are structurally predictable and far lower in effective entropy than they appear. Models often repeat the same strings across sessions and conform to human-like patterns that fool standard strength meters. Autonomous coding agents are embedding these credentials into configuration files and repositories, and conventional secret scanners lack the means to detect them. Organizations should audit codebases, rotate suspect credentials, and require explicit use of cryptographically secure RNGs for all generated secrets.

🔒 GitGuardian's State of Secrets Sprawl 2026 shows leaks accelerated in 2025, uncovering 29 million new hardcoded secrets — a 34% year-over-year increase and the largest single-year jump recorded. The report highlights three core trends: AI-driven credential exposures, unexpectedly widespread internal-repo and collaboration-tool leaks, and persistent remediation failures. It urges a shift from detection to continuous non-human identity governance, secrets vaulting, and automated rotation to reduce attacker access.

🔑 South Korea's National Tax Service (NTS) accidentally included a photograph in a press release that exposed a handwritten cryptocurrency mnemonic seed phrase next to a seized Ledger device. Within hours the wallet holding roughly 4 million PRTG tokens (about US $4.8M) was emptied. The NTS removed the release and issued an apology; the incident underscores that publishing a wallet's seed phrase instantly nullifies any cold-storage security.

🔓 South Korea’s National Tax Service inadvertently exposed the mnemonic recovery phrase of a seized Ledger hardware wallet in a press release, enabling an attacker to drain approximately $4.8 million in crypto. The assets were confiscated during raids on 124 high-value tax evaders, but photos released by authorities showed a handwritten seed phrase that was not redacted. On-chain analysis shows the attacker deposited ETH for gas and moved 4 million Pre-Retogeum (PRTG) tokens to a new address in three transactions. The NTS removed the press release, and it is unclear whether a formal investigation has been launched.

⚠️ Security researchers found widespread vulnerabilities across ten Android mental-health apps that together exceed 14.7 million installs and could expose highly sensitive therapy and medical data. Oversecured's scans from January 22–23, 2026 identified 1,575 issues — 54 high-, 538 medium-, and 983 low-severity — which could enable credential interception, HTML injection, spoofing, and location leaks. Findings include use of Intent.parseUri() on external input, plaintext API endpoints and hardcoded Firebase URLs, insecure token generation with java.util.Random, and overly permissive local file access.

🔐 Intruder's research scanned roughly 5 million web applications and identified over 42,000 exposed tokens across 334 secret types, revealing widespread leakage in front-end JavaScript bundles. The report shows how traditional path-and-regex scanners, many SAST tools, and some DAST deployments miss secrets introduced during build and deployment, especially in SPAs. High-impact findings included active GitHub/GitLab personal access tokens, project-management API keys, and hundreds of live webhooks; Intruder developed automated SPA secrets detection to close these gaps.

🔓 A security researcher reported that a Home Depot employee accidentally published a private GitHub access token in early 2024, which granted access to private repositories and cloud infrastructure. When tested, the token allowed write permissions to Home Depot repos and access to order fulfillment and inventory systems. The researcher said multiple disclosure emails went unanswered; the token was removed after TechCrunch contacted the company.

🔐 Hackers are exploiting an undocumented cryptographic flaw in Gladinet's CentreStack and Triofox products that exposes hardcoded AES keys and enables remote code execution. Huntress researchers found static 100-byte strings in GladCtrl64.dll that produce identical encryption keys and IVs across installations, allowing attackers to decrypt or forge access tickets. Attackers have used this to retrieve web.config and abuse the machineKey with a ViewState deserialization flaw for RCE. Gladinet released patches and IoCs; customers should upgrade immediately and rotate machine keys.

🔐 Huntress warns that hard-coded cryptographic keys in Gladinet CentreStack and Triofox allow attackers to decrypt or forge access tickets, exposing sensitive files such as web.config. The flaw stems from a function that returns the same 100-byte strings to derive persistent keys, enabling indefinite reuse of crafted URLs to download server configuration. Organisations should update to version 16.12.10420.56791 and rotate machine keys immediately.

🔒 A November scan by threat intelligence firm Flare found 10,456 Docker Hub images exposing credentials, including live API tokens for AI models and production systems. The leaks span about 101 organizations — from SMBs to a Fortune 500 company and a major national bank — and often stem from mistakes like committed .env files, hardcoded tokens, and Docker manifests. Flare urges immediate revocation of exposed keys, centralized secrets management, and active SDLC scanning to prevent prolonged abuse.

🔒 Security researchers at watchTowr discovered that two popular code utility sites — JSON Formatter and Code Beautify — inadvertently exposed thousands of developer submissions containing sensitive secrets and credentials. By querying a public API and the sites’ “Recent Links” listings, the team extracted over 80,000 submissions spanning years, including API keys, private keys, database and cloud credentials, JWTs, and PII. The exposure remained until the sites disabled the save feature; watchTowr also confirmed active scraping by third parties and reported limited response from affected organizations.

🔐 New research by cloud security firm Wiz found verified secret leaks in 65% of the Forbes AI 50, with API keys and access tokens exposed on GitHub. Some credentials were tied to vendors such as Hugging Face, Weights & Biases, and LangChain, potentially granting access to private models, training data, and internal details. Nearly half of Wiz’s disclosure attempts failed or received no response. The findings highlight urgent gaps in secret management and DevSecOps practices.

🔒 A Wiz analysis of 50 private companies from the Forbes AI 50 found that 65% had exposed verified secrets such as API keys, tokens and credentials across GitHub and related repositories. Researchers employed a Depth, Perimeter and Coverage approach to examine commit histories, deleted forks, gists and contributors' personal repos, revealing secrets standard scanners often miss. Affected firms are collectively valued at over $400bn.

🔒 Researchers at Wiz found that careless developers published Visual Studio extensions to the VSCode Marketplace and OpenVSX containing more than 550 validated secrets across over 500 extensions, including API keys and personal access tokens for providers such as OpenAI, AWS, GitHub, Azure DevOps, and multiple databases. The primary cause was bundled dotfiles (notably .env) and hardcoded credentials in source and config files, with AI-related configs and build manifests also contributing. Microsoft and OpenVSX collaborated with Wiz on coordinated remediation: notifying publishers, adding pre-publication secrets scanning, blocking verified secrets, and prefixing OVSX tokens to reduce abuse.

🔒 AutomationDirect has disclosed multiple vulnerabilities in the CLICK PLUS series affecting firmware releases prior to v3.71. Issues include cleartext credential storage, a hard-coded AES key, an insecure RSA implementation, a predictable PRNG seed, authorization bypasses, and resource exhaustion flaws. CVSS v4 severity reaches 8.7 for the most critical cryptographic and key-generation weaknesses. AutomationDirect and CISA recommend updating to v3.80 and applying network isolation, access restrictions, logging, and endpoint protections until patches are deployed.

🔒 As organizations shrink and security teams tighten, hardcoded secrets have become a critical, costly blind spot that manual processes can no longer manage. The article cites rising credential-driven breaches, a 292‑day average containment window, and steep financial impacts when secrets are exposed. It contends that precision remediation — contextual ownership, integrated workflows, and automated rotation — is essential to reduce remediation from weeks to hours and to curb analyst overhead. GitGuardian is presented as an example of this targeted remediation approach.

🔒 The 2025 Zimperium Global Mobile Threat Report finds that one in three Android apps and more than half of iOS apps leak sensitive information through insecure APIs, and nearly half of apps contain hardcoded secrets such as API keys. Client-side weaknesses let attackers tamper with apps, intercept traffic and bypass perimeter defences. The report recommends API hardening and app attestation to ensure API calls originate from genuine, untampered apps.

⚠️ One July morning a startup founder watched a production database vanish after a Replit AI assistant suggested—and a developer executed—a destructive command, underscoring dangers of "vibe coding," where plain-English prompts become runnable code. Experts say this shortcut accelerates prototyping but routinely introduces hardcoded secrets, missing access controls, unsanitized input, and hallucinated dependencies. Organizations should treat AI-generated code like junior developer output, enforce CI/CD guardrails, and require thorough security review before deployment.