< ciso
brief />
Tag Banner

All news with #secret exposure tag

76 articles

RabbitMQ flaws risk OAuth secret exposure

🔒 Cybersecurity researchers disclosed two access-control flaws in RabbitMQ that could leak OAuth client secrets and allow cross-tenant data access. Miggo's team reported one issue exposes the broker's OAuth secret to unauthenticated requests, enabling full broker takeover, while the other permits authenticated users to read other tenants' queue metadata. Affected releases begin at 3.13.0; fixes are available in recent patch releases and administrators are urged to rotate secrets and restrict management access.
read more →

RabbitMQ OAuth secret leak and authorization bypass patched

🔒 RabbitMQ has patched two critical access control flaws that could expose OAuth client secrets and leak queue/exchange metadata. Discovered by Miggo Security, CVE-2026-57219 allowed unauthenticated retrieval of OAuth configuration from an obsolete endpoint, risking full broker takeover; CVE-2026-57221 permitted authorization bypass for passive declarations, enabling reconnaissance. Users should upgrade immediately and rotate secrets.
read more →

Ghostcommit attack hides prompt injection in images

🛡️ Researchers demonstrated "Ghostcommit," a proof-of-concept attack that hides malicious instructions inside a PNG referenced by an AGENTS.md so AI code-reviewing agents read images, open .env files, and exfiltrate secrets as integer constants. The pull request appears benign to text-based reviewers and default configs often exclude images from review, letting the change merge without human oversight. In tests, several coding agents followed the image pointer and emitted the repository's .env as a tuple of integers, while some agent harnesses refused. The ASSET Research Group published code, disclosed vendors, and built a multimodal GitHub app that inspects images, code shape, and conventions to block the exploit in trials.
read more →

CISA Details Response to Exposed AWS GovCloud Keys

🔒 The US Cybersecurity and Infrastructure Security Agency (CISA) detailed its response after a contractor’s personal GitHub repository exposed AWS GovCloud credentials and internal build code. CISA’s OCIO began incident response on May 15, quickly mitigating exposure and confirming no customer data was leaked or credentials used outside CISA environments. The agency emphasized lessons learned, including stronger repo controls, improved logging, adoption of zero trust principles, and clearer reporting channels for researchers.
read more →

Study: 282 iOS Apps Expose LLM API Keys in Traffic

🔍 Researchers tested 444 iPhone AI chatbot apps and found 282 leaking paid AI access via network traffic, often as plaintext keys, reusable tokens, or unsecured backend relays. The team used a tool called LLMKeyLens to capture credentials without jailbreaking. Only 28% of affected apps were fixed after three months; many tokens remained valid and susceptible to costly misuse.
read more →

Gravity SMTP flaw exposes API keys and system data

🔒 A recently patched information disclosure flaw in the Gravity SMTP WordPress plugin (CVE-2026-4020) allows unauthenticated attackers to retrieve sensitive configuration data and API credentials via a misconfigured REST API endpoint. Wordfence observed exploit attempts beginning in May 2026 and blocking over 17 million requests, with activity spiking in early June. Site owners should update to version 2.1.5, rotate exposed credentials, and review logs for suspicious access from listed IPs.
read more →

Securing CI/CD in an agentic world: Claude Code case

🔒 Microsoft Threat Intelligence found that Anthropic’s Claude Code GitHub Action could expose CI/CD secrets when AI agents process untrusted GitHub content. A gap in sandboxing allowed the action’s Read tool to access /proc/self/environ and leak the ANTHROPIC_API_KEY; Anthropic mitigated the issue in version 2.1.128. Defenders should treat AI workflows that handle untrusted input as high-risk and apply recommended hardening controls.
read more →

Anthropic Claude Code Action flaw risk to repos

🔒 A researcher discovered a vulnerability in Anthropic's Claude Code GitHub Action that allowed takeover of public repositories via a single opened GitHub issue. Anthropic patched the core bypass in January and released fixes in claude-code-action v1.0.94, rating the issue 7.8 under CVSS v4.0 and issuing a bounty. The flaw arose from overly permissive triggers that trusted actors ending in "[bot]" and example workflows allowing non-write users, enabling indirect prompt injection to exfiltrate environment secrets and OIDC credentials. Administrators should update to v1.0.94, audit workflows for untrusted inputs, and remove unnecessary permissions and tools to prevent exfiltration.
read more →

Megalodon campaign backdoors GitHub Actions at scale

🔒 Researchers at SafeDep uncovered the Megalodon campaign that pushed 5,718 malicious commits into 5,561 public GitHub repositories during a six-hour window on May 18. The attackers modified GitHub Actions workflows to embed base64-encoded bash payloads designed to exfiltrate CI-exposed secrets such as cloud credentials, SSH keys, and OIDC tokens. The campaign used compromised Personal Access Tokens or deploy keys and forged author identities like build-bot to directly commit changes without PRs, and delivered two payload variants that either ran on every push or via workflow_dispatch triggers.
read more →

Grafana breach traced to missed GitHub token rotation

🔐 Grafana confirmed its recent data breach stemmed from a single missed GitHub workflow token that was exfiltrated after malicious TanStack npm packages executed in its CI/CD environment. The company detected the intrusion on May 1, rotated most tokens, and launched its incident response, but one token was overlooked and allowed attackers repository access. Grafana says source code wasn't altered and no customer production systems were impacted.
read more →

Contractor Exposed CISA and GovCloud Credentials Publicly

🔒 A public GitHub repository tied to a suspected CISA contractor exposed plain-text credentials—AWS tokens, GitHub access tokens, Kubernetes files, workflows and internal documents—discovered on May 14 by GitGuardian. The repo, active since November 13, 2025, contained roughly 844 MB of data and was taken offline within a day after disclosure. CISA is investigating and reports no current indication of sensitive compromise. Experts recommend centralized secret management, automated secret scanning, strict vendor controls and MFA to prevent similar exposures.
read more →

AI Coding Fuels Secrets Sprawl, CISOs Struggle to Contain

🛡️ The rapid rise of AI-assisted and vibe coding is accelerating secrets sprawl, with developers and AI agents increasingly introducing credentials, tokens, and private data into code and collaboration tools. Security researchers from Wiz and independent analysts found a Jan. 28, 2026 Moltbook backend misconfiguration on Supabase that exposed 1.5 million API authentication tokens, tens of thousands of emails, and private messages. Organizations report that detection is outpacing remediation: many teams can find leaks but lack governance and processes to revoke, rotate, and purge secrets at scale. Experts urge treating the issue as identity governance, embedding security into the SDLC, and enforcing short-lived credentials and automated rotation.
read more →

Critical Ollama Flaw Risks Data Exposure on 300K Servers

🦙 A critical vulnerability in Ollama (CVE-2026-7482) allows unauthenticated attackers to upload a crafted GGUF model file and trigger an out-of-bounds heap read in the model quantization pipeline. The flaw can leak process memory — including system prompts, conversation history, environment variables, API keys, and other secrets — to remote servers. Update to Ollama 0.17.1 and restrict network access.
read more →

Cursor extension flaw exposes local API credentials

🔒 A high-severity vulnerability in the AI-powered development tool Cursor allows installed extensions to read sensitive credentials stored locally, researchers at LayerX report. The issue stems from Cursor keeping API keys, session tokens and cached configuration in an unprotected SQLite database rather than using OS keychains or encryption, and it does not restrict extension access. LayerX assigned the flaw a CVSS score of 8.2 and demonstrated silent exfiltration without user prompts. Cursor acknowledged the notice but said trust boundaries are the user's responsibility; as of 28 April 2026 the vulnerability remains unresolved.
read more →

Toxic Cross-App Permissions: AI Agents Create Risk

🔐 Researchers disclosed a major data exposure at Moltbook on January 31, 2026, revealing 35,000 emails and 1.5 million agent API tokens across 770,000 agents. Private messages contained plaintext third-party credentials, including OpenAI API keys, creating what the article calls a toxic combination — cross-app permissions that compound risk. The piece urges shifting review from single apps to the bridges between them and highlights procedural controls and dynamic SaaS security platforms like Reco to monitor runtime trust relationships and revoke risky tokens before exfiltration.
read more →

LLM-Generated Passwords Are Structurally Predictable

🔐 Two independent research efforts from Irregular and Kaspersky demonstrate that modern LLMs produce passwords that are structurally predictable and far lower in effective entropy than they appear. Models often repeat the same strings across sessions and conform to human-like patterns that fool standard strength meters. Autonomous coding agents are embedding these credentials into configuration files and repositories, and conventional secret scanners lack the means to detect them. Organizations should audit codebases, rotate suspect credentials, and require explicit use of cryptographically secure RNGs for all generated secrets.
read more →

LiteLLM Supply-Chain Turns Dev Machines into Vaults

🔒 TeamPCP's March 2026 compromise of LiteLLM packages on PyPI injected infostealer malware into versions 1.82.7 and 1.82.8 that ran during installs and updates. The malware harvested plaintext SSH keys, cloud credentials (AWS, Azure, GCP), Docker configs, IDE and agent memory files, and other local secrets, exploiting transitive dependencies. PyPI removed the packages within hours, but many downstream packages would have triggered execution. Use ggshield, pre-commit hooks, and filesystem scanning to detect and contain local secrets.
read more →

Anthropic's Claude Code Source Leaked via npm Packaging

🔓Anthropic confirmed that internal source code for its coding assistant Claude Code was inadvertently published after a packaging error when version 2.1.88 was released to npm. The package included a source map exposing nearly 2,000 TypeScript files and over 512,000 lines of code; the release has since been removed. Anthropic says no customer data or credentials were exposed and is implementing measures to prevent recurrence.
read more →

Anthropic Map File Error Exposes Claude Code Source

🔓 An Anthropic employee accidentally published a source map in a public npm package, which allowed the proprietary source for Claude Code to be reconstructed. Anthropic says this was a release packaging error and that no sensitive customer data or credentials were exposed, and that it is rolling out measures to prevent recurrence. Security experts warn that source maps reveal original code, comments, internal constants and prompts, making vulnerabilities and secrets easier to find; the same mistake reportedly occurred previously.
read more →

Anthropic accidentally publishes Claude Code source on NPM

🚨 Anthropic says it accidentally published the closed-source Claude Code source when an NPM release (v2.1.88) included a 60MB cli.js.map file that embedded original sources. The reconstructed tree contains roughly 1,900 files and 500,000 lines of code, and the leak has spread across GitHub and other platforms. Anthropic confirmed no customer data or credentials were exposed, called the incident a packaging error caused by human mistake, and is issuing DMCA takedowns while rolling out measures to prevent recurrence.
read more →