< ciso
brief />
Tag Banner

All news with #secret exposure tag

76 articles · page 2 of 4

State of Secrets Sprawl 2026: AI-Driven Credential Risk

🔒 GitGuardian's State of Secrets Sprawl 2026 shows leaks accelerated in 2025, uncovering 29 million new hardcoded secrets — a 34% year-over-year increase and the largest single-year jump recorded. The report highlights three core trends: AI-driven credential exposures, unexpectedly widespread internal-repo and collaboration-tool leaks, and persistent remediation failures. It urges a shift from detection to continuous non-human identity governance, secrets vaulting, and automated rotation to reduce attacker access.
read more →

Malicious Rust Crates and AI Bot Steal Developer Secrets

🛡️ Cybersecurity researchers uncovered five malicious Rust crates on crates.io that posed as time utilities while exfiltrating .env files to attacker infrastructure. The packages—chrono_anchor, dnp3times, time_calibrator, time_calibrators, and time-sync—were published in late February and early March 2026 and used a lookalike domain to collect secrets. Affected users should assume possible compromise: rotate keys, audit CI workflows, and limit outbound access from build systems.
read more →

South Korea NTS Publishes Seed Phrase, Loses $4.8M Crypto

🔑 South Korea's National Tax Service (NTS) accidentally included a photograph in a press release that exposed a handwritten cryptocurrency mnemonic seed phrase next to a seized Ledger device. Within hours the wallet holding roughly 4 million PRTG tokens (about US $4.8M) was emptied. The NTS removed the release and issued an apology; the incident underscores that publishing a wallet's seed phrase instantly nullifies any cold-storage security.
read more →

Korean Tax Service Exposes Wallet Seed, $4.8M Stolen

🔓 South Korea’s National Tax Service inadvertently exposed the mnemonic recovery phrase of a seized Ledger hardware wallet in a press release, enabling an attacker to drain approximately $4.8 million in crypto. The assets were confiscated during raids on 124 high-value tax evaders, but photos released by authorities showed a handwritten seed phrase that was not redacted. On-chain analysis shows the attacker deposited ETH for gas and moved 4 million Pre-Retogeum (PRTG) tokens to a new address in three transactions. The NTS removed the press release, and it is unclear whether a formal investigation has been launched.
read more →

Thousands of Google Cloud API Keys Expose Gemini Access

⚠️ Truffle Security found nearly 3,000 Google Cloud API keys (prefix "AIza") embedded in client-side code that can now authenticate to Gemini endpoints when a project enables the Generative Language API. Attackers scraping sites can use exposed keys to access uploaded files, cached contents, and make LLM calls that charge victims' accounts. Google says it has implemented measures to detect and block leaked keys and advises rotating and restricting exposed keys.
read more →

Silent Google API Key Change Exposed Gemini AI Data

🔒 Researchers at Truffle Security discovered that Google Cloud API keys, historically described as simple billing identifiers (prefix Aiza), began functioning as authentication tokens for embedded Gemini AI instances. A Common Crawl scan in November found 2,863 live, publicly exposed keys, including from major firms and Google itself, which could be used to retrieve uploaded files, cached context, or to consume API quota and incur charges. Google confirmed the issue after disclosure, restricted affected keys, and advises administrators to audit and rotate keys.
read more →

Exposed Google API keys can now reveal Gemini AI data

🔓 Google Cloud API keys that were once treated as non-sensitive can now authenticate to the Gemini generative AI assistant, creating a new attack path where keys embedded in client-side JavaScript expose private assistant data. TruffleSecurity discovered nearly 2,800 live, publicly accessible keys across sectors — including financial firms and a Google product — by scanning the November 2025 Common Crawl. Attackers who copy exposed keys can call Gemini endpoints to retrieve data or generate costly API usage; developers should audit projects for the Generative Language API, rotate exposed keys immediately, and use detection tools to prevent abuse.
read more →

Critical Claude Code Flaws Expose RCE and Key Theft

⚠️ Check Point researchers disclosed critical vulnerabilities, CVE-2025-59536 and CVE-2026-21852, in Anthropic’s Claude Code that allow remote code execution and theft of Anthropic API keys via malicious repository-level configuration files. The flaws can be triggered simply by cloning and opening an untrusted project; built-in mechanisms such as Hooks, MCP integrations, and environment variables may be abused to bypass trust controls, execute hidden shell commands, and redirect authenticated API traffic before user consent. Stolen keys can expose shared workspaces, modify or delete resources, and generate unauthorized costs, underscoring a shift in the AI supply chain threat model.
read more →

5 Million Apps Revealed: Secrets Hidden in JavaScript

🔍 Intruder scanned 5 million applications for secrets in built JavaScript bundles and found over 42,000 exposed tokens across 334 secret types. Many were active, high-risk credentials — including 688 repository tokens (GitHub/GitLab) and API keys for project management tools like Linear, some granting full access to private repos and CI/CD secrets. Traditional scanners, SAST, and DAST missed many of these because the secrets were introduced during build and lived only in bundled front-end code. The research highlights the urgent need for SPA spidering and explicit bundle scanning to prevent production leaks.
read more →

Moltbook Misconfiguration Exposes User Data and API

🔓 Security researchers at Wiz discovered a public Supabase API key in Moltbook’s client-side JavaScript that granted unauthenticated read/write access to the production database. The misconfiguration—absence of Row Level Security (RLS) policies—exposed around 1.5 million agent tokens, roughly 30,000 email addresses and thousands of private messages. With write privileges an attacker could impersonate any agent, inject malicious content or prompt-injection payloads, and deface the site. Moltbook’s developer has since remediated the issue after multiple rounds of fixes with Wiz.
read more →

Chainlit flaws enable cloud key leaks and SSRF risks

⚠️ Chainlit, a widely used open-source framework for building conversational AI chatbots, contained high-severity vulnerabilities that can expose arbitrary files and permit server-side request forgery, enabling data theft and lateral movement within compromised environments. Zafran Security identified two primary issues: CVE-2026-22218 (arbitrary file read, CVSS 7.1) and CVE-2026-22219 (SSRF with SQLAlchemy, CVSS 8.3). Both were responsibly disclosed on November 23, 2025 and patched in Chainlit 2.9.4 on December 24, 2025. Administrators should upgrade, audit deployments for misuse, and rotate any potentially exposed credentials.
read more →

Chainlit vulnerabilities expose files and enable SSRF

🔒 Chainlit, a widely used framework for building conversational AI applications, contained two server-side vulnerabilities (CVE-2026-22218 and CVE-2026-22219) that allow authenticated users to read arbitrary files and trigger SSRF in affected deployments. The flaws stem from insufficient validation of user-controlled properties in custom elements and SQLAlchemy-backed storage. Combined, they can expose environment variables, cached prompts, API keys and cloud metadata, enabling lateral movement beyond the app layer. Chainlit released 2.9.4 on 24 December 2025 and users are advised to apply the patch immediately; temporary WAF signatures were published as mitigation.
read more →

Why secrets in JavaScript bundles remain exposed at scale

🔐 Intruder's research scanned roughly 5 million web applications and identified over 42,000 exposed tokens across 334 secret types, revealing widespread leakage in front-end JavaScript bundles. The report shows how traditional path-and-regex scanners, many SAST tools, and some DAST deployments miss secrets introduced during build and deployment, especially in SPAs. High-impact findings included active GitHub/GitLab personal access tokens, project-management API keys, and hundreds of live webhooks; Intruder developed automated SPA secrets detection to close these gaps.
read more →

Ni8mare: Critical RCE and data-exposure bug in n8n instances

⚠️ A maximum-severity vulnerability (CVE-2026-21858, 10/10) lets unauthenticated remote attackers fully compromise self-hosted n8n instances by exploiting a content-type parsing flaw in webhook/form handling. Cyera reports more than 100,000 vulnerable servers. The bug allows attackers to control file metadata in req.body.files, enabling arbitrary file reads, secret exfiltration, session forgery and potential command execution. n8n recommends updating to 1.121.0 and restricting public webhook endpoints.
read more →

Columbia Weather Systems MicroServer Vulnerabilities

⚠️ Columbia Weather Systems’ MicroServer firmware contains multiple vulnerabilities that could let an attacker redirect SSH connections, expose vendor and user secrets stored on an unencrypted SD card, and obtain a limited interactive shell with elevated file privileges. Affected devices run firmware versions prior to MS_4.1_14142. Columbia Weather Systems recommends updating to MS_4.1_14142 or later and contacting support for assistance; CISA advises minimizing network exposure, isolating control networks, and using secure remote access such as up-to-date VPNs. No known targeted public exploitation has been reported; UsrPacific reported these issues to CISA.
read more →

Trust Wallet Chrome Extension Hack Drains $8.5M in Dec

🔒 Trust Wallet disclosed that a second wave of the Shai‑Hulud supply chain attack exposed developer GitHub secrets, including a Chrome Web Store API key, enabling attackers to upload a trojanized extension build directly. The malicious update (v2.68) pushed a backdoor that harvested wallet mnemonic phrases to a domain registered as metrics-trustwallet[.]com, leading to the theft of about $8.5 million from 2,520 addresses. Trust Wallet urged users to update to v2.69, launched a reimbursement claim process, and said it has implemented additional monitoring and controls to strengthen its release procedures.
read more →

Leaked Home Depot GitHub Token Exposed Internal Systems

🔓 A security researcher reported that a Home Depot employee accidentally published a private GitHub access token in early 2024, which granted access to private repositories and cloud infrastructure. When tested, the token allowed write permissions to Home Depot repos and access to order fulfillment and inventory systems. The researcher said multiple disclosure emails went unanswered; the token was removed after TechCrunch contacted the company.
read more →

Exposed GitHub PATs Enable Access to Cloud Secrets

🔒 Recent research from the Wiz Customer Incident Response Team shows attackers are using exposed GitHub Personal Access Tokens (PATs) to retrieve GitHub Action Secrets and pivot into cloud environments. A read-level PAT can leverage GitHub’s API code search to locate secret references like "${{ secrets.SECRET_NAME }}" — and because those search API calls are not logged, discovery is stealthy. Once obtained, cloud provider credentials let attackers spin up resources, exfiltrate data, install malware, or persist while often evading detection. Organizations should treat PATs as privileged credentials: enforce expiration and rotation, remove cloud secrets from workflows, apply least privilege, and improve monitoring and developer training.
read more →

Coupang Exposes 33.7M Accounts Due to Key Mismanagement

🔒 Coupang disclosed an unauthorized exposure affecting approximately 33.7 million user accounts, an incident investigators trace to long‑neglected token signing keys in its authentication infrastructure. Leaked records reportedly included names, email addresses, shipping address lists and some order details; payment and login credentials were not exposed. Authorities and a joint public-private investigation are probing the breach and potential regulatory violations, and a former authentication engineer is the prime suspect.
read more →

Public GitLab Repositories Exposed 17,000+ Secrets

🔒 After scanning all 5.6 million public repositories on GitLab Cloud, a security engineer discovered more than 17,000 exposed secrets across over 2,800 unique domains. Using the open-source tool TruffleHog and an AWS-driven pipeline (SQS queue and Lambda workers), the researcher completed the scan in just over 24 hours at a cost of $770. Notifications were automated with Claude Sonnet 3.7 and scripts; affected parties revoked many credentials and the researcher collected $9,000 in bug bounties, though some secrets remain exposed.
read more →