< ciso
brief />
Tag Banner

All news with #secret exposure tag

76 articles · page 3 of 4

November 2025 security roundup: leaks, ransomware, policing

🔍 In his November roundup, ESET Chief Security Evangelist Tony Anscombe highlights major cybersecurity developments that warrant attention. He draws attention to Wiz's finding that API keys, tokens and other sensitive credentials were exposed in repositories at several leading AI companies, and to a joint advisory revealing the Akira ransomware group's estimated $244 million takings. Tony also flags privacy concerns around X's new location feature, outlines how Australia intends to enforce a proposed under‑16 social media ban, and notes a Europol/Eurojust operation that disrupted malware families including Rhadamanthys.
read more →

OnSolve CodeRED Cyberattack Disrupts U.S. Alert Systems

🚨 Crisis24 confirmed its CodeRED emergency-notification platform was breached, disrupting alerts for state and local governments, police, and fire agencies nationwide. The company decommissioned the legacy environment and is rebuilding from a March 31, 2025 backup, so recent accounts may be missing. Crisis24 says the incident was contained to CodeRED, but names, addresses, emails, phone numbers and passwords were stolen; no public posting has been confirmed.
read more →

Developers Exposed Large Cache of Credentials Online

🔒 Security researchers at watchTowr discovered that two popular code utility sites — JSON Formatter and Code Beautify — inadvertently exposed thousands of developer submissions containing sensitive secrets and credentials. By querying a public API and the sites’ “Recent Links” listings, the team extracted over 80,000 submissions spanning years, including API keys, private keys, database and cloud credentials, JWTs, and PII. The exposure remained until the sites disabled the save feature; watchTowr also confirmed active scraping by third parties and reported limited response from affected organizations.
read more →

Years of JSONFormatter and CodeBeautify Credentials Leak

🔒 New research from watchTowr Labs found over 80,000 files saved to online code-formatting tools, exposing thousands of passwords, API keys, repository tokens and other sensitive credentials across government, telecoms, finance, healthcare and critical infrastructure. The datasets comprise five years of JSONFormatter content and one year of CodeBeautify content (about 5GB), and both services used predictable, shareable URLs and a Recent Links page that made mass crawling trivial. Researchers uploaded decoy AWS keys that were abused within 48 hours, and both sites have temporarily disabled save functionality while implementing enhanced content-prevention measures.
read more →

Code formatters left 80,000+ secrets exposed publicly

🔓 Researchers at external attack surface management firm watchTowr discovered more than 80,000 JSON snippets saved via JSONFormatter and CodeBeautify's unprotected Recent Links feature, exposing credentials, private keys, tokens, and configuration files. The platforms generated predictable, shareable URLs when users saved snippets and stored them without access controls, allowing anyone to scrape content via the services' APIs. Leaked material spans government, finance, healthcare, telecoms, and other sensitive sectors. watchTowr's Canarytoken test showed attackers accessed planted fake AWS keys after links had expired, indicating active scanning.
read more →

Code-formatters leak credentials from major organizations

🔓 Researchers discovered that the code-formatting services JSONFormatter and CodeBeautify exposed more than 80,000 user-saved JSON pastes totaling over 5GB via an unprotected Recent Links feature. The listings and predictable URLs allowed simple crawlers to enumerate and retrieve sensitive data including credentials, API keys, private keys, and PII. The findings show active scraping and confirmed access attempts after uploads expired.
read more →

Opto 22 groov View: API exposes user API keys and metadata

🔒 CISA warns that Opto 22's groov View API exposes API keys and user metadata through a users endpoint that returns keys for all accounts to any principal with an Editor role. The issue affects groov View Server for Windows R1.0a–R4.5d and GRV‑EPIC‑PR1/PR2 firmware prior to 4.0.3. Successful exploitation could disclose credentials, reveal keys, and enable privilege escalation; Opto 22 has released patches and recommends upgrading to Server R4.5e and firmware 4.0.3 alongside network-level mitigations.
read more →

AI startups expose API keys on GitHub, risking models

🔐 New research by cloud security firm Wiz found verified secret leaks in 65% of the Forbes AI 50, with API keys and access tokens exposed on GitHub. Some credentials were tied to vendors such as Hugging Face, Weights & Biases, and LangChain, potentially granting access to private models, training data, and internal details. Nearly half of Wiz’s disclosure attempts failed or received no response. The findings highlight urgent gaps in secret management and DevSecOps practices.
read more →

65% of Top Private AI Firms Exposed Secrets on GitHub

🔒 A Wiz analysis of 50 private companies from the Forbes AI 50 found that 65% had exposed verified secrets such as API keys, tokens and credentials across GitHub and related repositories. Researchers employed a Depth, Perimeter and Coverage approach to examine commit histories, deleted forks, gists and contributors' personal repos, revealing secrets standard scanners often miss. Affected firms are collectively valued at over $400bn.
read more →

Hyundai AutoEver America: SSNs and IDs Exposed in Systems

🔐 Hyundai AutoEver America (HAEA) says hackers breached its IT environment, with the intrusion discovered on March 1, 2025. The investigation found unauthorized access dating back to February 22, 2025, and last observed activity on March 2, 2025. Affected data reportedly includes names and, according to the Massachusetts portal, Social Security numbers and driver's licenses. HAEA engaged external cybersecurity experts and law enforcement; the scope and number of individuals impacted remain unclear.
read more →

Open VSX Rotates Leaked Tokens After Supply-Chain Attack

🔒 Open VSX rotated access tokens after developers accidentally leaked credentials in public repositories, a lapse that allowed attackers to publish malicious VS Code–compatible extensions in a supply‑chain campaign. The Eclipse Foundation says the threat, linked to a campaign dubbed GlassWorm, was contained by Oct 21 after malicious extensions were removed and tokens revoked. The registry plans shorter token lifetimes, faster revocation workflows, automated publication scans, and increased collaboration with other marketplaces to reduce future risk.
read more →

Eclipse Foundation Revokes Leaked Open VSX Tokens Promptly

🔒 The Eclipse Foundation said it revoked a small number of Open VSX access tokens after Wiz reported several VS Code extensions had inadvertently exposed credentials in public repositories. The exposures were attributed to developer error, not an Open VSX infrastructure compromise. Open VSX introduced an ovsxp_ token prefix, removed flagged extensions, reduced default token lifetimes, and plans automated scans to bolster supply‑chain defenses.
read more →

Over 100 VS Code Extensions Leaked Access Tokens Exposed

🔒 Wiz researchers found that publishers of over 100 Visual Studio Code extensions leaked personal access tokens and other secrets that could allow attackers to push malicious extension updates across large install bases. The team validated more than 550 secrets across 500+ extensions spanning 67 types, including AI provider keys, cloud credentials, database and payment secrets. Over 100 extensions exposed Marketplace PATs (≈85,000 installs) and ~30 exposed Open VSX tokens (≈100,000 installs); many flagged packages were themes and hard-coded secrets in .vsix files were often discoverable. Microsoft revoked leaked tokens after disclosure and is adding secret-scanning; users and organizations were advised to limit extensions, vet packages, maintain inventories, and consider centralized allowlists.
read more →

SonicWall: Cloud backup breach exposed all firewall configs

🔒 SonicWall confirmed that unauthorized actors accessed firewall configuration backup files stored in its cloud backup portal, impacting all customers who used the service. The exposed .EXP files contain AES-256-encrypted credentials and other configuration data. Customers should log into MySonicWall to check impacted devices and follow the vendor's Essential Credential Reset checklist, prioritizing internet-facing firewalls.
read more →

GitHub Copilot Chat prompt injection exposed secrets

🔐 GitHub Copilot Chat was tricked into leaking secrets from private repositories through hidden comments in pull requests, researchers found. Legit Security researcher Omer Mayraz reported a combined CSP bypass and remote prompt injection that used image rendering to exfiltrate AWS keys. GitHub mitigated the issue in August by disabling image rendering in Copilot Chat, but the case underscores risks when AI assistants access external tools and repository content.
read more →

OneLogin API Bug Exposed OIDC Client Secrets in 2025

🔒Clutch Security disclosed a high-severity flaw in the One Identity OneLogin IAM platform that could leak OpenID Connect (OIDC) application client_secret values when queried with valid API credentials. The issue, tracked as CVE-2025-59363 with a CVSS score of 7.7, stemmed from the /api/2/apps endpoint returning secrets alongside app metadata. OneLogin remedied the behavior in OneLogin 2025.3.0 after responsible disclosure; administrators should apply the update, rotate exposed API and OIDC credentials, tighten RBAC scopes, and enable network-level protections such as IP allowlisting where available.
read more →

Lean Security Teams Elevate Risk from Hardcoded Secrets

🔒 As organizations shrink and security teams tighten, hardcoded secrets have become a critical, costly blind spot that manual processes can no longer manage. The article cites rising credential-driven breaches, a 292‑day average containment window, and steep financial impacts when secrets are exposed. It contends that precision remediation — contextual ownership, integrated workflows, and automated rotation — is essential to reduce remediation from weeks to hours and to curb analyst overhead. GitGuardian is presented as an example of this targeted remediation approach.
read more →

Companies Affected by the Shai-Hulud NPM Supply Chain

🔎 From Sept 14–16, more than 180 NPM packages were compromised in the Shai-Hulud worm. The malware propagated by pushing malicious changes to other packages and exfiltrated secrets by publishing data to public GitHub repositories. Using the GitHub Events Archive, UpGuard identified 207 affected repos (175 labeled "Shai-Hulud Migration", 33 "Shai-Hulud Repository"), mapping to 37 users and a set of corporate employers. Affected developers have removed leaked files, but organizations should still audit exposed repos and rotate secrets.
read more →

Cursor autorun flaw lets repos execute arbitrary code

🔓 Oasis Security disclosed a flaw in Cursor that allows malicious repositories to execute code when a developer opens a folder. The vulnerability stems from Workspace Trust being disabled by default, permitting crafted .vscode/tasks.json entries set to run on folder open to autorun without prompting. Successful exploitation can expose API keys, cloud credentials and local secrets, risking organization-wide compromise.
read more →

GitHub Actions workflows abused in 'GhostAction' campaign

🔒 GitGuardian disclosed a campaign called "GhostAction" that tampers with GitHub Actions workflows to harvest and exfiltrate secrets to attacker-controlled domains. Attackers modified workflow files to enumerate repository secrets, hard-code them into malicious workflows, and forward credentials such as container registry and cloud provider keys. The researchers say 3,325 secrets from 327 users across 817 repositories were stolen, and they published IoCs while urging maintainers to review workflows, rotate exposed credentials, and tighten Actions controls.
read more →