< ciso brief />

All news with the #secrets scanning tag

5 articles

Betterleaks: Advanced Open-Source Successor to Gitleaks

πŸ”Betterleaks is a new open-source secrets scanner developed by Zach Rice and supported by Aikido Security as the successor to Gitleaks. It inspects directories, files, and Git repositories using rule-defined validation with CEL and a token-efficiency approach based on BPE tokenization. Implemented in pure Go to avoid CGO/Hyperscan dependencies, Betterleaks adds automatic decoding of doubly/triply encoded secrets, expanded provider rules, and parallelized Git scanning for faster analysis. The project is MIT-licensed and maintained by a small, cross-industry team.

5 Million Apps Revealed: Secrets Hidden in JavaScript

πŸ” Intruder scanned 5 million applications for secrets in built JavaScript bundles and found over 42,000 exposed tokens across 334 secret types. Many were active, high-risk credentials β€” including 688 repository tokens (GitHub/GitLab) and API keys for project management tools like Linear, some granting full access to private repos and CI/CD secrets. Traditional scanners, SAST, and DAST missed many of these because the secrets were introduced during build and lived only in bundled front-end code. The research highlights the urgent need for SPA spidering and explicit bundle scanning to prevent production leaks.
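As an added illustration of the two techniques discussed above (scanning built bundles for provider-shaped tokens, and peeling nested encodings before matching), here is a small Python scanner. It is not Intruder's, Betterleaks' or Gitleaks' code; the provider patterns are simplified assumed shapes rather than official rule sets, the sample bundle is constructed, and every token in it is fake (the AWS key is the one from AWS's own documentation examples).

```python
"""Scan a built JavaScript bundle for secrets, peeling nested base64 layers.

Added illustration; not Intruder's, Betterleaks' or Gitleaks' code. RULES are
simplified, assumed token shapes. SAMPLE_BUNDLE is constructed and every token
in it is fake.
"""
import base64
import binascii
import math
import re
from dataclasses import dataclass

# Assumed provider shapes (simplified; not the vendors' official rule sets).
RULES = {
    "github-pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "gitlab-pat": re.compile(r"\bglpat-[A-Za-z0-9_-]{20}\b"),
    "linear-api-key": re.compile(r"\blin_api_[A-Za-z0-9]{40}\b"),
    "aws-access-key-id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
}
# Base64 runs long enough to hide an encoded secret; padding is optional.
B64_RUN = re.compile(r"[A-Za-z0-9+/]{24,}={0,2}")


@dataclass(frozen=True)
class Finding:
    rule: str
    secret: str
    depth: int  # 0 = plaintext, 1 = base64 once, 2 = twice, ...


def shannon_entropy(s: str) -> float:
    """Bits per character; placeholders such as ghp_000... score low."""
    n = len(s)
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def try_b64_decode(chunk: str):
    """Return decoded text if chunk is valid base64 of printable ASCII."""
    try:
        text = base64.b64decode(chunk, validate=True).decode("ascii")
    except (binascii.Error, ValueError, UnicodeDecodeError):
        return None
    if not all(ch.isprintable() or ch in "\r\n\t" for ch in text):
        return None
    return text


def scan_text(text: str, depth: int = 0, max_depth: int = 3,
              min_entropy: float = 3.0) -> list:
    """Match rules at this layer, then recurse into decodable base64 runs."""
    findings = []
    for rule, pattern in RULES.items():
        for m in pattern.finditer(text):
            # Entropy gate drops zero-filled or repeated-character placeholders.
            if shannon_entropy(m.group(0)) >= min_entropy:
                findings.append(Finding(rule, m.group(0), depth))
    if depth < max_depth:
        for m in B64_RUN.finditer(text):
            decoded = try_b64_decode(m.group(0))
            if decoded and decoded != m.group(0):
                findings.extend(scan_text(decoded, depth + 1, max_depth, min_entropy))
    return findings


def redact(secret: str) -> str:
    """Keep enough of a finding to triage it without re-leaking it in logs."""
    return secret[:8] + "..." + secret[-4:]


# Constructed minified bundle: a fake GitHub PAT, a zero-filled placeholder
# that must be ignored, a fake Linear key, and the AWS documentation example
# key base64-encoded twice, as a bundler might leave an atob(atob(...)) call.
_INNER = base64.b64encode(b"AKIAIOSFODNN7EXAMPLE").decode()
_OUTER = base64.b64encode(_INNER.encode()).decode()
SAMPLE_BUNDLE = (
    '!function(){var e="https://api.github.com/user",'
    't="ghp_16C7e42F292c6912E7710c838347Ae178B4a",'
    'p="ghp_000000000000000000000000000000000000",'
    'l="lin_api_0123456789abcdef0123456789abcdef01234567",'
    f'k=atob(atob("{_OUTER}"));'
    'fetch(e,{headers:{Authorization:"token "+t}})}();'
)


def scan_bundle(js: str) -> list:
    return scan_text(js)


if __name__ == "__main__":
    for f in scan_bundle(SAMPLE_BUNDLE):
        print(f"{f.rule:18} depth={f.depth} {redact(f.secret)}")
```

Run against the constructed bundle, the scanner reports the GitHub PAT and the Linear key at depth 0 and the AWS key only at depth 2; the zero-filled placeholder matches the GitHub regex but is dropped by the entropy gate. In practice the bundle text comes from spidering the deployed SPA and fetching every script it references, and a hit on the decoded layers is the case that a scanner run only over the source repository cannot see.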

Over 10,000 Docker Hub Images Expose Live Secrets Globally

🔒 A November scan by threat-intelligence firm Flare found 10,456 Docker Hub images exposing credentials, including live API tokens for AI models and production systems. The exposures span roughly 101 organizations, from SMBs to a Fortune 500 company and a major national bank, and typically trace back to familiar mistakes: committed .env files, hard-coded tokens, and secrets baked into Docker manifests. Flare urges immediate revocation of every exposed key, centralized secrets management, and continuous scanning throughout the SDLC so that leaked credentials are not left usable for months.

Shai-Hulud 2.0 NPM malware exposed 400,000 developer secrets

🔒 Wiz researchers report that the second Shai-Hulud wave of npm malware infected hundreds of packages and exposed roughly 400,000 raw secrets across some 30,000 GitHub repositories. TruffleHog verified about 10,000 of those secrets as live, and Wiz found that more than 60% of the leaked npm tokens were still valid as of 1 December, leaving working credentials in attackers' hands. The payload ran from the preinstall lifecycle hook (node setup_bun.js), affected more than 800 package versions, and carried a conditional wipe of the victim's home directory. A handful of packages, notably @postman/tunnel-agent@0.6.7 and @asyncapi/specs@6.8.3, accounted for the bulk of infections, which suggests that targeted mitigation of those few could have cut the impact sharply.

Supply-Chain Attack Trojanizes Over 40 npm Packages

🚨 Security researchers say a new software supply-chain campaign has trojanized more than 40 npm packages by injecting a malicious bundle.js into republished releases. The file installs a downloader that runs TruffleHog against the host to harvest secrets and cloud credentials, on both Windows and Linux developer machines. Vendors advise maintainers to audit their environments, rotate tokens, and remove the affected versions to stop the ongoing exfiltration.
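The two npm items above share one mechanism: code that executes from an npm lifecycle hook at install time (Shai-Hulud 2.0's preinstall running node setup_bun.js, and the 40-package campaign's injected bundle.js). The following Python audit walks an installed node_modules tree for those indicators. It is an added example, not Wiz's, TruffleHog's or any vendor's tool; the two name@version pairs come from the article summary, while the other package names and the loader files it writes are hypothetical, harmless stand-ins constructed for the demo.

```python
"""Audit a node_modules tree for install-time trojan indicators.

Added illustration for the two npm items above; not Wiz's, TruffleHog's or any
vendor's tool. Only @asyncapi/specs@6.8.3 and @postman/tunnel-agent@0.6.7 come
from the page; the other package names are hypothetical and the loader files
written by build_sample_tree are harmless stand-ins.
"""
import json
import tempfile
from dataclasses import dataclass
from pathlib import Path
from typing import List, Optional

LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall")
# Loader filenames named on the page: Shai-Hulud 2.0 ran setup_bun.js from
# preinstall; the 40-package campaign dropped bundle.js.
SUSPICIOUS_FILES = ("setup_bun.js", "bundle.js")
# name@version pairs the page reports as the main infection vectors.
KNOWN_BAD = {("@postman/tunnel-agent", "0.6.7"), ("@asyncapi/specs", "6.8.3")}


@dataclass(frozen=True)
class Finding:
    package: str
    version: str
    reason: str


def local_script_run_by(command: str) -> Optional[str]:
    """Return the .js file a hook passes to node, e.g. 'node setup_bun.js'."""
    tokens = command.replace("&&", " ").replace(";", " ").split()
    for prog, arg in zip(tokens, tokens[1:]):
        if prog == "node" and arg.endswith(".js"):
            return arg
    return None


def audit_package(pkg_dir: Path) -> List[Finding]:
    """Check one installed package: version, lifecycle hooks, loader files."""
    meta = json.loads((pkg_dir / "package.json").read_text())
    name = meta.get("name", "?")
    version = meta.get("version", "?")
    out = []
    if (name, version) in KNOWN_BAD:
        out.append(Finding(name, version, "known compromised version"))
    for hook in LIFECYCLE_HOOKS:
        cmd = meta.get("scripts", {}).get(hook)
        if cmd and local_script_run_by(cmd):
            out.append(Finding(name, version, f"{hook} hook runs a local script: {cmd}"))
    for fname in SUSPICIOUS_FILES:
        if (pkg_dir / fname).is_file():
            out.append(Finding(name, version, f"loader file present: {fname}"))
    return out


def audit_node_modules(node_modules: Path) -> List[Finding]:
    """Walk every package.json under node_modules, nested installs included."""
    findings = []
    for manifest in sorted(node_modules.rglob("package.json")):
        findings.extend(audit_package(manifest.parent))
    return findings


def build_sample_tree(root: Path) -> Path:
    """Constructed node_modules: two 'infected' packages and two clean ones."""
    samples = {
        "@asyncapi/specs": ("6.8.3", {"preinstall": "node setup_bun.js"}, "setup_bun.js"),
        "example-trojanized-pkg": ("9.9.9", {"postinstall": "node bundle.js"}, "bundle.js"),
        "native-addon-sample": ("1.0.0", {"postinstall": "node-gyp rebuild"}, None),
        "plain-lib": ("2.0.0", {}, None),
    }
    nm = root / "node_modules"
    for name, (version, scripts, loader) in samples.items():
        pkg_dir = nm / name
        pkg_dir.mkdir(parents=True)
        manifest = {"name": name, "version": version, "scripts": scripts}
        (pkg_dir / "package.json").write_text(json.dumps(manifest))
        if loader:
            (pkg_dir / loader).write_text("// harmless stand-in for the real loader\n")
    return nm


def demo() -> List[Finding]:
    """Build the constructed tree in a temp dir and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        return audit_node_modules(build_sample_tree(Path(tmp)))


if __name__ == "__main__":
    for f in demo():
        print(f"{f.package}@{f.version}: {f.reason}")
```

The hook check is deliberately broad: it will also surface a legitimate package whose postinstall runs a local script, and that is the point, since every such hook executes with the developer's privileges and deserves a look. A native addon that runs node-gyp is not flagged, because no .js file is handed to node. In a real sweep the KNOWN_BAD set would be fed from a current IOC list, and the same logic can be pointed at a fresh install in a throwaway container before the packages ever touch a workstation.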