< ciso
brief />

All news with #secrets scanning tag

9 articles

TrapDoor campaign raises developer workstation risk

🛡️ Researchers uncovered the TrapDoor campaign, a cross-registry malicious package operation affecting npm, PyPI, and Crates.io that targets developer workflows and AI coding assistant files. The packages exfiltrated secrets such as AWS credentials, GitHub tokens, SSH keys, browser data, and local dev configs by abusing normal execution points like postinstall scripts, import-time execution, and Rust build scripts. Analysts warn this workflow-focused approach enables persistence and lateral movement into CI/CD and cloud infrastructure, recommending stronger install-time scanning, least-privilege credentials, endpoint hardening, and AI tooling governance.

Local-first dependency scanning to reduce developer risk

🔍 CVE Lite CLI is an OWASP-backed, open-source scanner for JavaScript and TypeScript lockfiles that emphasizes local, early feedback for dependency vulnerabilities. The tool inspects npm, pnpm, and Yarn lockfiles using OSV data, distinguishes direct vs transitive issues, and recommends practical upgrade paths. It is designed as a lightweight developer tool complementing, not replacing, enterprise SCA platforms and intentionally keeps core vulnerability analysis deterministic while offering AI as an explanatory layer.

Npm Supply-Chain Malware Uses Worm-Like Propagation

🐛 Researchers from Socket have identified malicious npm packages that execute during installation to harvest credentials and developer artifacts, then attempt worm-like propagation across ecosystems. The payload targets cloud and CI/CD tokens, SSH keys, .npmrc files, browser profiles and crypto wallets, exfiltrating data via HTTPS webhooks and ICP endpoints. It attempts to republish compromised packages using stolen npm tokens and can also generate PyPI payloads via .pth injection. The campaign leverages blockchain-hosted canisters for C2 and remains under active investigation.

Bitwarden CLI Compromised via Checkmarx Supply-Chain Attack

🔒 JFrog and Socket report that the Bitwarden CLI package @bitwarden/cli@2026.4.0 was briefly published with malicious code in a file named bw1.js, following a compromised GitHub Action in Bitwarden’s CI/CD pipeline. The rogue release was designed to harvest GitHub/npm tokens, .ssh keys, .env files, shell history and other secrets, then exfiltrate them to private domains and via GitHub commits. Bitwarden confirmed the incident, stated there is no evidence that end-user vault data or production systems were accessed, and said the malicious npm release was deprecated, compromised access revoked, remediation steps initiated, and a CVE is being issued.

Betterleaks: Advanced Open-Source Successor to Gitleaks

🔐 Betterleaks is a new open-source secrets scanner developed by Zach Rice and supported by Aikido Security as the successor to Gitleaks. It inspects directories, files, and Git repositories using rule-defined validation with CEL and a token-efficiency approach based on BPE tokenization. Implemented in pure Go to avoid CGO/Hyperscan dependencies, Betterleaks adds automatic decoding of doubly/triply encoded secrets, expanded provider rules, and parallelized Git scanning for faster analysis. The project is MIT-licensed and maintained by a small, cross-industry team.

5 Million Apps Revealed: Secrets Hidden in JavaScript

🔍 Intruder scanned 5 million applications for secrets in built JavaScript bundles and found over 42,000 exposed tokens across 334 secret types. Many were active, high-risk credentials — including 688 repository tokens (GitHub/GitLab) and API keys for project management tools like Linear, some granting full access to private repos and CI/CD secrets. Traditional scanners, SAST, and DAST missed many of these because the secrets were introduced during build and lived only in bundled front-end code. The research highlights the urgent need for SPA spidering and explicit bundle scanning to prevent production leaks.

Over 10,000 Docker Hub Images Expose Live Secrets Globally

🔒 A November scan by threat intelligence firm Flare found 10,456 Docker Hub images exposing credentials, including live API tokens for AI models and production systems. The leaks span about 101 organizations — from SMBs to a Fortune 500 company and a major national bank — and often stem from mistakes like committed .env files, hardcoded tokens, and Docker manifests. Flare urges immediate revocation of exposed keys, centralized secrets management, and active SDLC scanning to prevent prolonged abuse.

Shai-Hulud 2.0 NPM malware exposed 400,000 developer secrets

🔒 Wiz researchers say the second Shai-Hulud NPM malware wave infected hundreds of packages and exposed roughly 400,000 raw secrets across some 30,000 GitHub repositories. Although TruffleHog verified about 10,000 secrets, Wiz found over 60% of leaked NPM tokens still valid as of Dec 1, leaving active credentials at risk. The payload propagated via the preinstall event (node setup_bun.js), affected over 800 package versions, and included a conditional destructive home-directory wipe. A small number of packages — notably @postman/tunnel-agent@0.6.7 and @asyncapi/specs@6.8.3 — represented the bulk of infections, indicating targeted mitigation could have sharply reduced impact.

Supply-Chain Attack Trojanizes Over 40 npm Packages

🚨 Security researchers say a new software supply chain campaign has compromised more than 40 npm packages by injecting a malicious bundle.js into republished releases. The trojan installs a downloader that executes TruffleHog to scan hosts for secrets and cloud credentials, targeting both Windows and Linux developer environments. Vendors warn maintainers to audit environments, rotate tokens, and remove affected versions to prevent ongoing exfiltration.