Thanks to visit codestin.com
Credit goes to appsec.fyi

appsec.fyi

Secrets & Credential Leaks Resources

Post Share

A curated AppSec resource library covering XSS, SQLi, SSRF, IDOR, RCE, XXE, OSINT, and more.

Secrets & Credential Leaks

Secrets management and credential leak prevention address one of the most common and impactful security failures in modern software development. Hardcoded API keys, database passwords, cloud credentials, and private keys regularly appear in source code repositories, CI/CD configurations, container images, client-side JavaScript, and log files. Tools like TruffleHog, GitLeaks, and GitHub Secret Scanning detect exposed credentials in repositories, while vault solutions like HashiCorp Vault, AWS Secrets Manager, and cloud KMS services provide secure runtime secret injection. The impact of leaked credentials can be devastating — exposed AWS keys can lead to full cloud account compromise within minutes, and leaked database credentials can result in complete data breaches. Prevention requires secrets scanning in CI/CD pipelines, pre-commit hooks, environment-based secret injection, and credential rotation policies.

Read the Secrets guideA long-form, source-cited deep dive synthesized from every resource below.
Date Added Link Excerpt
2026-07-04 NEW 2026GitHub Secret Scanning Now Watches All Public Repos for Leaked Enterprise Keys news 9 min readLibrary updates now expand GitHub's secret scanning to all public repositories, addressing the crisis of leaked enterprise keys, particularly those generated by AI coding agents, which surge 81% according to GitGuardian. This feature, Public Monitoring, attributes found credentials back to their originating enterprise using verified domain matching and GitHub's native identity graph, bridging the gap where traditional org-scoped scanners failed to detect leaks from personal accounts or open-source contributions. This retrospective, perimeter-agnostic layer complements existing push protection and AI coding agent scanning, enhancing defenses against credential exposure across platforms like GitHub. → techtimes.com
2026-07-02 NEW 20266 security settings every GitHub maintainer should enable this week beginner 4 min read Bug BountyGuide to six essential GitHub security settings: enable a `SECURITY.md` file and private vulnerability reporting for clear communication, turn on secret scanning with push protection to prevent leaks like those identified by GitGuardian, and leverage Dependabot and dependency review to manage vulnerable packages. Additionally, implement code scanning with CodeQL for static analysis to catch bugs such as SQL injection, and enforce branch protection on your default branch to require pull requests and approvals, significantly hardening your project against common attacks. → github.blog
2026-06-28 2026AI Is the Newest Developer To Misunderstand Secrets In Your Git History intermediate 7 min readLibrary for securing Git repositories, teaching AI coding agents like Cursor, Claude Code, and Codex how to properly handle secrets and avoid leaking them into commit history. It emphasizes rotating credentials first and using tools like `git-filter-repo` for thorough history cleanup. The library integrates with AI assistants through Agent Skills and AI hooks, enabling pre-commit scanning and real-time checks on prompts, commands, and outputs, preventing secrets from entering the repository in the first place. → blog.gitguardian.com
2026-06-27 2026CargoWise WebTracker - The keys were in the cargo intermediate 16 min readLibrary for securing CargoWise WebTracker, a logistics platform. This resource details hardcoded symmetric keys (3DES and AES-256-CBC) used for encrypting query string parameters and authentication tokens. It demonstrates how these keys enable authentication bypass via an "auto-login" feature and session persistence on handler endpoints, potentially allowing unauthorized access to sensitive shipment and booking information.
2026-06-25 2026Compromised GitHub action codfish/semantic-release-action steals CI/CD secrets news 4 min read Supply ChainAnalysis of the compromised `codfish/semantic-release-action` GitHub Action details how an attacker used tag hijacking and a malicious `index.js` payload to steal CI/CD secrets. The injected JavaScript leverages the Miasma credential-stealing toolkit and a dead drop marker string, `thebeautifulsnadsoftime`, to achieve remote code execution on CI runners. Affected tags include `v2`, `v3`, `v4`, and `v5`. → aikido.dev
2026-06-25 2026Hunting Leaked PyPI Tokens: 62 Live, 125 Packages Exposed intermediate 4 min read Python Supply ChainAnalysis of leaked PyPI tokens reveals 62 live tokens, capable of compromising 125 packages with approximately 25,000 monthly downloads. While GitHub's automated scanning should revoke these, many recent leaks suggest potential gaps in coverage. The research utilized the `pypitoken` Python module to decode macaroon tokens and mimicked `twine upload` behavior to verify token validity, highlighting the continued risk of supply chain attacks through exposed credentials. → blog.gitguardian.com
2026-06-24 2026When a vendor's breach becomes yours: lessons from the Klue incident news 2 min read Supply ChainWriteup detailing the Klue incident, where an abandoned, inactive integration credential led to a breach. The attacker leveraged this to harvest OAuth tokens, gaining access to connected customer systems like Salesforce and exfiltrating CRM data. This cascaded impact highlights the risks in SaaS ecosystems, affecting vendors such as Recorded Future, Tanium, Huntress, and Jamf, and serving as a lesson for organizations to review and deactivate unused integration keys. Snyk was also impacted, with limited data exfiltration from Salesforce business contact information and support case titles/descriptions. → snyk.io
2026-06-23 2026Secure non-human identities with Wiz’s newest CIEM dashboard beginner 3 min read AuthZDashboard that visualizes and prioritizes risks associated with non-human cloud identities, including service accounts. It offers visibility into risky entities with high privileges or internet exposure, detects country-specific activity, and integrates with attack path analysis to identify lateral movement and data access vulnerabilities. → wiz.io
2026-06-23 2026Monitor sensitive data [3**-** ***7] that resides in code beginner 3 min readLibrary for monitoring sensitive data like PII, PHII, and PCI within codebases, pull requests, and CI/CD pipelines. Utilizing Wiz's DSPM capabilities, it helps reduce accidental data exposure, prevent compliance violations under GDPR, CCPA, PCI-DSS, and HIPAA, and establish organizational baselines. Developers and security teams can leverage the Wiz CLI or version control scanners to identify and remediate sensitive data during the development process. → wiz.io
2026-06-22 2026Nightfall AI and Snyk unite to deliver AI-powered secrets scanning for developers news 2 min read AILibrary integration providing AI-powered secrets scanning, combining Snyk's developer security platform with Nightfall AI's data protection capabilities. This partnership aims to detect and remediate sensitive data, including API keys and credentials, across the code-to-cloud lifecycle. Nightfall AI's technology automatically identifies over 100 sensitive data types, offering context-aware detection to reduce false positives and enhance developer workflows. The integration also addresses risks associated with AI-generated code, providing tools like Snyk's DeepCode AI for vulnerability scanning. → snyk.io
2026-06-20 20265 Node.js security code snippets every backend developer should know beginner 11 min readLibrary offering Node.js security code snippets covering the Permissions Model for restricting resource access, exemplified by preventing command injection in packages like `pdf-image`, and input validation using Fastify JSON schemas to mitigate SSRF and HTTP parameter pollution. It also touches upon secure password hashing with Bcrypt, and integrating tools like the Snyk VS Code extension to detect vulnerable dependencies. → snyk.io
2026-06-20 2026Threat Brief: Mitigating Large-Scale Credential Attacks beginner 4 min readThreat brief on "FortiBleed," a large-scale credential attack campaign targeting Fortinet, MSSQL, and Sophos devices, involving password spraying, configuration extraction, and offline cracking. The brief details threat actor techniques, recommends auditing remote access logs, and provides hardening guidelines such as requiring MFA, adopting Zero Trust Architecture, changing default credentials, disabling unused accounts, and updating software. Palo Alto Networks customers can leverage product protections and consulting services to defend against these attacks. → unit42.paloaltonetworks.com
2026-06-19 2026The full Snyk AI Security Platform, free for open source maintainers news 3 min read AILibrary offering open source maintainers free access to the Snyk AI Security Platform. This program prioritizes risk-based vulnerability management and automated remediation, including the Snyk Remediation Agent which generates validated, merge-ready fixes for Snyk Open Source and Snyk Code issues, aiming to accelerate the fixing process and combat rapidly shrinking exploit timelines. → snyk.io
2026-06-18 2026CISA Credentials Sensitive Data Exposed in GitHub Repository newsCISA has announced that sensitive data, including credentials, was exposed in a GitHub repository. The agency is investigating the incident, which was discovered on October 26th. CISA states that this data exposure did not impact their operational systems or compromise their mission-critical functions. Further details regarding the scope and specific nature of the exposed data have not yet been released. → securityboulevard.com
2026-06-18 2026Under the Radar: Exploring Spring Boot Actuator Misconfigurations intermediate 10 min read RCELibrary for analyzing Spring Boot Actuator misconfigurations that can expose sensitive data like environment variables and API keys, or even lead to remote code execution (RCE) through vulnerabilities like CVE-2022-22947 in Spring Cloud Gateway. It details common weaknesses such as publicly accessible heap dump files and gateway endpoints, which are prevalent in cloud environments and pose significant risks for initial access and lateral movement. → wiz.io
2026-06-18 2026The many ways to obtain credentials in AWS intermediate 5 min read AuthNLibrary detailing numerous methods for obtaining AWS credentials, including IAM role credentials via the Instance Metadata Service (IMDSv1/v2), AWS SDK credential providers (environment variables, credential files), container credential URIs for ECS/EKS, EKS Pod Identities, IRSA, IoT certificate-based authentication, IAM Roles Anywhere, Cognito's GetCredentialsForIdentity, and Datasync's certificate authentication. → wiz.io
2026-06-18 2026Snyk Code now secures AI builds with support for LLM sources beginner 2 min read AILibrary for securing AI builds, Snyk Code now tracks data flows from LLM sources including OpenAI, HuggingFace, Anthropic, and Google. It performs taint analysis to detect untrusted data originating from LLM libraries, flagging potential vulnerabilities such as prompt injections leading to SQL injection or XSS. Any data returned from a supported LLM library is now treated as a source, ensuring developers are alerted to risks when integrating AI components. → snyk.io
2026-06-18 2026Finding and fixing exposed hardcoded secrets in your GitHub project with Snyk intermediate 4 min readLibrary for scanning Node.js projects for exposed hardcoded secrets and credentials, demonstrated with the Snyk goof project. It utilizes Snyk to identify vulnerabilities and then refactors code to leverage Doppler for centralized secret management, preventing secrets from being pushed to GitHub and enabling environment-specific configurations. The process involves adding secrets to Doppler and updating application code to use environment variables injected via the Doppler CLI. → snyk.io
2026-06-17 2026Wiz Research Uncovers Exposed DeepSeek Database Leaking Sensitive Information, Including Chat History news 4 min readAnalysis of a publicly accessible ClickHouse database linked to DeepSeek, discovered by Wiz Research, reveals extensive exposure of sensitive information including over a million lines of chat history, secret keys, and backend details. This unauthenticated exposure allowed full control over database operations and potential privilege escalation, highlighting the critical risks of rapid AI adoption without corresponding infrastructure security. → wiz.io
2026-06-17 2026GitHub Action tj-actions/changed-files supply chain attack: everything you need to know intermediate 6 min read Supply ChainLibrary for identifying and mitigating the CVE-2025-30066 supply chain attack affecting the tj-actions/changed-files GitHub Action. This attack, potentially linked to reviewdog/action-setup, injected malicious code that leaked secrets from affected repositories into workflow logs. The compromise leveraged a compromised GitHub personal access token for the tj-actions bot. Mitigation involves rotating leaked secrets, removing references to the compromised action, and pinning future dependencies to specific commit hashes. → wiz.io
2026-06-17 2026New GitHub Action supply chain attack: reviewdog/action-setup news 6 min read Supply ChainAnalysis of a GitHub Action supply chain attack targeting reviewdog/action-setup@v1 reveals a potential precursor to the tj-actions/changed-files compromise. This attack injected malicious code into CI workflows, dumping secrets from runner memory. Evidence suggests this impacted Coinbase, though their attempt was unsuccessful. Mitigation involves checking workflow logs for double-encoded base64 strings and rotating any exposed secrets, particularly custom ones. → wiz.io
2026-06-17 2026Want to avoid a data breach? Employ secrets detection beginner 10 min readLibrary for detecting secrets like API keys, passwords, and tokens in application code. It employs sophisticated patterns and regex to identify potentially exposed sensitive data, preventing data breaches. The library integrates with IDEs for real-time feedback and can be incorporated into CI/CD pipelines to fail builds upon secret detection, mitigating risks like unauthorized access, regulatory non-compliance, and loss of competitive advantage. → snyk.io
2026-06-17 2026Multiple JetBrains IDE plugins caught stealing AI keys news 5 min read Supply ChainLibrary detailing a coordinated malware campaign impacting the JetBrains Marketplace. At least 15 IDE plugins, disguised as AI coding assistants, exfiltrate user-provided AI provider API keys (e.g., OpenAI, DeepSeek) to a hardcoded attacker-controlled server at 39.107.60[.]51. These plugins, published under seven vendor accounts and collectively installed nearly 70,000 times, bypass manual review by embedding malicious logic within otherwise functional features. The campaign, active since late 2025, also includes a paid tier where attackers resell stolen API keys. → aikido.dev
2026-06-17 2026Extending Our Mission With Developer Endpoint Protection beginner 5 min readLibrary extending ggshield for developer endpoint protection, it finds credentials on developer machines, including those accumulated in shell histories, config files, and AI agent artifacts. It employs local scanning, honeytokens for live attack detection, and integrates with enterprise deployment workflows, MDM solutions, and SIEM systems to secure the growing attack surface presented by AI coding agents like Cursor and GitHub Copilot. → blog.gitguardian.com
2026-06-16 2026Securing Cloud Databases: Best Practices with ClickHouse and Wiz beginner 13 min readLibrary for securing ClickHouse databases, this resource details best practices and out-of-the-box security controls in light of incidents like the Deepseek AI breach. It highlights the importance of TLS encryption, administrator account authentication, and strict authorization policies, addressing misconfigurations such as publicly exposed instances without restrictions and default users without passwords. The library also covers ClickHouse's built-in features like RBAC and provides guidance to prevent data exposure in cloud environments. → wiz.io
2026-06-16 2026Gitguardian Agent Skills: Secret Detection and Remediation For AI-Assisted Development beginner 9 min read AILibrary of open-source GitGuardian Agent Skills designed to teach AI coding assistants secret detection and remediation workflows. These skills provide agents with playbooks for using the `ggshield` CLI and GitGuardian MCP server, covering tasks like scanning repositories for secrets, creating decoy credentials with honeytokens, auditing local machines, checking for leaked secrets using HasMySecretLeaked, and installing Git hooks to prevent secrets from entering history. The skills translate developer concerns into actionable security steps, ensuring consistent and audited security guidance within AI-assisted development environments. → blog.gitguardian.com
2026-06-15 2026Leaking Secrets in the Age of AI beginner 8 min read AISurvey of AI-related secret leakages in public code repositories, highlighting that AI secrets constitute a disproportional majority of findings. It identifies Python notebook (.ipynb) files as a significant source of exposed secrets due to their mixed content and execution output, and notes pervasive leaks in `mcp.json` and AI agent config files for vendors like OpenAI and Anthropic. The analysis also points out gaps in current secrets scanning industry coverage, particularly with emerging AI vendor secrets. → wiz.io
2026-06-15 2026New Year, New Security Goals: Improve Your AppSec in 2025 beginner 3 min read AILibrary for enhancing application security in 2025, Snyk's auto-fix capabilities automate vulnerability remediation across code, dependencies, containers, and IaC. It emphasizes a balance of AI speed with human expertise, offering actionable insights and seamless integration into development workflows, while also highlighting the importance of securing AI-generated code and AI models against threats like poisoning and adversarial attacks. → snyk.io
2026-06-14 2026A new type of long-lived key on AWS: Bedrock API keys beginner 6 min readReference analyzing long-lived and short-lived AWS Bedrock API keys. It details how long-lived keys are tied to IAM Users, potentially bypassing existing SCPs, and over-privileged by default with the `AmazonBedrockLimitedAccess` policy. Short-lived keys are generated client-side via presigned URLs and a new `bedrock:CallWithBearerToken` API. Both key types use a bearer token in the HTTPS header, unlike the typical sigv4. The entry notes these keys have already appeared in public GitHub repositories and recommends SCPs to deny `bedrock:CallWithBearerToken` to mitigate risks. → wiz.io
2026-06-14 2026Secrets Found. Owners Identified. Issues Fixed. intermediate 4 min readLibrary for detecting, prioritizing, and remediating secrets exposure across the SDLC, combining code scanning, cloud workload analysis, and vault data with blast radius context and AI-powered fixes. It validates findings against providers like GitHub and OpenAI, maps secrets to owners, and offers AI-generated remediation guidance, integrating directly into developer workflows. → wiz.io
2026-06-14 2026From Compromised Keys to Phishing Campaigns: Inside a Cloud Email Service Takeover beginner 7 min read AuthNAnalysis of a May 2025 SES abuse campaign reveals attackers compromising AWS access keys to escape Amazon Simple Email Service's sandbox. This involved multi-regional `PutAccountDetails` requests to gain production mode, followed by verifying attacker-owned and weakly protected legitimate domains. The campaign leveraged these to send phishing emails referencing tax forms, directing victims to credential theft sites masked by a traffic analysis service, highlighting the risks of SES misuse for large-scale phishing and monetizing leaked credentials. → wiz.io
2026-06-14 2026Reconstructing the TJ Actions Changed Files GitHub Actions Compromise news 7 min read Supply ChainAnalysis of the tj-actions/changed-files GitHub Actions compromise details how attackers leveraged orphaned Git commits and re-pointed release tags to inject malicious code. This code, when executed within a GitHub Action workflow, interrogated process memory to extract and exfiltrate encrypted secrets, exposing them in public action logs. The attack vector highlights the risks associated with compromised CI/CD pipelines and the importance of validating the integrity of trusted third-party actions. → snyk.io
2026-06-13 2026Old Passwords Die Hard: Abusing CREDHIST for offline credential recovery intermediate 4 min readTool extending DPAPISnoop to extract CREDHIST entries, enabling offline cracking of historical Windows user passwords. This new functionality integrates with Hashcat's modes 15920 and 15930, allowing attackers to recover older password material from password history chains stored in the CREDHIST file. The technique leverages the chained encryption where newer entries protect older password hashes, facilitating credential recovery and password pattern intelligence.
2026-06-13 2026Dismantling a Critical Supply Chain Risk in VSCode Extension Marketplaces news 7 min read Supply ChainWriteup detailing a critical supply chain risk in VSCode extension marketplaces reveals over 550 validated secrets, including AI provider secrets, high-risk platform credentials for AWS and GitHub, and database secrets, leaked by publishers. Most alarmingly, over a hundred access tokens granting extension update privileges were found, potentially allowing attackers to distribute malware to hundreds of thousands of users across both VSCode and Open VSX marketplaces. The research identified dotfiles, .env files, and hardcoded credentials in source code as common leakage sources, prompting platform-level improvements and a notification campaign for impacted publishers. → wiz.io
2026-06-13 2026Exposure Report: 65% of Leading AI Companies Found with Verified Secret Leaks news 6 min read AIAnalysis of 50 leading AI companies reveals that 65% have verified secret leaks on GitHub, including API keys and sensitive credentials. These exposures were found not only in public repositories but also in deleted forks, gists, and developer accounts, often missed by traditional scanners. Notable leak cases involve companies like ElevenLabs and LangChain, with exposed API keys potentially granting access to organizational structures, training data, or private models. The findings highlight the critical need for robust secret scanning and secure development practices as AI companies scale. → wiz.io
2026-06-12 2026Introducing Posture Issues: Transform Security Findings into Actionable Outcomes beginner 4 min read Bug BountyFramework for managing security debt, Posture Issues consolidate findings within a single domain like vulnerabilities or secrets, transforming unmanaged backlogs into structured remediation projects. This approach facilitates meeting compliance requirements and SLAs, tackling large volumes of non-critical findings, and consolidating remediation efforts for improved security hygiene and long-term resilience, complementing existing Risk Issues for immediate threat mitigation. → wiz.io
2026-06-12 2026Code to Cloud Attacks: From Github PAT to Cloud Control Plane intermediate 7 min read Supply ChainWriteup detailing threat actor techniques for exploiting compromised GitHub Personal Access Tokens (PATs) to gain unauthorized access to cloud environments. This includes discovering secrets within code using GitHub's API, executing malicious code via GitHub Actions, and exfiltrating cloud credentials. Attackers then leverage these credentials for cross-cloud lateral movement and defense evasion by deleting workflow logs. The writeup highlights risks associated with storing CSP credentials in GitHub Actions Secrets and plain-text keys in repositories, referencing supply-chain attacks like tj-actions and Shai-Hulud. → wiz.io
2026-06-12 2026When “Private" Isn't: The Security Risk of GPT Chats Leaking to Search Engines news 3 min read AIAnalysis of ChatGPT chat indexing by Google, Bing, and DuckDuckGo in July 2025, where a discoverability feature for shared links unintentionally exposed sensitive user conversations. This event highlights risks from insecure defaults and UI consent failures in LLM platforms, mirroring past incidents with Google Bard. Mitigation strategies include disabling search engine discoverability by default, improving UI warnings, and organizational adoption of enterprise LLMs and DLP tools. → snyk.io
2026-06-11 2026Snipping the Long Tail of Shai-Hulud 2.0 advanced 6 min readAnalysis of the Shai-Hulud 2.0 worm reveals its persistence through mechanisms like private registries, cached packages, and a lingering OpenVSX IDE extension (asyncapi-preview v1.0.1). This "long tail" of infections impacted over ⅓ of the Fortune 100, with leaked credentials remaining valid, potentially linking to the Trust Wallet $7M exploit due to shared exfiltrated GitHub and Web Store credentials, and similar naming conventions. Wiz Research "snipped the tail" by coordinating a clean OpenVSX extension update. → wiz.io
2026-06-11 2026Hacking Moltbook: The AI Social Network Any Human Can Control intermediate 8 min read AI API SecWriteup of Moltbook's Supabase misconfiguration, detailing how exposed API keys allowed unauthenticated read and write access to millions of API authentication tokens, 35,000 email addresses, and private messages. The vulnerability also revealed an 88:1 agent-to-human ratio and exposed plaintext OpenAI API keys within agent conversations, echoing previous issues like the DeepSeek data leak and Base44 Authentication Bypass. → wiz.io
2026-06-11 2026Wiz + Spotify Backstage: Security at the Developer’s Desk beginner 3 min readPlugin for Spotify Backstage that integrates Wiz Issues and Vulnerabilities, mapping Wiz Projects to Backstage components. Developers can search findings by rule, resource, or CVE, view vulnerability counts and severity, and seamlessly jump into Wiz for deeper investigation and remediation, bringing security context directly to the developer's workflow. → wiz.io
2026-06-11 2026npm Supply Chain Attack via Open Source maintainer compromise news 3 min read Supply ChainWriteup detailing an npm supply chain attack where a maintainer's account was compromised via a phishing email. The attacker injected malicious code into popular npm packages, targeting crypto transactions by intercepting and modifying ETH value transfers and wallet approvals. The attack leveraged social engineering and bypassed security controls, impacting users who installed compromised package versions. Snyk provides tools like SCA and SBOM to detect and monitor affected projects, and a "Featured Zero-Day" report is available for Enterprise users. → snyk.io
2026-06-11 2026Zero-day Extensive NPM Package Compromise - Shai Hulud Supply Chain Attack news 5 min read Supply ChainAnalysis of the Shai-Hulud npm supply chain attack, which compromised hundreds of packages including @ctrl/tinycolor and ngx-bootstrap, detailing malicious `postinstall` scripts designed to exfiltrate cloud credentials and API keys. The attack leveraged GitHub Actions for data exfiltration and persistence, with affected versions like `ngx-bootstrap` 20.0.4-20.0.6 requiring immediate remediation, secret rotation, and system rebuilding. → snyk.io
2026-06-11 2026Compromised Rust crate onering performs code exfiltration news 3 min read Supply ChainAnalysis of a compromised Rust crate, "onering" (version 1.4.1), reveals a `build.rs` script designed for code exfiltration. This script harvests Git data, including the source code of the most recent commit, from the host project and exfiltrates it to a Sentry ingest endpoint disguised as telemetry. The compromise affects both the crates.io package and the maintainer's GitHub repository. → aikido.dev
2026-06-11 2026You Can't Secure What You Can't See: Making Non-Human Identities Governable beginner 4 min read AuthNLibrary for governing non-human identities, GitGuardian NHI Governance provides a centralized, searchable inventory of machine identities across secrets managers, CI/CD, cloud IAM, Kubernetes, and SaaS platforms. It surfaces NHIs with their source, path, environment, risk level, and ownership status, enabling continuous governance by identifying public leaks, internal leaks, cross-environment secrets, reused credentials, long-lived secrets, and overprivileged identities. This context allows teams to understand dependencies before revoking or rotating credentials, shifting from reactive incident response to proactive security. → blog.gitguardian.com
2026-06-10 2026Keeping Secrets Out of Logs beginner 29 min readLibrary of techniques for preventing sensitive data, such as API keys, PII, and passwords, from being logged. This resource details common causes of secrets appearing in logs, including direct logging, "kitchen sink" objects, and configuration changes that expose debug-level information. It emphasizes that preventing secrets in logs requires a multi-layered defense-in-depth approach rather than a single solution.
2026-06-10 2026KICS GitHub Action Compromised: TeamPCP Strikes Again in Supply Chain Attack news 7 min read Supply ChainWriteup detailing the supply chain attack on the KICS GitHub Action by TeamPCP, which involved credential-stealing malware targeting users between March 23rd and 24th UTC. The attack, similar to a previous one on Trivy, compromised 35 tags and leveraged a compromised service account to push malicious commits. The malware exfiltrates secrets via AES-256-CBC encryption, using the same RSA public key as the Trivy incident, and introduces a new Kubernetes-focused persistence mechanism. The report also notes concurrent compromises of OpenVSX extensions, cx-dev-assist and ast-results. → wiz.io
2026-06-10 2026Three’s a Crowd: TeamPCP trojanizes LiteLLM in Continuation of Campaign news 3 min read Python Supply ChainAnalysis of TeamPCP's supply chain attack targeting LiteLLM versions 1.82.7 and 1.82.8, which abuse Python's `.pth` file mechanism for stealthy persistence and exfiltrate cloud credentials, CI/CD secrets, and keys to attacker-controlled domains like `checkmarx[.]zone` and `models[litellm][.]cloud`. This attack follows TeamPCP's prior compromises of Trivy, Checkmarx GitHub Actions, and OpenVSX extensions. → wiz.io
2026-06-10 2026Tracking TeamPCP: Investigating Post-Compromise Attacks Seen in the Wild news 5 min read Supply ChainWriteup detailing post-compromise activities by the TeamPCP threat actor group, following supply chain attacks on Trivy, KICS, and LiteLLM. The analysis reveals TeamPCP's use of stolen cloud credentials and secrets, validated with tools like TruffleHog, to perform internal discovery across AWS services such as IAM, EC2, and ECS. The group leverages GitHub workflows and ECS Exec for code execution and lateral movement, employing Git cloning for data exfiltration from repositories and AWS services. Observed TTPs include unusual enumeration, secret validation, and deletion of workflow logs. → wiz.io
2026-06-09 2026Supply Chain Campaign Targets SAP npm Packages with Credential-Stealing Malware news 5 min read Supply ChainWriteup of the "Mini Shai Hulud" supply chain campaign, detailing how TeamPCP trojanized SAP npm packages. The malware uses obfuscated payloads to harvest developer and CI/CD secrets from GitHub, npm, cloud providers, Kubernetes, and HashiCorp Vault. Exfiltration primarily occurs via attacker-controlled GitHub repositories, using techniques like the GraphQL API and fallback mechanisms for credential discovery. The campaign exhibits a Russian language guardrail, terminating execution if specific locale settings are detected. → wiz.io

Frequently Asked Questions

How do secrets leak into code repositories?
Secrets commonly leak through developer mistakes: hardcoding API keys during development, committing .env files, leaving credentials in test fixtures, pasting tokens into comments, or including secrets in Docker build arguments. Even if removed in later commits, secrets persist in git history unless the repository is rewritten with tools like git-filter-repo or BFG Repo Cleaner.
What tools detect leaked secrets?
TruffleHog and GitLeaks scan git repositories for high-entropy strings and known credential patterns. GitHub Secret Scanning alerts on known token formats from partner services. Pre-commit hooks using detect-secrets or gitleaks can prevent commits containing secrets. For CI/CD, tools like talisman and SpectralOps provide pipeline-level scanning.
What should you do when a secret is leaked?
Immediately rotate the compromised credential — assume it has been captured. Revoke the old key, generate a new one, and update all systems using it. Then remove the secret from git history if it was committed. Review access logs for the compromised credential to assess if it was exploited. Finally, implement prevention measures to stop future leaks.

Weekly AppSec Digest

Get new resources delivered every Monday.