Credentials for thousands of open source projects free for the takingagain! – Ars Technica
Getty Images
A service that helps open source developers write and test software is leaking thousands of authentication tokens and other security-sensitive secrets. Many of these leaks allow hackers to access the private accounts of developers on Github, Docker, AWS, and other code repositories, security experts said in a new report.
The tokens give anyone with access to them the ability to read or modify the code stored in repositories that distribute an untold number of ongoing software applications and code libraries. The ability to gain unauthorized access to such projects opens the possibility of supply chain attacks, in which threat actors tamper with malware before it's distributed to users. The attackers can leverage their ability to tamper with the app to target huge numbers of projects that rely on the app in production servers.
Despite this being a known security concern, the leaks have continued, researchers in the Nautilus team at the Aqua Security firm are reporting. A series of two batches of data the researchers accessed using the Travis CI programming interface yielded 4.28 million and 770 million logs from 2013 through May 2022. After sampling a small percentage of the data, the researchers found what they believe are 73,000 tokens, secrets, and various credentials.
"These access keys and credentials are linked to popular cloud service providers, including GitHub, AWS, and Docker Hub," Aqua Security said. "Attackers can use this sensitive data to initiate massive cyberattacks and to move laterally in the cloud. Anyone who has ever used Travis CI is potentially exposed, so we recommend rotating your keys immediately."
Travis CI is a provider of an increasingly common practice known as continuous integration. Often abbreviated as CI, it automates the process of building and testing each code change that has been committed. For every change, the code is regularly built, tested, and merged into a shared repository. Given the level of access CI needs to work properly, the environments usually store access tokens and other secrets that provide privileged access to sensitive parts inside the cloud account.
The access tokens found by Aqua Security involved private accounts of a wide range of repositories, including Github, AWS, and Docker.
Aqua Security
Examples of access tokens that were exposed include:
The following graph shows the breakdown:
Aqua Security
Aqua Security researchers added:
We found thousands of GitHub OAuth tokens. Its safe to assume that at least 10-20% of them are live. Especially those that were found in recent logs. We simulated in our cloud lab a lateral movement scenario, which is based on this initial access scenario:
1. Extraction of a GitHub OAuth token via exposed Travis CI logs.
2. Discovery of sensitive data (i.e., AWS access keys) in private code repositories using the exposed token.
3. Lateral movement attempts with the AWS access keys in AWS S3 bucket service.
4. Cloud storage object discovery via bucket enumeration.
5. Data exfiltration from the targets S3 to attackers S3.
Aqua Security
Travis CI representatives didn't immediately respond to an email seeking comment for this post. Given the recurring nature of this exposure, developers should proactively rotate access tokens and other credentials periodically. They should also regularly scan their code artifacts to ensure they don't contain credentials. Aqua Security has additional advice in its post.
Go here to see the original:
Credentials for thousands of open source projects free for the takingagain! - Ars Technica
- Whats Really Hiding Behind That Free Tutorial? Unlocking YouTube Ghost Network - The420.in - October 26th, 2025 [October 26th, 2025]
- Article | At least 25 states plan to cut off food aid benefits in November - POLITICO Pro - October 26th, 2025 [October 26th, 2025]
- Benghazi hosts intelligence chiefs and an interesting guest from South Africa - The Africa Report.com - October 26th, 2025 [October 26th, 2025]
- Hundreds of Syrians line up in Tripoli for free repatriation flights to Syria - The Arab Weekly - October 26th, 2025 [October 26th, 2025]
- Gulf of Sirte International Airport Reopens: A New Era for Libyan Tourism - Travel And Tour World - October 26th, 2025 [October 26th, 2025]
- The Attorney General Is A Defendant In A Torture Claim From A Libyan Military Commander That He Drafted - Politics Home - October 26th, 2025 [October 26th, 2025]
- Agreement signed to hold the First Libyan Conference for Laboratories and Radiology - libyaupdate.com - October 26th, 2025 [October 26th, 2025]
- EU reaffirms support for Libyan people in pursuit of peace, national unity - APAnews - Agence de Presse Africaine - October 26th, 2025 [October 26th, 2025]
- Commander-in-Chief Receives Elders and Notables from the Central Region, Affirms: "The Armed Forces Will Guarantee Any Agreement That Unites... - October 26th, 2025 [October 26th, 2025]
- Elforjani: Sirte is a symbol of liberation from terrorism and the General Command's support enhances the path of development - libyaupdate.com - October 26th, 2025 [October 26th, 2025]
- Voices from the sea, part three: how do exiled people experience their moment of rescue? - The Conversation - October 26th, 2025 [October 26th, 2025]
- Free access to Laba7 Shock Dyno Software announced - Automotive Powertrain Technology International - October 24th, 2025 [October 24th, 2025]
- Unleash Your Voice: The Best Free Text-To-Audio Software For 2025 - Harlem World Magazine - October 24th, 2025 [October 24th, 2025]
- How to Scan, Edit and Sign PDF Files on Your Phone or Tablet - The New York Times - October 23rd, 2025 [October 23rd, 2025]
- Unintended Acceleration Is The Last Thing A Supercharged Ford Mustang Needs - Yahoo! Autos - October 21st, 2025 [October 21st, 2025]
- Top Password Recovery Software for 2025: All the Best Services Picked by the Experts - TechRadar - October 19th, 2025 [October 19th, 2025]
- Windows 10 PC can't be upgraded? You have 5 options - and must act now - ZDNET - October 19th, 2025 [October 19th, 2025]
- Free Software Foundation Is Serious About The Librephone Project [To Bring Mobile Freedom To The Masses] - It's FOSS News - October 17th, 2025 [October 17th, 2025]
- FSF Librephone battles the proprietary binary blob - theregister.com - October 17th, 2025 [October 17th, 2025]
- World's first truly free software phone? That's the FSF's new 'long game' - ZDNET - October 17th, 2025 [October 17th, 2025]
- Belarusian authorities bought trace-free tracking software, an investigation finds - - October 17th, 2025 [October 17th, 2025]
- First convictions linked to Post Office Capture software referred for appeal - Free Press Series - October 17th, 2025 [October 17th, 2025]
- 10 open-source Windows apps I can't live without - and they're all free - ZDNET - October 15th, 2025 [October 15th, 2025]
- Borderlands 4: Gearbox Software Reveals Upcoming Content for the Game Including a DLC, a Free Event and More - IGN India - October 15th, 2025 [October 15th, 2025]
- Triple-zero software 'hanging by a thread' - Kyabram Free Press - October 15th, 2025 [October 15th, 2025]
- Free Up More Google Drive Space at No Cost With These Hacks - CNET - October 13th, 2025 [October 13th, 2025]
- 8 free Linux apps that make tricky tasks surprisingly easy - no command line required - ZDNET - October 13th, 2025 [October 13th, 2025]
- Running Out of Space on Your iPhone? Before You Delete Anything Try This - CNET - October 11th, 2025 [October 11th, 2025]
- 4 free video editors that make me question why I ever paid for Adobe software - XDA - October 9th, 2025 [October 9th, 2025]
- A 2TB PCIe 5.0 SSD for less than $140? This Crucial P510 Prime Big Deals Day discount with free Acronis software is exactly why I'm putting it... - October 9th, 2025 [October 9th, 2025]
- At 40 Years, Free Software Foundation Now Wants to 'Free Your Phone' - It's FOSS News - October 9th, 2025 [October 9th, 2025]
- 8 free Linux apps that are surprisingly useful - no command line required - ZDNET - October 4th, 2025 [October 4th, 2025]
- We Finally Have Free Anti-Robocall Tools That Work - The New York Times - October 4th, 2025 [October 4th, 2025]
- Illinois State Bar Association Offering Free Trust Accounting & Billing Software to All Members With Smokeball Bill - Illinois State Bar... - October 2nd, 2025 [October 2nd, 2025]
- Suffolk tech giant pledges $10m to give charities free software for life - Ipswich.co.uk - October 2nd, 2025 [October 2nd, 2025]
- Eventide Temperance Lite, "the world's first musical reverb plugin": free download for a limited time - synth anatomy - October 2nd, 2025 [October 2nd, 2025]
- Windows 10 extended support is now free, but only in Europe Microsoft capitulates on controversial $30 ESU price tag which remains firmly in place... - September 30th, 2025 [September 30th, 2025]
- You can now install iOS 26 on your iPhone: Everything to know about the free software update - Engadget - September 30th, 2025 [September 30th, 2025]
- Turns out, Microsoft will offer Windows 10 security updates for free until 2026but unfortunately not in the US or the UK - PC Gamer - September 30th, 2025 [September 30th, 2025]
- Free Alternatives to Photoshop and Word: How to Save on Software - 112.ua - September 30th, 2025 [September 30th, 2025]
- Delete those pricey programs with our four tips to help you find the best bargain software solutions - The Sun - September 30th, 2025 [September 30th, 2025]
- BlueCruise is Getting Better for Current Truck Owners - Ford From the Road - September 28th, 2025 [September 28th, 2025]
- Best typing tutor software of 2025 - TechRadar - September 25th, 2025 [September 25th, 2025]
- You can update your iPhone to iOS 26 for free right now - here's which models support it - ZDNET - September 25th, 2025 [September 25th, 2025]
- This is the best photo editing software to use in 2025 - Amateur Photographer - September 25th, 2025 [September 25th, 2025]
- From Abuse to Alignment: Why We Need Sustainable Open Source Infrastructure - Sonatype - September 25th, 2025 [September 25th, 2025]
- Think you've seen the weirdest place to play DOOM? Think again - Creative Bloq - September 23rd, 2025 [September 23rd, 2025]
- OpenSSF to freeloaders: Open source infra isn't free - theregister.com - September 23rd, 2025 [September 23rd, 2025]
- I transformed our LAN gaming setup with a mini PC and free software - XDA - September 21st, 2025 [September 21st, 2025]
- iOS 26 is ready to download: Everything to know about the free iPhone software update - Engadget - September 21st, 2025 [September 21st, 2025]
- Filmmakers - you can now storyboard your next movie totally free with this software - Yahoo! Tech - September 21st, 2025 [September 21st, 2025]
- Oak Creek Police Crime Analyst Wins Top International Award with Innovative Free Software Dashboard - Hoodline - September 21st, 2025 [September 21st, 2025]
- Molecularbytes Atomicreverbfree, a free algorithmic reverb for macOS and Windows - synth anatomy - September 19th, 2025 [September 19th, 2025]
- Meadows Introduces Free Imposition Software for Adobe InDesign - PRWeb - September 19th, 2025 [September 19th, 2025]
- Lucid just gave its EV owners a free dash cam mode and Tesla-style parking monitor all from a software update - TechRadar - September 19th, 2025 [September 19th, 2025]
- My Google Pixel just updated and is better than ever get your free software upgrade now - T3 - September 19th, 2025 [September 19th, 2025]
- NLSIU study hails Keralas KITE as key model for implementing Free and Open Source Software (FOSS) - The Times of India - September 19th, 2025 [September 19th, 2025]
- These are the top free Windows tools that I use on a daily basis to boost my productivity - Tom's Hardware - September 17th, 2025 [September 17th, 2025]
- iOS 26 is finally here: Everything to know about the free iPhone software update - Engadget - September 17th, 2025 [September 17th, 2025]
- When does iOS 26 come out? Date and time you can download the new iPhone operating system around the world - Fast Company - September 17th, 2025 [September 17th, 2025]
- Why Pie Is Becoming the UKs Go-To Free Tax Software in 2025 - The Globe and Mail - September 13th, 2025 [September 13th, 2025]
- iOS 26: What to know about the free iPhone software update ahead of the Apple event today - Engadget - September 11th, 2025 [September 11th, 2025]
- I built a photo editing workflow with nothing but free and open-source tools - xda-developers.com - September 9th, 2025 [September 9th, 2025]
- TapeFi Stop, free vinyl stop simulator plugin for macOS and Windows - synth anatomy - September 9th, 2025 [September 9th, 2025]
- Farming Simulator 25 Releases Third Free Update - Bleeding Cool News - September 6th, 2025 [September 6th, 2025]
- One of the biggest names in video editing is coming to smartphones and it's free. Meet Premiere Pro for mobile - Digital Camera World - September 5th, 2025 [September 5th, 2025]
- Microsoft wants to give US government Copilot for free - theregister.com - September 3rd, 2025 [September 3rd, 2025]
- I Thought My Gmail Inbox Was Toast. Then I Got Back 15GB of Free Storage - CNET - September 3rd, 2025 [September 3rd, 2025]
- The Truth About KMSPico Downloads: Risks and Better Alternatives - inkl - September 3rd, 2025 [September 3rd, 2025]
- Artistapirata Download Free Programs, Games, and Software in 2026 - nerdbot - August 29th, 2025 [August 29th, 2025]
- Cognyte Software Ltd. stock prediction for this week - July 2025 Closing Moves & Free Low Drawdown Momentum Trade Ideas - Newser - August 29th, 2025 [August 29th, 2025]
- Analyzing Upland Software Inc. with multi timeframe charts - Forecast Cut & Free Growth Oriented Trading Recommendations - Newser - August 29th, 2025 [August 29th, 2025]
- Can Upland Software Inc. recover in the next quarter - Options Play & Free Growth Oriented Trading Recommendations - Newser - August 27th, 2025 [August 27th, 2025]
- Custom watchlist performance reports with Asure Software Inc. - Weekly Market Summary & Reliable Breakout Stock Forecasts - Newser - August 27th, 2025 [August 27th, 2025]
- Is Paycom Software Inc. forming a reversal pattern - Trend Reversal & Free Reliable Trade Execution Plans - Newser - August 27th, 2025 [August 27th, 2025]
- What the charts say about CyberArk Software Ltd. today - Weekly Volume Report & Free Reliable Trade Execution Plans - Newser - August 26th, 2025 [August 26th, 2025]
- Is this a good reentry point in Guidewire Software Inc. - 2025 Market Sentiment & Free AI Powered Buy and Sell Recommendations - Newser - August 26th, 2025 [August 26th, 2025]
- Trend analysis for OneStream Software LLC this week - Weekly Trend Summary & Free Expert Approved Momentum Trade Ideas - Newser - August 24th, 2025 [August 24th, 2025]
- Detecting price anomalies in Paycom Software Inc. with AI - July 2025 Volume & Free Community Supported Trade Ideas - Newser - August 24th, 2025 [August 24th, 2025]
- Using AI based signals to follow Unity Software Inc. - July 2025 Breakouts & Free Verified High Yield Trade Plans - Newser - August 24th, 2025 [August 24th, 2025]