Credentials for thousands of open source projects free for the takingagain! – Ars Technica
Getty Images
A service that helps open source developers write and test software is leaking thousands of authentication tokens and other security-sensitive secrets. Many of these leaks allow hackers to access the private accounts of developers on Github, Docker, AWS, and other code repositories, security experts said in a new report.
The tokens give anyone with access to them the ability to read or modify the code stored in repositories that distribute an untold number of ongoing software applications and code libraries. The ability to gain unauthorized access to such projects opens the possibility of supply chain attacks, in which threat actors tamper with malware before it's distributed to users. The attackers can leverage their ability to tamper with the app to target huge numbers of projects that rely on the app in production servers.
Despite this being a known security concern, the leaks have continued, researchers in the Nautilus team at the Aqua Security firm are reporting. A series of two batches of data the researchers accessed using the Travis CI programming interface yielded 4.28 million and 770 million logs from 2013 through May 2022. After sampling a small percentage of the data, the researchers found what they believe are 73,000 tokens, secrets, and various credentials.
"These access keys and credentials are linked to popular cloud service providers, including GitHub, AWS, and Docker Hub," Aqua Security said. "Attackers can use this sensitive data to initiate massive cyberattacks and to move laterally in the cloud. Anyone who has ever used Travis CI is potentially exposed, so we recommend rotating your keys immediately."
Travis CI is a provider of an increasingly common practice known as continuous integration. Often abbreviated as CI, it automates the process of building and testing each code change that has been committed. For every change, the code is regularly built, tested, and merged into a shared repository. Given the level of access CI needs to work properly, the environments usually store access tokens and other secrets that provide privileged access to sensitive parts inside the cloud account.
The access tokens found by Aqua Security involved private accounts of a wide range of repositories, including Github, AWS, and Docker.
Aqua Security
Examples of access tokens that were exposed include:
The following graph shows the breakdown:
Aqua Security
Aqua Security researchers added:
We found thousands of GitHub OAuth tokens. Its safe to assume that at least 10-20% of them are live. Especially those that were found in recent logs. We simulated in our cloud lab a lateral movement scenario, which is based on this initial access scenario:
1. Extraction of a GitHub OAuth token via exposed Travis CI logs.
2. Discovery of sensitive data (i.e., AWS access keys) in private code repositories using the exposed token.
3. Lateral movement attempts with the AWS access keys in AWS S3 bucket service.
4. Cloud storage object discovery via bucket enumeration.
5. Data exfiltration from the targets S3 to attackers S3.
Aqua Security
Travis CI representatives didn't immediately respond to an email seeking comment for this post. Given the recurring nature of this exposure, developers should proactively rotate access tokens and other credentials periodically. They should also regularly scan their code artifacts to ensure they don't contain credentials. Aqua Security has additional advice in its post.
Go here to see the original:
Credentials for thousands of open source projects free for the takingagain! - Ars Technica
- 15 free photo, design, video editing and productive software that are even better than paid ones - Hindustan Times - July 6th, 2025 [July 6th, 2025]
- CineStills New Film Scan Conversion Software is Fast, Accurate, and Free - PetaPixel - July 4th, 2025 [July 4th, 2025]
- The startup on a mission to free software engineers from batched software testing: Signadot - StartUp Beat - July 4th, 2025 [July 4th, 2025]
- How to get free software from yesteryear's IT crowd trick code into thinking it's running on a rival PC - theregister.com - June 28th, 2025 [June 28th, 2025]
- The best free CRM software of 2025: Expert tested - ZDNet - June 28th, 2025 [June 28th, 2025]
- I started managing my finances with this free accounting software and I'm not going back - XDA - June 28th, 2025 [June 28th, 2025]
- Feds question Ford in hands-free driving investigation - TechCrunch - June 26th, 2025 [June 26th, 2025]
- City of Sterling Heights, Velocity partner to support small businesses - Macomb Daily - June 22nd, 2025 [June 22nd, 2025]
- I've tested and used a lot of CAD software, but this free app is one of the best - Creative Bloq - June 20th, 2025 [June 20th, 2025]
- No, That TikTok Video Won't Help You Get Free Software - Forbes - May 30th, 2025 [May 30th, 2025]
- Lian Lis tube-hiding Hydroshift II LCD-C AIO cooler adds a rotating dial for software-free display and RGB control - Tom's Hardware - May 30th, 2025 [May 30th, 2025]
- I've been using Wixel, the new free design platform from Wix, and it's surprisingly good - Creative Bloq - May 19th, 2025 [May 19th, 2025]
- Best Adobe Photoshop alternative of 2025: Avoid Creative Cloud subscriptions with these top apps - TechRadar - May 17th, 2025 [May 17th, 2025]
- Tether Awards Another $100,000 Grant to BTCPay Server Foundation, Reaffirming Its Commitment to Free and Open Source Software Development - Tether.io - May 11th, 2025 [May 11th, 2025]
- Apple About To Make Unexpected Free Offer To All iPhone 13 Users - Forbes - May 11th, 2025 [May 11th, 2025]
- How to Use the A.I.-Powered Writing Tools on Your Phone - The New York Times - May 11th, 2025 [May 11th, 2025]
- 10 Best 3D Modeling Software That I Reviewed (and Loved) - Learn Hub | G2 - May 11th, 2025 [May 11th, 2025]
- I have tried a lot of different expense tracker software, and I keep coming back to this free, open-source tool - XDA - May 11th, 2025 [May 11th, 2025]
- Fantastic (free) plugins and how to use them: Full Bucket FB-3300 - MusicRadar - April 27th, 2025 [April 27th, 2025]
- The best free software for your gaming PC in 2025: programs you need to know - TechRadar - April 27th, 2025 [April 27th, 2025]
- postmarketOS on developing free and open source software to extend the life of consumer electronics - Association for Progressive Communications - April 27th, 2025 [April 27th, 2025]
- Take it from an expert: This is the best Windows backup software - pcworld.com - April 27th, 2025 [April 27th, 2025]
- WeThinkCode_ Tuition-Free Two years Software Development Programme 2025 for young Africans in South Africa. - Opportunities For Africans - April 27th, 2025 [April 27th, 2025]
- Samsung Galaxy handsets could get a massive free software upgrade as soon as this summer - MSN - April 14th, 2025 [April 14th, 2025]
- A Free Software Program Helped Create This Oscar-Winning Movie And Thats a Big Deal - Collider - April 8th, 2025 [April 8th, 2025]
- Samsung Galaxy handsets could get a massive free software upgrade as soon as this summer - t3.com - April 8th, 2025 [April 8th, 2025]
- More Than 200 Manufacturers Download Free Work Instruction Software - Assembly Magazine - April 8th, 2025 [April 8th, 2025]
- Windows' Photoshop Alternative Is Actually Good Now, and It's Free - Lifehacker - April 8th, 2025 [April 8th, 2025]
- I've tried a lot of different backup software, and I keep coming back to this free, open-source tool - XDA - April 8th, 2025 [April 8th, 2025]
- Home Assistant is the best example of what free and open-source software should be - XDA - April 8th, 2025 [April 8th, 2025]
- Intel Unison, a powerful free app bridging Android phones and PCs, is shutting down - Android Central - April 8th, 2025 [April 8th, 2025]
- TugImgSynth, free image wavetable Synthesizer plugin for macOS and Windows - synth anatomy - April 8th, 2025 [April 8th, 2025]
- Garmin wants you to pay for AI features and enhanced software updates - is it worth it? - ZDNET - April 8th, 2025 [April 8th, 2025]
- Apple announces software update to AirPods Max, and you can get it for free; heres how - Fortune India - March 25th, 2025 [March 25th, 2025]
- Download Free PDF Reader (free) for Windows, macOS and Linux - Gizmodo - March 25th, 2025 [March 25th, 2025]
- 5 best free alternatives to Adobe creative software you should use instead - XDA Developers - March 25th, 2025 [March 25th, 2025]
- Best free Adobe Illustrator alternatives of 2025 - TechRadar - March 25th, 2025 [March 25th, 2025]
- Ocean Swift revives its free Legacy Synthesizer plugins with VST3 support: part 1 bundle - Synth Anatomy - March 25th, 2025 [March 25th, 2025]
- I've found the easiest way to learn Blackmagic's Da Vinci Resolve 19 and it's free - Creative Bloq - March 25th, 2025 [March 25th, 2025]
- Download PDFgear (free) for Windows, macOS, Android, iOS and Web App - Gizmodo - March 25th, 2025 [March 25th, 2025]
- U-he Tyrell N6 3.0, free Synthesizer plugin gets major update with Apple Silicon support, and more - Synth Anatomy - March 25th, 2025 [March 25th, 2025]
- GIMP 3.0 Is Here The Best Free Graphics Editor Just Got Better - 9Meters.com - March 18th, 2025 [March 18th, 2025]
- File Your Tax Return for Free: What to Know About the IRS Free File Program and Its Limitations - CNET - March 18th, 2025 [March 18th, 2025]
- Freeware image editor GIMP 3.0 arrives after seven years of incubation - Tom's Hardware - March 18th, 2025 [March 18th, 2025]
- A Perfect Day - for iOS - Free download and software reviews - Download.com - March 18th, 2025 [March 18th, 2025]
- Oscar winner Gints Zilbalodis: Its really cool that we can make these films with free software - The Irish Times - March 18th, 2025 [March 18th, 2025]
- A government program made tax filing free and more efficient. Musk and DOGE may get rid of it anyway - MyFoxZone.com KIDY - March 18th, 2025 [March 18th, 2025]
- Winner of Best Animated Film at the 2025 Oscars Was Made on Free Software - The Express Tribune - March 18th, 2025 [March 18th, 2025]
- Deep Research could be the next Gemini feature to hit free users, per report - Android Central - March 9th, 2025 [March 9th, 2025]
- As Flow takes home the Oscar using only free software, fans troll"Disneys worst nightmare is indie animators with talent" - Soap Central - March 9th, 2025 [March 9th, 2025]
- The best animation Oscar winner was made in totally free software that anyone can use - Yahoo Entertainment - March 9th, 2025 [March 9th, 2025]
- Best free WinZip alternative of 2025 - TechRadar - March 9th, 2025 [March 9th, 2025]
- YouTube's affordable ad-free Premium Lite plan officially rolls out in the U.S. - Android Central - March 9th, 2025 [March 9th, 2025]
- 303 Day: Get Rolands TB-303 software version absolutely free but youll have to be quick - MusicTech - March 9th, 2025 [March 9th, 2025]
- Everybody needs a 303, and Roland is giving away its software version free for 303 Day but be quick, theres only 3,030 copies up for grabs -... - March 3rd, 2025 [March 3rd, 2025]
- News: Free QNX Everywhere software resources now available - A3 Association for Advancing Automation - March 1st, 2025 [March 1st, 2025]
- How do I file my taxes for free? Federal and Ohio state services to know about this year - The Columbus Dispatch - March 1st, 2025 [March 1st, 2025]
- How to file your taxes for free in 2025 - CNBC - March 1st, 2025 [March 1st, 2025]
- Microsoft quietly tests free, ad-supported version of Office apps for Windows with limited functionality - Windows Central - March 1st, 2025 [March 1st, 2025]
- Empty Out Your Gmail Inbox and Get Back 15GB of Storage - CNET - March 1st, 2025 [March 1st, 2025]
- Google releases free version of AI platform that speeds coding - Business in Vancouver - March 1st, 2025 [March 1st, 2025]
- H&R Block vs. TurboTax vs. Jackson Hewitt: Whats the Difference? - Investopedia - February 25th, 2025 [February 25th, 2025]
- All the Ways You Can File for Free This Year, From TurboTax to FreeTaxUSA - CNET - February 18th, 2025 [February 18th, 2025]
- Best free video editing software of 2025: Top picks for every project and skill-level - TechRadar - February 14th, 2025 [February 14th, 2025]
- 500,000 U.S. Lawyers Now Have Free Access to Trust Software through Bar Partnerships with Smokeball - LawSites - February 14th, 2025 [February 14th, 2025]
- Best Tax Software 2025: TurboTax Leads the Pack, but These Options May Work Better for You - CNET - February 14th, 2025 [February 14th, 2025]
- Photopea Is a Free Photoshop Alternative That Runs in the Browser - WIRED - February 14th, 2025 [February 14th, 2025]
- Freedom Reimagined: Meet the Free Software Foundations 40th Anniversary Logo - It's FOSS News - January 24th, 2025 [January 24th, 2025]
- Free Software Foundation Marking 40 Years Old With A New Logo - Phoronix - January 24th, 2025 [January 24th, 2025]
- Coros smartwatches just got a big free software update here are the best new features - MSN - January 24th, 2025 [January 24th, 2025]
- Best personal finance software of 2025 - TechRadar - January 24th, 2025 [January 24th, 2025]
- Free Mac Email Apps That Stand Out in 2025: A Comprehensive Guide - PUNE.NEWS - January 24th, 2025 [January 24th, 2025]
- Free-software warriors celebrate landmark case that enforced GNU LGPL - The Register - January 13th, 2025 [January 13th, 2025]
- This free software is topping the Steam charts, but its not a game - Notebookcheck.net - January 13th, 2025 [January 13th, 2025]
- IRS offering free tax filing services to millions starting this week - KSWO - January 13th, 2025 [January 13th, 2025]
- The best Android antivirus apps in 2025 - Tom's Guide - January 13th, 2025 [January 13th, 2025]
- GIMP vs Krita: which free software is best for you? - Creative Bloq - January 6th, 2025 [January 6th, 2025]
- Mensla MS-3, free waveshaper Synthesizer plugin for macOS and Windows - Synth Anatomy - January 6th, 2025 [January 6th, 2025]
- Tesla fixes TPMS issue on nearly 700,000 vehicles with free software update - Drive Tesla Canada - December 25th, 2024 [December 25th, 2024]
- STRACKALINE TO OFFER EXCLUSIVE FREE SOFTWARE ACCESS AT THE 2025 PGA SHOW (BOOTH 2808) - The Golf Wire - December 18th, 2024 [December 18th, 2024]