Credentials for thousands of open source projects free for the taking, again! – Ars Technica
A service that helps open source developers write and test software is leaking thousands of authentication tokens and other security-sensitive secrets. Many of these leaks allow hackers to access the private accounts of developers on GitHub, Docker, AWS, and other code repositories, security experts said in a new report.
The tokens give anyone with access to them the ability to read or modify the code stored in repositories that distribute an untold number of ongoing software applications and code libraries. The ability to gain unauthorized access to such projects opens the possibility of supply chain attacks, in which threat actors tamper with software before it's distributed to users. The attackers can leverage their ability to tamper with the app to target huge numbers of projects that rely on the app in production servers.
Despite this being a known security concern, the leaks have continued, researchers in the Nautilus team at the Aqua Security firm are reporting. Two batches of data the researchers accessed using the Travis CI programming interface yielded 4.28 million and 770 million logs from 2013 through May 2022. After sampling a small percentage of the data, the researchers found what they believe are 73,000 tokens, secrets, and various credentials.
"These access keys and credentials are linked to popular cloud service providers, including GitHub, AWS, and Docker Hub," Aqua Security said. "Attackers can use this sensitive data to initiate massive cyberattacks and to move laterally in the cloud. Anyone who has ever used Travis CI is potentially exposed, so we recommend rotating your keys immediately."
Travis CI is a provider of an increasingly common practice known as continuous integration. Often abbreviated as CI, it automates the process of building and testing each code change that has been committed. For every change, the code is regularly built, tested, and merged into a shared repository. Given the level of access CI needs to work properly, the environments usually store access tokens and other secrets that provide privileged access to sensitive parts inside the cloud account.
The access tokens found by Aqua Security involved private accounts of a wide range of repositories, including GitHub, AWS, and Docker.
Examples of access tokens that were exposed include:
The following graph shows the breakdown:
Aqua Security researchers added:
We found thousands of GitHub OAuth tokens. It's safe to assume that at least 10-20% of them are live. Especially those that were found in recent logs. We simulated in our cloud lab a lateral movement scenario, which is based on this initial access scenario:
1. Extraction of a GitHub OAuth token via exposed Travis CI logs.
2. Discovery of sensitive data (i.e., AWS access keys) in private code repositories using the exposed token.
3. Lateral movement attempts with the AWS access keys in AWS S3 bucket service.
4. Cloud storage object discovery via bucket enumeration.
5. Data exfiltration from the target's S3 to attacker's S3.
Travis CI representatives didn't immediately respond to an email seeking comment for this post. Given the recurring nature of this exposure, developers should proactively rotate access tokens and other credentials periodically. They should also regularly scan their code artifacts to ensure they don't contain credentials. Aqua Security has additional advice in its post.
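As an added illustration of the scanning advice above (not code from Ars Technica, Aqua Security, or Travis CI), the following sketch checks build-log text for the credential types named in the article and redacts them. The token shapes are assumptions based on the vendors' published formats, and the function names and sample log are constructed for this example.

```python
import hashlib
import re

# Token shapes follow the vendors' published formats; names here are illustrative.
PATTERNS = {
    "github_token": re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36}\b"),
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[A-Z0-9]{16}\b"),
    # Legacy 40-hex GitHub tokens look like commit SHAs, so only flag them
    # when they sit in the credential position of a github.com URL.
    "github_legacy_token_in_url": re.compile(
        r"https://([0-9a-f]{40})(?::x-oauth-basic)?@github\.com"),
}

def _fingerprint(secret):
    """Identify a finding without re-leaking it in the scan report."""
    digest = hashlib.sha256(secret.encode()).hexdigest()[:12]
    return f"{secret[:4]}...sha256:{digest}"

def scan_log(text):
    """Return (line_number, kind, fingerprint) for each suspected secret."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in PATTERNS.items():
            for m in pattern.finditer(line):
                secret = m.group(m.lastindex or 0)
                findings.append((lineno, kind, _fingerprint(secret)))
    return findings

def redact(text):
    """Mask only the secret itself, keeping surrounding context readable."""
    def mask(m):
        start, end = m.span(m.lastindex or 0)
        whole, off = m.group(0), m.start(0)
        return whole[:start - off] + "[REDACTED]" + whole[end - off:]
    for pattern in PATTERNS.values():
        text = pattern.sub(mask, text)
    return text

# Constructed sample log (not real credentials), built by concatenation.
SAMPLE_LOG = "\n".join([
    "$ git clone https://" + "01234567" * 5 + "@github.com/example/private.git",
    "commit 89abcdef0123456789abcdef0123456789abcdef",
    "$ export GITHUB_TOKEN=ghp_" + "A1b2C3d4E5f6" * 3,
    "$ export AWS_ACCESS_KEY_ID=AKIA" + "EXAMPLEKEY012345",
    "$ export AWS_SECRET_ACCESS_KEY=[secure]",
])

if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

A hit on a log that has ever been publicly readable means the credential should be rotated; redacting the log afterward does not make the old value safe.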