Credentials for thousands of open source projects free for the taking, again! – Ars Technica
A service that helps open source developers write and test software is leaking thousands of authentication tokens and other security-sensitive secrets. Many of these leaks allow hackers to access the private accounts of developers on GitHub, Docker, AWS, and other code repositories, security experts said in a new report.
The tokens give anyone with access to them the ability to read or modify the code stored in repositories that distribute an untold number of ongoing software applications and code libraries. The ability to gain unauthorized access to such projects opens the possibility of supply chain attacks, in which threat actors tamper with software before it's distributed to users. The attackers can leverage their ability to tamper with the app to target huge numbers of projects that rely on the app in production servers.
Despite this being a known security concern, the leaks have continued, researchers in the Nautilus team at the Aqua Security firm are reporting. A series of two batches of data the researchers accessed using the Travis CI programming interface yielded 4.28 million and 770 million logs from 2013 through May 2022. After sampling a small percentage of the data, the researchers found what they believe are 73,000 tokens, secrets, and various credentials.
"These access keys and credentials are linked to popular cloud service providers, including GitHub, AWS, and Docker Hub," Aqua Security said. "Attackers can use this sensitive data to initiate massive cyberattacks and to move laterally in the cloud. Anyone who has ever used Travis CI is potentially exposed, so we recommend rotating your keys immediately."
Travis CI is a provider of an increasingly common practice known as continuous integration. Often abbreviated as CI, it automates the process of building and testing each code change that has been committed. For every change, the code is regularly built, tested, and merged into a shared repository. Given the level of access CI needs to work properly, the environments usually store access tokens and other secrets that provide privileged access to sensitive parts inside the cloud account.
The access tokens found by Aqua Security involved private accounts of a wide range of repositories, including GitHub, AWS, and Docker.
Examples of access tokens that were exposed include:
The following graph shows the breakdown:
Aqua Security researchers added:
We found thousands of GitHub OAuth tokens. It's safe to assume that at least 10-20% of them are live. Especially those that were found in recent logs. We simulated in our cloud lab a lateral movement scenario, which is based on this initial access scenario:
1. Extraction of a GitHub OAuth token via exposed Travis CI logs.
2. Discovery of sensitive data (i.e., AWS access keys) in private code repositories using the exposed token.
3. Lateral movement attempts with the AWS access keys in AWS S3 bucket service.
4. Cloud storage object discovery via bucket enumeration.
5. Data exfiltration from the target's S3 to attacker's S3.
Travis CI representatives didn't immediately respond to an email seeking comment for this post. Given the recurring nature of this exposure, developers should proactively rotate access tokens and other credentials periodically. They should also regularly scan their code artifacts to ensure they don't contain credentials. Aqua Security has additional advice in its post.
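The scanning advice above can be applied to your own build logs before they are published. The sketch below is an added example, not code from Ars Technica, Aqua Security or Travis CI: it looks for the credential types named in the article and reports them redacted. The sample log is constructed, and the generic rule is a heuristic assumption.

```python
import re

# Token formats for the providers named in the article. The prefixes are the
# publicly documented ones; the generic rule is a heuristic (assumption).
RULES = {
    "github_token": re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36,}\b"),
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[A-Z0-9]{16}\b"),
    "docker_hub_pat": re.compile(r"\bdckr_pat_[A-Za-z0-9_-]{20,}\b"),
    "generic_assignment": re.compile(
        r"(?i)\b[\w-]*(?:token|secret|passw(?:or)?d|api_?key)[\w-]*\s*[=:]\s*"
        r"['\"]?([^\s'\"]{8,})"),
}
MASKED = "[secure]"  # placeholder Travis CI prints for values it has masked

# Constructed sample log. The token is assembled from filler characters and
# the AWS key is the example value from AWS documentation.
SAMPLE_LOG = "\n".join([
    "$ export DOCKER_PASSWORD=[secure]",
    "$ git clone https://" + "gho_" + "a1B2" * 9 + "@github.com/example/repo.git",
    "$ aws configure set aws_access_key_id AKIAIOSFODNN7EXAMPLE",
    "Setting deploy_token: 's3cr3t-constructed-value'",
    "Build finished",
])


def redact(value):
    """Keep only enough of a secret to locate it; never echo it whole."""
    return value[:4] + "*" * (len(value) - 4)


def scan_log(text):
    """Return (line_no, rule, redacted_value) for each suspected secret."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        seen = set()  # avoid reporting one value under two rules
        for rule, pattern in RULES.items():
            for m in pattern.finditer(line):
                value = m.group(m.lastindex or 0)
                if value == MASKED or value in seen:
                    continue
                seen.add(value)
                findings.append((no, rule, redact(value)))
    return findings


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

Any hit means the credential should be rotated, since the log may already have been read; masking or deleting the log afterwards does not undo the exposure.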