
Posted by elza_1111 7/3/2025

I scanned all of GitHub's "oops commits" for leaked secrets (trufflesecurity.com)
203 points | 110 comments | page 2
abhisek 7/3/2025|
The thing people miss is that Git is really content-addressed storage. This means all commits, even the ones not linked to any refs, are still stored and addressable.

p.s: If you run an OSS project, please use GitHub Advanced Security and enable Push Protection against secrets.

exceptione 7/3/2025|
Are you talking about the local branch and the local reflog?

I thought garbage collection should get rid of all dangling stuff. But even without that, I am curious if pushing a branch would push the dangling commits as well.

xyst 7/3/2025||
One of the reasons I keep `.env` and `.env.*` files in my global ignore file.
stogot 7/4/2025||
Crypto miners have been doing this for 10-12 years at least. I used to speak on this topic regularly. Deleted commits are insufficient; you must rotate your secrets.
raesene9 7/3/2025||
An interesting look at one of the consequences of using git and public repos.

Does leave me wondering how long before someone has a setup which detects and tries to exploit these in real-time, which feels like it could be nasty.

Also a challenge with these posts is that they were unlikely to have been able to contact all the affected developers who have exposed secrets, meaning that any who were uncontactable/non-responsive are likely still vulnerable now. I'd guess that means they're about to see what happens if those secrets get abused, as people start exploring this more...

matsemann 7/3/2025||
There are hundreds of setups like that already. If you push an AWS key or similar publicly you may have a bitcoin miner or botnet running on your cloud in a matter of minutes.
raesene9 7/3/2025|||
The point here being the blog is about looking for oops commits to spot keys that would otherwise not necessarily be picked up automatically...
sunbum 7/3/2025|||
Nope. Because if you push an AWS key then it gets automatically revoked by AWS.
matsemann 7/3/2025|||
AWS was just an example, but it kinda proves my point though, that people are already monitoring this ;)
larntz 7/3/2025|||
I wouldn't rely on anything other than rotating leaked credentials.
hboon 7/3/2025||
There are already people scanning git repos for Bitcoin/Ethereum/crypto keys and exploiting them immediately.
2OEH8eoCRo0 7/3/2025|||
Not just Git either. Push a container to Docker Hub and you'll get instant downloads. Presumably people scanning containers for secrets.
raesene9 7/3/2025|||
There's a lot of secret classes that aren't necessarily automatically scanned for. The Oops commit is a good signal that something shouldn't have been committed, even if automated scanners don't get it.
kristopolous 7/3/2025||
I wonder if you can honeypot this.
NoahZuniga 7/3/2025||
I find it hard to believe that they could have made $25k with this. There are companies that scan all commits on gh for secrets, using similar techniques for finding secrets in files.
Sayrus 7/3/2025||
"70% of secrets leaked in 2022 remain valid today"[1] is a quote that should help understand the situation.

[1] https://blog.gitguardian.com/the-state-of-secrets-sprawl-202...

xarope 7/3/2025|||
This is specifically about deleted commits, which even if deleted locally are not deleted on GH, hence why he was able to find deleted .envs etc.
bashwizard 7/3/2025|||
I'm surprised that it's not more. A couple of years ago I spent a few months basically github dorking for leaked api keys and made more than that.
wordofx 7/3/2025||
Congrats on commenting without reading the article.
diogolsq 7/3/2025||
One more reason to activate key rotation.
xlii 7/3/2025||
Probably worth mentioning that force is a ref-related activity, not a snapshot-related activity. Garbage collection might remove unreferenced commits.

This should be done through history rewrites, but as other commenters mention - GitHub has its own rights (and GitHub != git).

I’d recommend looking at simpler alternatives. IMO Jujutsu is mature enough for daily usage, and Fossil is a neat alternative if one wants to drop GitHub completely (albeit not very easy to use).

v3ss0n 7/3/2025||
Daily reminder:

- Once it is on the internet, it is always there, so rotate the key/secrets FIRST.

- Never think secrets are gone because you have recommitted.

- Deleting a commit is not enough; use BFG Cleaner - https://rtyley.github.io/bfg-repo-cleaner/ - and force commit to change history.

Edit: Forgot to add the most important thing - rotating the key.

weird-eye-issue 7/3/2025||
I think you mean "rotate the keys"
GrandaPanda 7/3/2025|||
Had it correct in the first two points, then contradicted yourself with the last. Rotate your secrets.
v3ss0n 7/3/2025||
Yeah, good point. Rotating secrets is a point I forgot to add.
hnlmorg 7/3/2025||
The problem here is that GitHub keeps the ref logs even for commits that no longer exist.

I don’t see how BFG helps here

v3ss0n 7/3/2025||
It rewrites the history. Isn't that really enough? You can remove all the keys from the git history. And I agree, I forgot the point about rotating the key, which I always do first.
hnlmorg 7/3/2025|||
No it’s not enough. Read the article and it will explain why.

Also, if you’re going to rotate your secrets (which you absolutely should do regardless) then everything else is pointless because it’s now just an invalid credential.

Timwi 7/3/2025|||
It might remove it from your local repo, but not from GitHub, that's the point.
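The behaviour several commenters are describing (abhisek's point that commits are content-addressed and stay fetchable by hash, exceptione's question about whether a push carries dangling commits, xlii's point that a force is a ref operation and only gc removes objects, and Timwi's point that a local rewrite does not touch the host's copy) can be reproduced in a few minutes with throwaway repos. The script below is an added example, not code from the thread or from the article; the helper names (`g`, `make_oops_history`, `has_object`, `purge_local`, and so on), the temp-dir layout and the placeholder `API_KEY` value are all constructed for the demo.

```shell
#!/bin/sh
# Added example, not code from the thread. Builds throwaway repos in a temp dir
# (constructed data; the "secret" is a placeholder) to show three things:
#   1. rewriting a branch and force-pushing changes refs only; the old commit object
#      stays in every repo that already received it, addressable by its hash;
#   2. a push only transfers objects reachable from the pushed ref, so a commit that
#      is already unreachable is NOT sent to a fresh remote;
#   3. locally the object dies only after reflog expiry + gc, and on the remote only
#      when the remote runs gc, which on a hosted service is not under your control.
set -u

# git with a constructed identity so commits work offline; first arg is the repo path.
g() {
  repo="$1"; shift
  git -C "$repo" -c user.name=demo -c user.email=demo@example.invalid \
      -c commit.gpgsign=false "$@"
}

# Create a local repo plus a bare remote, push an "oops" commit carrying .env, then
# rewrite the branch (git reset) and force-push. Prints the hash of the oops commit.
make_oops_history() {
  local_dir="$1"; remote_dir="$2"
  git init -q --bare "$remote_dir"
  git -c init.defaultBranch=main init -q "$local_dir"
  printf 'readme\n' > "$local_dir/README"
  g "$local_dir" add README
  g "$local_dir" commit -q -m "initial"
  printf 'API_KEY=EXAMPLE_NOT_A_REAL_KEY\n' > "$local_dir/.env"   # placeholder, not a real key
  g "$local_dir" add .env
  g "$local_dir" commit -q -m "oops: add .env"
  oops="$(g "$local_dir" rev-parse HEAD)"
  g "$local_dir" remote add origin "$remote_dir"
  g "$local_dir" push -q origin main
  g "$local_dir" reset -q --hard HEAD~1          # branch no longer points at the oops commit
  g "$local_dir" push -q --force origin main     # remote branch rewritten, objects untouched
  printf '%s\n' "$oops"
}

# Push the rewritten branch to a brand-new bare remote at $2; only reachable objects travel.
push_after_rewrite() {
  git init -q --bare "$2"
  g "$1" push -q "$2" main
}

# Exit 0 if the repo at $1 still stores object $2 (looked up by hash, no ref needed).
has_object() { git -C "$1" cat-file -e "$2" 2>/dev/null; }

# Print the .env content carried by commit $2 in repo $1, if the object still exists.
show_leaked_env() { git -C "$1" show "$2:.env" 2>/dev/null; }

# Local cleanup: drop ORIG_HEAD (reset writes it), expire all reflogs, prune unreachable objects.
purge_local() {
  git -C "$1" update-ref -d ORIG_HEAD 2>/dev/null || true
  git -C "$1" reflog expire --expire=now --all
  git -C "$1" gc -q --prune=now
}

# What the remote would have to run; you cannot trigger this on someone else's server.
purge_remote() { git -C "$1" gc -q --prune=now; }

demo() {
  work="$(mktemp -d)"
  oops="$(make_oops_history "$work/local" "$work/origin.git")"
  echo "oops commit $oops is off the branch, yet both copies still serve it:"
  show_leaked_env "$work/local" "$oops"
  show_leaked_env "$work/origin.git" "$oops"
  push_after_rewrite "$work/local" "$work/fresh.git"
  has_object "$work/fresh.git" "$oops" || echo "fresh remote never received it (push sends reachable objects only)"
  purge_local "$work/local"
  has_object "$work/local" "$oops" || echo "local copy gone after reflog expire + gc"
  has_object "$work/origin.git" "$oops" && echo "origin still has it: only rotating the key helps"
  rm -rf "$work"
}
demo
```

Run it with any git installed; it needs no network. The `fresh.git` step answers exceptione's question: a push transfers only objects reachable from the refs you push, so a commit you have already dropped from the branch never travels. The `origin.git` step is Timwi's point: the remote that received the commit before the rewrite keeps it until its own gc runs, which is why the thread converges on rotating the credential rather than scrubbing history.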