Exposed API Keys on GitHub: A Vibe Coding Risk

Anthropic has acknowledged that thousands of GitHub repositories were unintentionally taken down after a copyright-based effort to remove leaked Claude Code source code. Head of Claude Code Boris Cherny indicated the scope expanded due to repository network structures, impacting around 8,100 repos before most were restored as the company works to contain the exposure. https://lnkd.in/eySY3SZN #AI #ArtificialIntelligence #Developers #GitHub #Cybersecurity #Tech GitHub

Anthropic accidentally leaked Claude Code's source code via a packaging error — exposing ~512,000 lines across 1,900 files. Then, while trying to clean it up, their DMCA takedown swept up ~8,100 GitHub repos — including legitimate forks of their own public repository. The company has since retracted the bulk of the notices and GitHub restored access, but the damage to developer trust is done. Key takeaways: → Release management matters as much as the product itself → Overbroad legal action can backfire fast → Transparency and quick correction helped limit the fallout This is Anthropic's third code/data leak in under a year — right as they reportedly prepare for an IPO. 📰 Source: TechCrunch, The New Stack #TechNews #Anthropic #ClaudeCode #GitHub #AI #CyberSecurity #DeshTek

A trending GitHub repo. (~100K star) A private key is sitting openly in the code. Nobody noticed. 😶 We scanned it with Relia today. 41 issues. 6 critical. The ones that shocked us most - 🔴 Private key exposed in source code 🔴 Anyone could read any file on the server (path traversal) 🔴 Hardcoded passwords in 10+ files 🔴 Access control is completely bypassable 🔴 A bug that crashes the entire pricing system silently This is not a hobby project. This is something people are actively forking and deploying. Right now. In production. The scariest part? The developer probably has no idea. You write the code. You ship it. You move on. Nobody tells you what's broken until it's too late. That's the gap Relia fills. Paste your repo. Get your full report in minutes. Know before someone else finds it for you. 👇 Full report of this scan in the first comment. See every issue we found - open, detailed, free to read. #GitHub #OpenSource #CodeSecurity #Relia #BuildInPublic #DevTools #CyberSecurity #IndieHackers #Ai #HermesAgent #PublicRepo #Vibecon #Vibecoding

A trending GitHub repo. (~100K star) A private key is sitting openly in the code. Here's the full Relia scan report📄 https://lnkd.in/d4zKQZYE

A GitHub branch name was enough to steal the very token Codex used to authenticate with GitHub. On March 30, 2026, BeyondTrust Phantom Labs detailed a critical command-injection flaw in OpenAI Codex. By crafting a malicious branch name, an attacker could inject arbitrary shell commands. This didn't just affect one interface—it compromised the web app, CLI, SDK, and the IDE extension. The vulnerability turned the agent's own credentials into a liability, allowing for automated token theft across repositories. The timeline from disclosure to hardening shows the complexity of securing coding agents: → December 2025: Initial hotfix deployed. → January 2026: Iterative shell-escape hardening and restricted token access. Lessons from this breach: 🔹 Input sanitization is non-negotiable for AI agents, especially when they act as an interface between users and external platforms. 🔹 Treat your agent's credentials as high-privilege assets. If it has access to GitHub, your agent has your keys. 🔹 Hardening isn't a single patch; it requires architectural changes to limit what a compromised agent can actually touch. How do you handle credential isolation for the AI tools integrated into your dev workflow? #CyberSecurity #OpenAICodex #DevSecOps #SupplyChainSecurity #BuildInPublic

Vercel got hacked. And honestly, the data isn’t the scary part. It’s the reminder of how fragile our stack really is. One OAuth click. One token. That’s enough to move across tools, repos, pipelines. We don’t just write code anymore. We trust entire ecosystems. And sometimes… we don’t even remember what we’ve given access to. Wrote a quick breakdown here: 👉 https://lnkd.in/dmXTqNgP Curious how others are thinking about this. #cybersecurity #devops #webdev #javascript

A trending GitHub repo. Thousands of developers using it. A private key sitting openly in the code. Nobody noticed. 😶 We scanned it with Relia today. 41 issues. 6 critical. The ones that shocked us most — 🔴 Private key exposed in source code 🔴 Anyone could read any file on the server (path traversal) 🔴 Hardcoded passwords in 10+ files 🔴 Access control completely bypassable 🔴 A bug that crashes the entire pricing system silently This is not a hobby project. This is something people are actively forking and deploying. Right now. In production. The scariest part? The developer probably has no idea. Most developers don't. You write the code. You ship it. You move on. Nobody tells you what's broken until it's too late. That's the gap Relia fills. Paste your repo. Get your full report in minutes. Know before someone else finds it for you. 👇 Full report of this scan in the first comment. See every issue we found — open, detailed, free to read. #GitHub #OpenSource #CodeSecurity #Relia #BuildInPublic #DevTools #CyberSecurity #IndieHackers #VibeCoding

Heads up... If you've been following the Claude Code source leak from March 31, threat actors are already on it. Here's what happened fast: ▪ Anthropic accidentally shipped 513k lines of unobfuscated TypeScript in a source map via npm ▪ Within HOURS it was mirrored on GitHub, racking up tens of thousands of stars ▪ A fake repo titled "Leaked Claude Code" popped up promising unlocked enterprise features... and delivered Vidar infostealer + GhostSocks proxy malware instead ▪ The malicious link was ranking near the TOP of Google results at peak curiosity That's the play. Exploit the hype window before anyone catches on. Why devs are high-value targets: source repos, CI/CD access, cloud creds, API keys. *One compromised dev machine can cascade FAST.* If your team touched Claude Code on March 31 between 00:21 and 03:29 UTC, downgrade and rotate your secrets. Now. Quick checklist: ✅ Alert your dev and security teams ✅ Query endpoints for ClaudeCode_x64.exe ✅ Check Zscaler ThreatLabz for the full IOC set ✅ Watch for typosquatted npm packages from "pacifier136" ✅ Only install Claude Code from Anthropic's official npm package The curiosity tax is real. Verify before you download. #CyberSecurity #InfoSec #Developer #SupplyChainSecurity #AI #Anthropic #npm #ThreatIntelligence

📰 **Hackers Exploit GitHub Copilot Flaw to Exfiltrate Sensitive Data** A high-severity flaw in GitHub Copilot Chat allowed silent theft of source code, API keys, and secrets from private repos without executing code. 🔗 [Citeste articolul aici](https://lnkd.in/dG9JW8SR)

SBOMs catalog your application dependencies. But what catalogs your pipeline dependencies? After the Trivy supply chain compromise last week, we found that most teams couldn't answer a basic question: which of our CI/CD pipelines were actually affected? The problem isn't just direct references. A single "uses:" line in a GitHub Actions workflow can resolve to a chain of five or six nested actions, any one of which could be compromised. Grep your workflows for "trivy-action" and you'll miss the composite actions that silently download and run Trivy internally. So we built ABOM, an open-source tool that generates an Actions Bill of Materials for any GitHub repository. Think SBOM, but for your CI/CD pipeline. It resolves transitive dependencies recursively, detects embedded tools that don't show up as action dependencies, checks against known-compromised actions, and exports to CycloneDX and SPDX so you can plug it into your existing toolchain. Open source, Apache 2.0. Install link and full writeup on the Juliet blog. #opensource #supplychain #cybersecurity #github #kubernetes #devsecops