Private Key Exposed in GitHub Repo

A trending GitHub repo. (~100K star) A private key is sitting openly in the code. Here's the full Relia scan report📄 https://lnkd.in/d4zKQZYE

A trending GitHub repo. Thousands of developers using it. A private key sitting openly in the code. Nobody noticed. 😶 We scanned it with Relia today. 41 issues. 6 critical. The ones that shocked us most — 🔴 Private key exposed in source code 🔴 Anyone could read any file on the server (path traversal) 🔴 Hardcoded passwords in 10+ files 🔴 Access control completely bypassable 🔴 A bug that crashes the entire pricing system silently This is not a hobby project. This is something people are actively forking and deploying. Right now. In production. The scariest part? The developer probably has no idea. Most developers don't. You write the code. You ship it. You move on. Nobody tells you what's broken until it's too late. That's the gap Relia fills. Paste your repo. Get your full report in minutes. Know before someone else finds it for you. 👇 Full report of this scan in the first comment. See every issue we found — open, detailed, free to read. #GitHub #OpenSource #CodeSecurity #Relia #BuildInPublic #DevTools #CyberSecurity #IndieHackers #VibeCoding

For my final year project, I really didn't want to just write a theoretical paper. I wanted to see how attacks actually happen in real-time. So, my project partner and I decided to build a custom, AI-driven deception network from scratch. The idea was simple but the execution was tough: instead of just trying to block attackers, we wanted to trap them, study them, and adapt to their movements. We set up isolated lab environments and deployed Cowrie and Dionaea honeypots using Docker to safely capture what the attackers were trying to do. The coolest part? Figuring out the log pipeline. Routing all that raw interaction data through Filebeat into Logstash, and finally getting it to visualize in Elasticsearch and Kibana, was a massive learning curve, but totally worth it. We’re now gearing up to simulate a full, stealthy APT attack using Kali Linux against our Ubuntu Server setup to see how the system holds up. Has anyone else built out an ELK stack for their home lab? Would love to hear how you optimized your log parsing! #cybersecurity #ELKStack #HomeLab #SOCAnalyst #ThreatDetection #StudentProject #ThreatHunting Muhammad Faheem SNSKIES Tauseef Ahmed NADEEM IQBAL Dr. Jan Badshah

Anthropic accidentally leaked Claude Code's source code via a packaging error — exposing ~512,000 lines across 1,900 files. Then, while trying to clean it up, their DMCA takedown swept up ~8,100 GitHub repos — including legitimate forks of their own public repository. The company has since retracted the bulk of the notices and GitHub restored access, but the damage to developer trust is done. Key takeaways: → Release management matters as much as the product itself → Overbroad legal action can backfire fast → Transparency and quick correction helped limit the fallout This is Anthropic's third code/data leak in under a year — right as they reportedly prepare for an IPO. 📰 Source: TechCrunch, The New Stack #TechNews #Anthropic #ClaudeCode #GitHub #AI #CyberSecurity #DeshTek

A single git push was enough to own GitHub’s backend infrastructure. Wiz Research just disclosed CVE-2026-3854 (CVSS 8.7) and the details are worth a close read. The attack: ✦ Unsanitized push option values allowed injection into GitHub’s internal protocol headers ✦ 3 chained injections: override rails_env → hijack custom_hooks_dir → path traversal via repo_pre_receive_hooks ✦ Result: arbitrary RCE as the git service user, with read access to repos across shared storage nodes What makes this stand out: ✦ Wiz used IDA MCP for AI-assisted reverse engineering of closed-source binaries, likely one of the first critical CVEs discovered this way ✦ GitHub patched GitHub.com in under 2 hours. Forensics confirmed zero exploitation before disclosure ✦ ~88% of GitHub Enterprise Server instances remain unpatched as of today If you run GHES, upgrade to 3.19.4+ immediately. The broader lesson: when services written in different languages share an internal protocol, each service’s assumptions about that data become an attack surface. AI is now accelerating vulnerability research in closed-source systems. That’s a shift worth watching. Source: - https://lnkd.in/ecAFrQM3 - https://lnkd.in/eA4PEsvE #GitHub #CVE #CloudSecurity #AppSec #MCP #AIInSecurity #DevSecOps #InfoSec #RCE #CyberSecurity

A few weeks ago I posted about launching V1 of my portfolio. Since then I've completely rebuilt it from the ground up. 🚀 Same URL, very different site - not in the way you may expect. What changed: 🔹Migrated from SQLite to PostgreSQL 🔹Added a full admin panel with RBAC, audit logging, and server-side session management 🔹Built a blog and project management system with Markdown support 🔹Moved to a self-managed Hetzner VPS with Nginx + Gunicorn 🔹Kept Cloudflare Tunnels, origin IP still never exposed Security was a big focus this time around: 🔹HSTS, CSP, Permissions-Policy headers 🔹Scrypt password hashing, rate limiting, magic bytes image validation 🔹fail2ban, UFW, SSH key-only on a non-standard port 🔹107 automated tests covering auth, CRUD, XSS, and security headers It is not just a portfolio anymore. It is a live project I will keep building on as I work toward running everything from my own home lab. Check it out: www.charles-thomas.dev #python #flask #cybersecurity #homelab #networking #buildinpublic

A few weeks ago I posted about launching V1 of my portfolio. Since then I've completely rebuilt it from the ground up. 🚀 Same URL, very different site - not in the way you may expect. What changed: 🔹Migrated from SQLite to PostgreSQL 🔹Added a full admin panel with RBAC, audit logging, and server-side session management 🔹Built a blog and project management system with Markdown support 🔹Moved to a self-managed Hetzner VPS with Nginx + Gunicorn 🔹Kept Cloudflare Tunnels, origin IP still never exposed Security was a big focus this time around: 🔹HSTS, CSP, Permissions-Policy headers 🔹Scrypt password hashing, rate limiting, magic bytes image validation 🔹fail2ban, UFW, SSH key-only on a non-standard port 🔹107 automated tests covering auth, CRUD, XSS, and security headers It is not just a portfolio anymore. It is a live project I will keep building on as I work toward running everything from my own home lab. Check it out: www.charles-thomas.dev #python #flask #cybersecurity #homelab #networking #buildinpublic

Your entire CI/CD pipeline just became a backdoor. Here’s how one developer’s npm install turned into a full-scale supply chain breach. The Problem The Bitwarden CLI ` bitwarden/cli 2026.4.0` was compromised via a compromised GitHub Action in the CI/CD pipeline. The malicious code was executed through a preinstall hook. The Agitation This isn’t a simple data leak. The malware: - Steals GitHub/npm tokens, SSH keys, `.env` files, shell history, and cloud secrets. - Targets AI coding tool configurations Claude, Cursor, Codex CLI . - Encrypts stolen data with AES-256-GCM and exfiltrates it to `audit.checkmarx . cx`. - Uses stolen GitHub tokens to inject malicious Actions workflows into repositories. One infected developer token can compromise every CI/CD pipeline it touches. The data is publicly exfiltrated to GitHub repositories, making it accessible to anyone searching. The Solution This attack exploits trusted publishing and supply chain vulnerabilities that most teams overlook. Your immediate actions: - Audit all npm packages for suspicious preinstall hooks. - Rotate all GitHub tokens and npm credentials immediately. - Review GitHub Actions workflows for unauthorized modifications. - Monitor for exfiltration to public repositories with Dune-themed naming patterns. The attack vector is clear: compromised CI/CD pipelines. The defense requires zero-trust for every dependency. How is your team securing your infrastructure against this type of exploitation? Let’s discuss in the comments below. #SupplyChainSecurity #DevSecOps #CICDPipeline

9 hours and 41 minutes. That's how long it took from CVE disclosure to active exploitation in the wild. CVE-2026-39987 hit Marimo — the Python notebook with 18K GitHub stars and 1M+ monthly downloads — with a 9.3 CVSS pre-auth RCE. The bug is embarrassingly simple. Every endpoint in Marimo calls validate_auth(). Every endpoint except /terminal/ws. That WebSocket just checks your OS platform and hands you a full PTY shell. No token. No session. Nothing. One WebSocket connection = root access to the host. Sysdig's honeypots caught the first exploit attempts before most teams even read the advisory. Complete credential theft took under 3 minutes from initial connection. What makes this worse: versions through 0.20.4 are all vulnerable. The fix isn't in 0.20.5 — it's in 0.23.0. Three full minor versions shipped with this endpoint wide open before anyone added auth to it. CISA added it to the KEV catalog. The federal patch deadline is today, April 11. If you're running Marimo on anything network-accessible — a cloud VM, a shared dev box, even localhost with port forwarding — you need to update right now. Not after standup. Not after lunch. Patch-Tuesday thinking is dead for developer tools exposed to the internet. A 10-hour exploit window doesn't care about your change management process. How many other developer tools are sitting on unauthenticated WebSocket endpoints right now? #CyberSecurity #CVE #Python #DevSecOps #InfoSec

THOUSANDS OF ANTHROPIC API KEYS ARE SITTING EXPOSED ON GITHUB RIGHT NOW. Anyone can find them. Search "claude_desktop_config" on GitHub. Hundreds of real API keys. Sitting in public repos. Uploaded by people who had no idea they were leaking their credentials to the entire internet. This is the dark side of vibe coding nobody talks about. People are shipping fast. Pasting config files. Pushing to GitHub without thinking. And leaving the keys to their entire AI stack exposed to anyone who knows where to look. If you use Claude and have ever pushed a config file to a public repo you need to check this right now. Go to Anthropic console. Regenerate your API keys. Set up a .gitignore that blocks config files before you push anything ever again. The vibe coding wave is real and powerful. But moving fast and leaking your keys is not shipping. It is leaving your front door open and wondering why someone walked in. Check your repos today. #github #cybersecurity