Programmer and security expert Paul Price has released a new web app called Shhgit. The tool scans public code on GitHub for private cryptographic keys and similar secrets, which third parties could use to cause data breaches. Price notes that developers sometimes leak secrets into public code repositories unwittingly. To avoid such situations, Price said, “config files should be encrypted with an environment-based key.” His tool helps developers find secrets that have been accidentally committed, so they can remove that sensitive information before attackers exploit it.
Price also states in his blog post:
“What I wasn’t expecting to find was valid package manager API keys, i.e., npm for Node.js; PyPI for Python; and NuGet for C#. The total number of downloads for these packages is in the millions. And the majority of these keys had publishing permissions. Meaning a bad actor could theoretically embed malicious code into the packages, reupload them without detection, and potentially infect millions of devices.”
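The kind of check described above, run on the developer's own side before a commit leaves the machine, can be illustrated with a small scanner. The following is an added example written for this page; it is not Shhgit's code and does not reproduce Shhgit's rule set. It combines one known-format rule (AWS access key ids, which always begin with `AKIA`) with a generic rule that flags credential-like names assigned a literal value, grading each hit by length and Shannon entropy. The sample lines, the keyword list, and the thresholds `MIN_LEN` and `MIN_ENTROPY` are constructed assumptions; the AWS key id is the example value AWS uses in its own documentation.

```python
import math
import re
from dataclasses import dataclass

# Constructed sample lines standing in for the diff a pre-commit hook sees.
# None of these values are real credentials; the AWS key id is the example
# key AWS publishes in its documentation.
SAMPLE_LINES = [
    'AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"',
    'npm_token=npm_aB3dEfGhIjKlMnOpQrStUvWxYz0123456789',
    'password = "hunter2"',
    'api_secret = "8f3a1c9e2b7d4f6a0c5e9b1d3f7a2c4e"',
    'LOGO_URL = "https://example.com/logo.png"',
    'db_password = os.environ["DB_PASSWORD"]',
]

# Known-format rule: AWS access key ids are 20 characters starting with AKIA.
KNOWN_FORMATS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
}

# Generic rule: a credential-like name assigned a literal value.
ASSIGNMENT = re.compile(
    r"(?i)(password|passwd|secret|token|api[_-]?key)\s*[:=]\s*[\"']?([^\"'\s]+)"
)

# Values that merely reference the environment are the desired pattern, not leaks.
ENV_REFERENCE = re.compile(r"(?i)environ|getenv|\$\{|process\.env")

# Heuristic thresholds (assumptions; tune per code base).
MIN_LEN = 16
MIN_ENTROPY = 3.5


@dataclass
class Finding:
    line_no: int
    kind: str
    value: str
    confidence: str


def shannon_entropy(s: str) -> float:
    """Bits per character: about 4 for random hex, above 5 for random base64."""
    if not s:
        return 0.0
    n = len(s)
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_lines(lines):
    """Return one Finding per line that looks like a committed secret."""
    findings = []
    for line_no, line in enumerate(lines, start=1):
        matched = False
        for kind, pattern in KNOWN_FORMATS.items():
            m = pattern.search(line)
            if m:
                findings.append(Finding(line_no, kind, m.group(0), "high"))
                matched = True
                break
        if matched:
            continue
        m = ASSIGNMENT.search(line)
        if not m:
            continue
        value = m.group(2)
        if ENV_REFERENCE.search(value):
            continue  # value is read from the environment at runtime
        strong = len(value) >= MIN_LEN and shannon_entropy(value) >= MIN_ENTROPY
        findings.append(
            Finding(line_no, "credential_literal", value, "high" if strong else "low")
        )
    return findings


def redact(value: str) -> str:
    """Show only a prefix so the report itself does not re-leak the secret."""
    return value[:4] + "…" if len(value) > 4 else "****"


if __name__ == "__main__":
    for f in scan_lines(SAMPLE_LINES):
        print(f"line {f.line_no}: {f.kind} ({f.confidence}) {redact(f.value)}")
```

Short, low-entropy passwords such as `hunter2` are still reported, but only at low confidence, which is why a keyword rule is kept alongside the entropy heuristic. Any value the scanner flags in a commit that has already been pushed should be treated as compromised and rotated; deleting it from the repository is not sufficient on its own.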