Summary: Threat actors are ramping up scanning efforts for exposed Git configuration files, which can leak sensitive data and credentials, with a significant increase in such activity noted between April 20-21, 2025. This reconnaissance technique poses serious risks, as demonstrated by previous incidents where credentials were stolen to compromise systems and repos. Organizations worldwide, especially in Singapore, the U.S., and Germany, are urged to implement protective measures against these threats.
Affected: Organizations utilizing Git repositories and cloud services
Keypoints:
- Recent analysis from GreyNoise indicates a dramatic rise in IP addresses scanning for exposed Git configs, with nearly 4,800 unique IPs recorded daily.
- Previously successful operations leveraging such scans have led to the theft of 15,000 cloud credentials, highlighting the severe implications of exposure.
- Recommended mitigation strategies include blocking access to .git/ directories, reviewing server logs for unusual access, and rotating any potentially compromised credentials.
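One way to carry out the log review recommended above, as an added example that is not from GreyNoise or the original summary: it assumes a web server writing combined-format access logs, and the sample lines (documentation-range IPs) are constructed. It separates `.git/` requests that the server actually answered with content from those it refused, since only the former call for credential rotation.

```python
import re
from collections import defaultdict
from urllib.parse import unquote, urlsplit

# Constructed sample lines in combined log format (documentation IP ranges).
SAMPLE_LOG = """\
203.0.113.7 - - [21/Apr/2025:03:14:07 +0000] "GET /.git/config HTTP/1.1" 200 312 "-" "curl/8.0"
203.0.113.7 - - [21/Apr/2025:03:14:08 +0000] "GET /.git/HEAD HTTP/1.1" 200 23 "-" "curl/8.0"
198.51.100.22 - - [21/Apr/2025:04:01:55 +0000] "GET /app/%2egit/config HTTP/1.1" 404 153 "-" "-"
192.0.2.10 - - [21/Apr/2025:04:02:10 +0000] "GET /docs/git-intro.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.22 - - [21/Apr/2025:04:03:00 +0000] "HEAD /.git/config?x=1 HTTP/1.1" 403 0 "-" "-"
not a log line
"""

# client IP, method, request target, status code
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)[^"]*" (\d{3}) ')


def git_path(target):
    """Return the decoded path if any segment is '.git', else None."""
    path = unquote(urlsplit(target).path)  # drop query string, decode %2e etc.
    segments = [seg.lower() for seg in path.split("/")]
    return path if ".git" in segments else None


def scan(log_text):
    """Return {client_ip: {"served": [...], "not_served": [...]}} for .git requests."""
    hits = defaultdict(lambda: {"served": [], "not_served": []})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the assumed format
        ip, _method, target, status = m.groups()
        path = git_path(target)
        if path is not None:
            # A 2xx status means repository data was returned to the client.
            bucket = "served" if status.startswith("2") else "not_served"
            hits[ip][bucket].append(path)
    return dict(hits)


if __name__ == "__main__":
    for ip, r in scan(SAMPLE_LOG).items():
        verdict = "EXPOSED, rotate credentials" if r["served"] else "probe only"
        print(f"{ip}: {verdict}: served={r['served']} not_served={r['not_served']}")
```

Any address with a non-empty `served` list received repository files, so credentials referenced in that repository's config or history should be treated as compromised.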