
Hackers intensify scans for leaked Git tokens and secrets

Threat actors are intensifying internet-wide scanning for Git configuration files, which can expose sensitive secrets and authentication tokens that are then used to compromise cloud services and source code repositories.

In a new report, researchers at the threat monitoring company GreyNoise recorded a massive increase in searches for exposed Git configurations between April 20 and 21, 2025.

“GreyNoise observed almost 4,800 unique IP addresses daily from 20 to 21 April, marking a significant increase compared to typical levels,” GreyNoise said in the report.

“Although the activity was distributed worldwide, Singapore ranked as both a top source and a destination for sessions, followed by the USA and Germany as the next destinations.”

[Figure: IPs participating in mass scanning activity. Source: GreyNoise]

Git configuration files are configuration files for Git projects that can contain branch information, remote repository URLs, hooks and automation scripts, as well as account credentials and access tokens.

Developers or companies deploy web applications without correctly excluding .git/ directories from public access, which accidentally exposes these files to everyone.

Scanning for these files is a standard reconnaissance activity that offers numerous opportunities for threat actors.

In October 2024, Sysdig reported on a large-scale operation called “EmeraldWhale”, which scanned for exposed Git configuration files and stole 15,000 cloud account credentials from thousands of private repositories.

Stealing credentials, API keys, SSH private keys, or even internal-only URLs enables threat actors to access confidential data and privileged accounts and to craft attacks.

This is the exact method by which Internet Archive's “The Wayback Machine” was breached in October 2024, with the attacks then continuing despite the owner's efforts to thwart them.

GreyNoise reports that the latest activity is mainly aimed at Singapore, the USA, Spain, Germany, Great Britain and India.

The malicious activity comes in waves, with four notable cases recorded since late 2024, in November, December, March and April. The most recent was the highest-volume attack wave that the researchers recorded.

[Figure: Git configuration file scan waves. Source: GreyNoise]

To mitigate the risks arising from these scans, it is recommended to block access to .git/ directories, configure web servers to prevent access to hidden files, monitor server logs for suspicious .git/config access, and rotate potentially exposed credentials.

If web server access logs show unauthorized access to Git configurations, all credentials stored in them should be rotated immediately.
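
The log check recommended above can be sketched as follows. This is an added example, not code from GreyNoise or the original article; it assumes access logs in Combined Log Format, and the function names and sample log lines are constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Combined Log Format: ip - user [time] "METHOD path PROTO" status size ...
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
                    r'"[A-Z]+ (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\d+|-)')
# A ".git" path segment anywhere in the URL: /.git/config, /app/.git/HEAD
GIT_RE = re.compile(r'(^|/)\.git(/|$)', re.IGNORECASE)


def normalise(path):
    """Drop the query string and percent-decode twice (catches %2e and %252e)."""
    path = path.split('?', 1)[0]
    for _ in range(2):
        path = unquote(path)
    return path


def find_git_probes(lines):
    """Map each client IP to the .git/ paths it probed and those it was served.

    "exposed" = 2xx with a non-empty body: the file was readable, rotate its secrets.
    """
    hits = defaultdict(lambda: {"probes": [], "exposed": []})
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        path = normalise(m.group("path"))
        if not GIT_RE.search(path):
            continue
        hits[m.group("ip")]["probes"].append(path)
        if m.group("status").startswith("2") and m.group("size") not in ("-", "0"):
            hits[m.group("ip")]["exposed"].append(path)
    return dict(hits)


# Constructed sample log lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [21/Apr/2025:10:01:02 +0000] "GET /.git/config HTTP/1.1" 200 312 "-" "curl/8.0"
203.0.113.7 - - [21/Apr/2025:10:01:03 +0000] "GET /.git/HEAD HTTP/1.1" 200 23 "-" "curl/8.0"
198.51.100.9 - - [21/Apr/2025:10:05:00 +0000] "GET /app/%2egit/config HTTP/1.1" 404 0 "-" "-"
198.51.100.20 - - [21/Apr/2025:10:06:00 +0000] "GET /docs/git-guide.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
""".splitlines()

if __name__ == "__main__":
    for ip, info in find_git_probes(SAMPLE_LOG).items():
        print(ip, "probes:", len(info["probes"]), "exposed:", info["exposed"])
```

Any path listed under "exposed" was actually served to the client, which is the case where the credentials stored in that file should be rotated; entries that appear only under "probes" were attempts the server refused.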
