Hi —
Automated security scan flagged what appears to be an AWS access key + paired secret committed to your public source. I'm not posting the values here for responsible-disclosure reasons.
This is the highest-cost class of credential leak. Bots scrape GitHub for AKIA* + aws_secret_access_key combos and use them within minutes to spin up EC2 / SES / S3 — at someone else's expense. The typical attacker pattern is: spawn 100 GPU instances for crypto-mining, run for 6 hours, your AWS bill comes back ~$8-30K before you notice. There's no recovery — AWS will not refund.
Verified pattern only. I checked that an AKIA key + 40-char secret appear paired in the same file. I did NOT attempt to authenticate (that's the line). The key may already be rotated or restricted — but if it isn't, time matters.
Please contact me at [email protected] and I'll send the exact file path + line + redacted key prefix so you can verify which key it is, in case there are multiple.
The fix (rough order — do it now):
- Disable the key in AWS IAM Console immediately (Users → your user → Security credentials → "Make inactive" on the key). This is faster than rotation.
- Check AWS Billing Console for unexpected charges in the last 30 days. CloudTrail will show every API call the key made.
- Rotate — create a new key, update wherever it's used (CI/CD, server config), then delete the old one.
git filter-repo --invert-paths --path <the-file> to scrub from history. Force-push.
- Going forward: store AWS credentials in environment variables (never in committed files), use AWS IAM roles where possible, enable AWS GuardDuty.
If we're wrong (key is restricted-scope, sandbox account, deliberately public for a demo), reply and we'll close out. No blame intended — almost every Terraform tutorial repo has this pattern at least once.
— Raffa
Lictor AI · https://lictorai.com
Hi —
Automated security scan flagged what appears to be an AWS access key + paired secret committed to your public source. I'm not posting the values here for responsible-disclosure reasons.
This is the highest-cost class of credential leak. Bots scrape GitHub for
AKIA*+aws_secret_access_keycombos and use them within minutes to spin up EC2 / SES / S3 — at someone else's expense. The typical attacker pattern is: spawn 100 GPU instances for crypto-mining, run for 6 hours, your AWS bill comes back ~$8-30K before you notice. There's no recovery — AWS will not refund.Verified pattern only. I checked that an AKIA key + 40-char secret appear paired in the same file. I did NOT attempt to authenticate (that's the line). The key may already be rotated or restricted — but if it isn't, time matters.
Please contact me at [email protected] and I'll send the exact file path + line + redacted key prefix so you can verify which key it is, in case there are multiple.
The fix (rough order — do it now):
git filter-repo --invert-paths --path <the-file>to scrub from history. Force-push.If we're wrong (key is restricted-scope, sandbox account, deliberately public for a demo), reply and we'll close out. No blame intended — almost every Terraform tutorial repo has this pattern at least once.
— Raffa
Lictor AI · https://lictorai.com