Skip to content

Security report — possible AWS access key + paired secret in committed source (please contact privately) #27

Description

@Raffa-jarrl

Hi —

Automated security scan flagged what appears to be an AWS access key + paired secret committed to your public source. I'm not posting the values here for responsible-disclosure reasons.

This is the highest-cost class of credential leak. Bots scrape GitHub for AKIA* + aws_secret_access_key combos and use them within minutes to spin up EC2 / SES / S3 — at someone else's expense. The typical attacker pattern is: spawn 100 GPU instances for crypto-mining, run for 6 hours, your AWS bill comes back ~$8-30K before you notice. There's no recovery — AWS will not refund.

Verified pattern only. I checked that an AKIA key + 40-char secret appear paired in the same file. I did NOT attempt to authenticate (that's the line). The key may already be rotated or restricted — but if it isn't, time matters.

Please contact me at [email protected] and I'll send the exact file path + line + redacted key prefix so you can verify which key it is, in case there are multiple.

The fix (rough order — do it now):

  1. Disable the key in AWS IAM Console immediately (Users → your user → Security credentials → "Make inactive" on the key). This is faster than rotation.
  2. Check AWS Billing Console for unexpected charges in the last 30 days. CloudTrail will show every API call the key made.
  3. Rotate — create a new key, update wherever it's used (CI/CD, server config), then delete the old one.
  4. git filter-repo --invert-paths --path <the-file> to scrub from history. Force-push.
  5. Going forward: store AWS credentials in environment variables (never in committed files), use AWS IAM roles where possible, enable AWS GuardDuty.

If we're wrong (key is restricted-scope, sandbox account, deliberately public for a demo), reply and we'll close out. No blame intended — almost every Terraform tutorial repo has this pattern at least once.

— Raffa
Lictor AI · https://lictorai.com

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions