Hackers ramp up scans for leaked Git tokens and secrets www.bleepingcomputer.com/news/secu…

Threat actors are intensifying internet-wide scanning for Git configuration files that can reveal sensitive secrets and authentication tokens used to compromise cloud services and source code repositories. In a new report from threat monitoring firm GreyNoise, researchers have recorded a massive spike in searches for exposed Git configs between April 20-21, 2025.

Developers or companies deploy web applications without correctly excluding .git/ directories from public access, inadvertently exposing these files to anyone. Scanning for those files is a standard reconnaissance activity that provides numerous opportunities for threat actors.

In October 2024, Sysdig reported about a large-scale operation named “EmeraldWhale” which scanned for exposed Git config files, snatching 15,000 cloud account credentials from thousands of private repositories.