"Thousands of Publicly Exposed API Tokens Could Threaten Software Integrity"

Security researchers at JFrog have found thousands of publicly exposed, still-active application programming interface (API) tokens across the web that could threaten software integrity and allow attackers to access confidential information, data, or private networks. The researchers reportedly scanned over eight million artifacts in the most common open-source software registries, including npm, PyPI, RubyGems, crates.io, and DockerHub, to find and verify leaked API tokens. For npm and PyPI packages, the scan also covered multiple versions of the same package, so that a token removed in a later release but still present in an older, still-downloadable version would also be found. Amazon Web Services (AWS), Google Cloud Platform (GCP), and Telegram API tokens were the most commonly leaked. The figures also showed that 53% of the leaked AWS tokens had already been revoked (and were therefore inactive), compared with only 27% of the leaked GCP tokens. The researchers stated that they privately disclosed every leaked secret to its code owner, where one could be identified, giving them a chance to rotate or revoke it. As for the kinds of secrets found, JFrog said the list included plaintext API keys, credentials, expired certificates, and passwords.
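The scan described above, detecting token formats inside package contents and checking older versions for tokens that a later release removed, can be illustrated with a small scanner. This is an added example, not JFrog's tooling or any code from the report: the regexes use the publicly documented prefixes of AWS access key IDs (AKIA/ASIA), GCP API keys (AIza) and Telegram bot tokens (numeric id, colon, 35-character secret), the package versions and file contents are constructed for the demo and contain no real credentials, and the documented AWS placeholder key is skipped so it is not reported as a leak. Checking whether a hit is still active (for example by calling the provider's identity endpoint with it) is a separate step that this block does not perform.

```python
import re
from dataclasses import dataclass

# Publicly documented token formats (assumed patterns; tune for your own scanner).
PATTERNS = {
    "aws_access_key_id": re.compile(r"(?<![A-Z0-9])(?:AKIA|ASIA)[A-Z0-9]{16}(?![A-Z0-9])"),
    "gcp_api_key": re.compile(r"(?<![0-9A-Za-z_-])AIza[0-9A-Za-z_-]{35}(?![0-9A-Za-z_-])"),
    "telegram_bot_token": re.compile(r"(?<![0-9])[0-9]{8,10}:[A-Za-z0-9_-]{35}(?![A-Za-z0-9_-])"),
}

# Placeholder values that appear in vendor documentation and must not be reported as leaks.
KNOWN_PLACEHOLDERS = {"AKIAIOSFODNN7EXAMPLE"}


@dataclass(frozen=True)
class Finding:
    kind: str
    token: str
    path: str
    line: int


def redact(token):
    """Show only the edges of a token in reports so the scanner output does not re-leak it."""
    return token[:4] + "..." + token[-4:]


def scan_text(path, text):
    """Return every non-placeholder token match in one file, with its line number."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for kind, rx in PATTERNS.items():
            for m in rx.finditer(line):
                if m.group(0) in KNOWN_PLACEHOLDERS:
                    continue
                findings.append(Finding(kind, m.group(0), path, lineno))
    return findings


def scan_version(files):
    """files: dict of path -> file text for one published version of a package."""
    findings = []
    for path, text in files.items():
        findings.extend(scan_text(path, text))
    return findings


def scan_package_history(versions):
    """versions: dict of version string -> files, oldest first.

    Returns (findings per version, tokens that a later release removed but that are
    still present in an older, still-downloadable version).
    """
    per_version = {v: scan_version(files) for v, files in versions.items()}
    latest = list(versions)[-1]
    latest_tokens = {f.token for f in per_version[latest]}
    removed_but_published = {}
    for version, findings in per_version.items():
        if version == latest:
            continue
        for f in findings:
            if f.token not in latest_tokens:
                removed_but_published.setdefault(f.token, []).append(version)
    return per_version, removed_but_published


# Constructed sample package history (not a real package; no real credentials).
SAMPLE_VERSIONS = {
    "1.0.0": {
        "config.js": 'const AWS_KEY = "AKIA2T3S4T5U6V7W8X9Y";\n'
                     'const BOT = "123456789:AAHdemo-token-placeholder-012345678";\n',
    },
    "1.0.1": {
        "config.js": "const AWS_KEY = process.env.AWS_ACCESS_KEY_ID;\n"
                     'const BOT = "123456789:AAHdemo-token-placeholder-012345678";\n',
        "README.md": "Example key from the AWS docs: AKIAIOSFODNN7EXAMPLE\n",
    },
    "1.1.0": {
        "config.js": "const AWS_KEY = process.env.AWS_ACCESS_KEY_ID;\n"
                     "const BOT = process.env.BOT_TOKEN;\n",
        "client.py": 'API_KEY = "AIzaSyDemoKeyNotReal_0123456789abcdefgh"\n',
    },
}

if __name__ == "__main__":
    per_version, removed = scan_package_history(SAMPLE_VERSIONS)
    for version, findings in per_version.items():
        for f in findings:
            print(f"{version} {f.path}:{f.line} {f.kind} {redact(f.token)}")
    for token, versions in removed.items():
        print(f"removed from latest but still published in {versions}: {redact(token)}")
```

The cross-version check is the part that matters most for registries: deleting a key from the current release does not unpublish the tarballs that already contain it, so a token only counts as cleaned up once it has been revoked at the provider, not merely removed from source.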

Infosecurity reports: "Thousands of Publicly Exposed API Tokens Could Threaten Software Integrity"

Submitted by Anonymous on