https://sysdig.com/blog/emeraldwhale

A large-scale cyber operation named “EmeraldWhale” has compromised thousands of private repositories by exploiting exposed Git configuration files.

The attackers used automated tools to scan large IP ranges for web servers that expose their Git configuration file (/.git/config), which happens when a repository checkout is deployed under a web root without blocking access to the .git directory. These files can contain credentials, typically access tokens embedded in remote URLs for Git platforms (GitHub, GitLab, Bitbucket). The stolen tokens were used to clone private repositories, which were then searched for further secrets such as credentials for cloud services and email providers. The resulting haul, over 15,000 cloud credentials, was used for phishing and spam campaigns and was potentially sold to other criminals.

This is not a sophisticated attack: it can be carried out with commonly available tools and simple automation, yet the consequences can be severe. Credentials should never be hardcoded in Git configuration files (for example, in a remote URL); use a dedicated secrets manager or a Git credential helper instead. Organizations should also educate developers on secure Git practices, block web access to .git directories, and monitor their own hosts for exposed repositories.
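The following Python script is an added example; it is not code from the Sysdig post or from any tool the attackers used. It shows both sides of the problem described above: how a scanner tells an exposed .git/config apart from an error page and pulls credentials out of remote URLs, and how to run the same parse over your own hosts as a check before an attacker does. The sample config text, the placeholder token, the host names and the function names are all constructed for this example.

```python
import re
from urllib.parse import urlsplit, urlunsplit
from urllib.request import Request, urlopen
from urllib.error import URLError

# Constructed sample of what a scanner gets back from an exposed
# http://<host>/.git/config.  The token is a placeholder, not a real secret.
SAMPLE_CONFIG = (
    "[core]\n"
    "\trepositoryformatversion = 0\n"
    "\tfilemode = true\n"
    "\tbare = false\n"
    '[remote "origin"]\n'
    "\turl = https://deploy:ghp_EXAMPLE0000000000@github.com/example-org/private-app.git\n"
    "\tfetch = +refs/heads/*:refs/remotes/origin/*\n"
    '[remote "mirror"]\n'
    "\turl = git@gitlab.com:example-org/private-app.git\n"
    '[branch "main"]\n'
    "\tremote = origin\n"
    "\tmerge = refs/heads/main\n"
)

# [section "subsection"] headers and key = value lines of git's INI-like format.
SECTION_RE = re.compile(r'^\s*\[(\w+)(?:\s+"([^"]*)")?\]\s*$')
KEY_RE = re.compile(r'^\s*([\w.-]+)\s*=\s*(.*?)\s*$')


def looks_like_git_config(body: str) -> bool:
    """Heuristic to tell a real .git/config from a 404 or login page:
    a [core] section plus a repositoryformatversion key."""
    return bool(re.search(r'^\s*\[core\]', body, re.M)) and \
        bool(re.search(r'^\s*repositoryformatversion\s*=', body, re.M))


def parse_remotes(config: str) -> dict:
    """Return {remote_name: url}.  A small hand-written parser is used because
    configparser treats git's tab-indented keys as continuation lines."""
    remotes, section, name = {}, None, None
    for line in config.splitlines():
        if not line.strip() or line.lstrip().startswith(("#", ";")):
            continue
        m = SECTION_RE.match(line)
        if m:
            section, name = m.group(1), m.group(2)
            continue
        m = KEY_RE.match(line)
        if m and section == "remote" and m.group(1) == "url":
            remotes[name] = m.group(2)
    return remotes


def embedded_credentials(url: str):
    """(username, password) if an http(s) URL carries userinfo, else None.
    scp-style git@host:path URLs have no scheme and no userinfo, so they
    yield None."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not (parts.username or parts.password):
        return None
    return (parts.username or "", parts.password or "")


def redact(url: str) -> str:
    """Drop the userinfo so a finding can be logged without copying the secret."""
    parts = urlsplit(url)
    if not parts.username and not parts.password:
        return url
    host = parts.hostname or ""
    if parts.port:
        host = f"{host}:{parts.port}"
    return urlunsplit((parts.scheme, host, parts.path, parts.query, parts.fragment))


def audit_config(config: str) -> list:
    """One finding per remote whose URL embeds a credential."""
    findings = []
    for name, url in parse_remotes(config).items():
        if embedded_credentials(url):
            findings.append({"remote": name, "user": embedded_credentials(url)[0],
                             "host": urlsplit(url).hostname, "url": redact(url)})
    return findings


def fetch_exposed_config(base_url: str, timeout: float = 5.0):
    """Probe one of your OWN hosts (network call, not used by the sample run).
    Returns the body if /.git/config is served and looks like a git config."""
    req = Request(base_url.rstrip("/") + "/.git/config",
                  headers={"User-Agent": "git-config-self-audit"})
    try:
        with urlopen(req, timeout=timeout) as resp:
            body = resp.read(64 * 1024).decode("utf-8", "replace")
    except (URLError, ValueError):
        return None
    return body if looks_like_git_config(body) else None


if __name__ == "__main__":
    # Offline demonstration on the constructed config.
    for finding in audit_config(SAMPLE_CONFIG):
        print(f"remote {finding['remote']}: user {finding['user']!r} "
              f"embedded in URL for {finding['host']} -> {finding['url']}")
```

Running the script against the sample reports the `origin` remote, whose URL carries a deploy token, and reports the redacted URL `https://github.com/example-org/private-app.git` rather than the secret. To fix a real finding, rewrite the remote without the credential (`git remote set-url origin https://github.com/example-org/private-app.git`), let a credential helper or secrets manager supply the token at fetch time, revoke the exposed token, and deny web access to `.git/` on the server; `fetch_exposed_config` can then be pointed at your own hosts to confirm the directory is no longer served.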

This incident highlights the importance of securing Git configurations and underlines the value of stolen credentials on the black market.