Cybercriminals intensify hunt for exposed Git secrets

Git configuration files exposed in public repositories are being aggressively hunted and combed through by threat actors for sensitive secrets and authentication tokens unintentionally left behind in Git projects.

A GreyNoise observation recorded a significant spike in search attempts for exposed Git configuration files between April 20 and April 21.

“While the crawling itself is reconnaissance, successful discovery of exposed Git configuration files can lead to exposure of internal codebases, developer workflows, and potentially sensitive credentials,” GreyNoise researchers said in a blog post.

Git configuration files define settings and behaviors for how Git, the distributed version control system, operates. They often contain sensitive information such as plain-text credentials (access tokens or hard-coded secrets), remote repository URLs, branch structure and naming conventions, and metadata that provides insight into internal development processes.

When developers leave .git/ directories publicly accessible, they unintentionally hand out internal files: prime snooping targets that give attackers a head start.

About 5k unique searches in a day

According to a screenshot shared by GreyNoise, an in-house tracking tag, “Git Config Crawler”, used to identify IPs crawling the internet for sensitive Git config files, recorded a total of 11,885 unique IPs in the last 90 days, of which nearly 4,800 were seen between April 20 and April 21 alone.

GreyNoise researchers said they have observed four spikes since September 2024, each involving approximately 3,000 unique IPs. They were observed in September 2024, December 2024, February 2025, and April 2025.

While the GreyNoise report does not specify the exact causes of these spikes, possible factors include publicly disclosed vulnerabilities in Git or associated development tools shortly before each spike, automated reconnaissance campaigns, responses to newly exposed Git configurations, or preparatory stages of targeted cyberattacks.

Snooping attempts originated from all over the world, with source IPs in Singapore (4,933), the US (3,807), Germany (473), and the UK (395) leading these activities in the last 90 days.

Hackers’ favourite for stealing credentials

Threat actors have used this technique before in large-scale operations. A threat campaign reported in October 2024, “EmeraldWhale,” scanned for exposed configuration files to steal over 15,000 cloud account credentials from thousands of private repositories.

Hackers have far too much to gain from exposed Git configuration files. “In some cases, if the full .git directory is also exposed, attackers may be able to reconstruct the entire codebase — including commit history, which may contain confidential information, credentials, or sensitive logic,” researchers said.

Last week, cybersecurity researcher Sharon Brizinov reported collecting $64,000 in bug bounty winnings for finding dozens of GitHub repositories still exposing secrets from deleted files owing to Git’s retention of code changes and associated files even after deletion.

The chain of Internet Archive breaches in October 2024 was reportedly carried out using credentials (GitLab secrets) stolen in the same way. To stay ahead of attackers, GreyNoise recommended restricting .git directory access on public web servers, blocking access to hidden files and folders in web server configurations, checking logs for repeated requests for .git/config, and rotating any credentials exposed in version control history.
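A small triage script for the log-checking recommendation above, added here as an example and not part of the GreyNoise report: it parses web server access logs in Combined Log Format (an assumption), flags source IPs that repeatedly request .git/ paths, and separately flags any request for such a path that was answered with 200, which means the repository metadata actually leaked. The sample log lines are constructed and use documentation-range IP addresses.

```python
import re
from collections import defaultdict

# Combined Log Format as written by nginx/Apache by default (assumption).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Any path component that is exactly ".git" (e.g. /.git/config, /app/.git/HEAD).
GIT_PATH_RE = re.compile(r'(^|/)\.git(/|$)', re.IGNORECASE)

# Constructed sample lines: one repeat prober blocked with 403, one
# single probe that was served with 200, one miss with 404.
SAMPLE_LOG = """\
203.0.113.5 - - [20/Apr/2025:10:01:02 +0000] "GET /.git/config HTTP/1.1" 403 162 "-" "Mozilla/5.0"
203.0.113.5 - - [20/Apr/2025:10:01:03 +0000] "GET /.git/HEAD HTTP/1.1" 403 162 "-" "Mozilla/5.0"
198.51.100.7 - - [20/Apr/2025:10:02:10 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "curl/8.0"
198.51.100.7 - - [20/Apr/2025:10:02:11 +0000] "GET /app/.git/config HTTP/1.1" 200 301 "-" "curl/8.0"
192.0.2.9 - - [20/Apr/2025:10:03:00 +0000] "GET /.git/config HTTP/1.1" 404 153 "-" "python-requests/2.31"
"""


def parse_line(line):
    """Return the parsed fields of one access-log line, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_git_probes(lines, min_hits=2):
    """Return (repeat, leaked): repeat maps IPs with >= min_hits .git/ requests to the
    paths they asked for; leaked is the set of IPs that received a 200 for a .git/ path."""
    hits = defaultdict(list)
    leaked = set()
    for line in lines:
        rec = parse_line(line)
        if not rec or not GIT_PATH_RE.search(rec["path"]):
            continue
        hits[rec["ip"]].append(rec["path"])
        if rec["status"] == "200":
            leaked.add(rec["ip"])
    repeat = {ip: paths for ip, paths in hits.items() if len(paths) >= min_hits}
    return repeat, leaked


if __name__ == "__main__":
    repeat, leaked = find_git_probes(SAMPLE_LOG.splitlines())
    for ip, paths in repeat.items():
        print(f"repeat prober {ip}: {paths}")
    for ip in sorted(leaked):
        print(f"LEAK: .git/ path served with 200 to {ip}; rotate exposed credentials")
```

Feed it a real log with `find_git_probes(open(path))`; a non-empty `leaked` set is the signal that triggers the credential rotation step, regardless of how many times the IP came back.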
