Executive Summary
In early 2024, a security engineer conducting a large-scale scan of all 5.6 million public repositories hosted on GitLab Cloud uncovered more than 17,000 exposed secrets—such as API keys, credentials, and tokens—affecting over 2,800 unique domains. Although the incident did not involve a targeted cyberattack, the finding highlights the pervasive risk of accidental data exposure due to developer error or misconfiguration. The exposed secrets could have enabled threat actors to access sensitive services, launch attacks, or exfiltrate data unnoticed, exposing organizations to operational risk, reputational harm, and regulatory scrutiny.
This discovery signals a growing trend as attackers increasingly automate scans for leaked credentials in public code repositories. With supply chain attacks, shadow IT, and cloud misconfigurations rising, such incidents underscore the urgency for automated secret scanning, centralized controls, and enhanced security training for development teams.
Why This Matters Now
As organizations accelerate cloud-native development and adopt DevOps practices, the risk of sensitive data inadvertently being exposed in public repositories is growing. Automated attacker tools quickly scan for these leaked secrets, making rapid detection and remediation critical to prevent breaches, unauthorized access, and potential regulatory violations. Swift organizational action is necessary before risk materializes.
Attack Path Analysis
Because the incident involved exposure rather than an observed intrusion, this section describes the path such leaked secrets would open. Attackers scan public GitLab repositories for exposed secrets and use the valid credentials to access cloud or SaaS environments. Leveraging the discovered secrets, they escalate privileges by reaching additional sensitive resources and cloud identities, then move laterally within the cloud infrastructure, targeting connected workloads or services. Command and control channels are established over sanctioned or covert outbound connections, and sensitive information, including credentials and proprietary data, is exfiltrated out of the environment. The resulting impact ranges from business disruption and unauthorized access to follow-on attacks leveraging the stolen secrets.
Kill Chain Progression
Initial Compromise
Description
Attackers scan public GitLab repositories to identify and obtain active cloud/API secrets, then use those secrets to gain unauthorized access to cloud or SaaS environments.
Related CVEs
CVE-2025-0314 (CVSS 8.7)
A cross-site scripting (XSS) vulnerability in GitLab CE/EE allows attackers to inject malicious scripts through improper rendering of certain file types.
Affected Products:
GitLab CE/EE – 17.2 before 17.6.4, 17.7 before 17.7.3, 17.8 before 17.8.1
Exploit Status:
no public exploit
CVE-2025-0475 (CVSS 8.7)
A DOM-based XSS vulnerability in the Kubernetes proxy endpoint of GitLab CE/EE allows attackers to inject malicious JavaScript payloads.
Affected Products:
GitLab CE/EE – 15.10 to 17.9.0
Exploit Status:
no public exploit
CVE-2025-4278 (CVSS 8.7)
An issue in GitLab CE/EE allows attackers to achieve account takeover by injecting code into the search page.
Affected Products:
GitLab CE/EE – All versions prior to 17.6.4
Exploit Status:
no public exploit
MITRE ATT&CK® Techniques
Unsecured Credentials: Credentials In Files
Account Discovery
Data from Information Repositories
Exfiltration Over Web Service
Valid Accounts
Exploit Public-Facing Application
Network Service Scanning
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Secure Storage of Sensitive Authentication Data
Control ID: 3.2.1
NYDFS 23 NYCRR 500 – Cybersecurity Policy
Control ID: 500.03
DORA – ICT Risk Management Framework
Control ID: Article 9
CISA ZTMM 2.0 – Credential Management and Secret Hygiene
Control ID: Identity - ID.AC-2
NIS2 Directive – Baseline Cybersecurity Requirements
Control ID: Article 21
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Computer Software/Engineering
Cloud misconfiguration exposing 17,000+ secrets across public GitLab repositories directly threatens software development workflows, requiring enhanced egress security and zero trust segmentation.
Financial Services
Exposed secrets in public repositories create massive compliance violations under PCI and regulatory frameworks, demanding immediate multicloud visibility and threat detection capabilities.
Health Care / Life Sciences
GitLab secret exposure violates HIPAA requirements for data protection, necessitating encrypted traffic controls and comprehensive anomaly detection across development environments.
Information Technology/IT
Cloud misconfigurations affecting 2,800+ domains require immediate implementation of a cloud-native security fabric and Kubernetes security for distributed IT infrastructure protection.
Sources
- Public GitLab repositories exposed more than 17,000 secrets: https://www.bleepingcomputer.com/news/security/public-gitlab-repositories-exposed-more-than-17-000-secrets/ (Verified)
- GitLab Security Release: 17.8.1: https://about.gitlab.com/releases/2025/01/22/patch-release-gitlab-17-8-1-released/ (Verified)
- Security Advisory 2025-020: https://cert.europa.eu/publications/security-advisories/2025-020/pdf (Verified)
- Security Updates – GitLab Community Edition and Enterprise Edition: https://assets.adgm.com/download/assets/20250228%2B-%2BSecurity%2BUpdates%2B%E2%80%93%2BGitLab%2BCommunity%2BEdition%2Band%2BEnterprise%2BEdition%2B-%2BAlert%2B178.pdf/f991b618f7e911efad51dab83beef992 (Verified)
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Zero Trust segmentation, microsegmentation, egress security, and real-time anomaly detection would have contained the attacker to initial footholds, prevented unrestricted lateral movement, and blocked or detected unauthorized data exfiltration and C2. Centralized visibility and policy enforcement could have detected abuse of secrets and restricted their scope across the cloud environment.
Control: Threat Detection & Anomaly Response
Mitigation: Suspicious authentications or misuse of secrets could be rapidly detected and alerted on.
Control: Zero Trust Segmentation
Mitigation: Identity-based policies restrict resource access even with valid but unauthorized credentials.
Control: East-West Traffic Security
Mitigation: Movement between cloud workloads/services is constrained and monitored for anomalous patterns.
Control: Egress Security & Policy Enforcement
Mitigation: Outbound connections to unapproved destinations can be blocked or alerted.
Control: Cloud Firewall (ACF)
Mitigation: Unusual data transfers and large egress volumes are detected and stopped.
Centralized observability and auditing facilitate rapid post-incident remediation.
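To make the Threat Detection & Anomaly Response control concrete, here is an added example (not from the original report or from any vendor product) of three detections a defender can run over cloud API audit events once an access key is known to be exposed: first use from a source network never seen in the key's baseline (the Valid Accounts technique listed above), reuse of a key after a dormant period, and a burst of distinct discovery calls (the Account Discovery technique). The log line format, the key ID, the RFC 5737 source addresses and every threshold are constructed or assumed for this example.

```python
import ipaddress
import re
from datetime import datetime, timedelta, timezone

# Constructed cloud API audit events, not from any real environment. Source
# addresses are RFC 5737 documentation ranges and the key ID is a placeholder.
BASELINE_EVENTS = [
    "2024-01-08T09:00:00Z key=AKIAEXAMPLEKEY000001 src=203.0.113.10 action=s3:GetObject",
    "2024-01-09T09:05:00Z key=AKIAEXAMPLEKEY000001 src=203.0.113.11 action=s3:GetObject",
    "2024-01-10T09:10:00Z key=AKIAEXAMPLEKEY000001 src=203.0.113.10 action=s3:PutObject",
]
NEW_EVENTS = [
    "2024-02-20T03:12:00Z key=AKIAEXAMPLEKEY000001 src=198.51.100.7 action=sts:GetCallerIdentity",
    "2024-02-20T03:12:05Z key=AKIAEXAMPLEKEY000001 src=198.51.100.7 action=iam:ListUsers",
    "2024-02-20T03:12:09Z key=AKIAEXAMPLEKEY000001 src=198.51.100.7 action=iam:ListRoles",
    "2024-02-20T03:12:14Z key=AKIAEXAMPLEKEY000001 src=198.51.100.7 action=s3:ListAllMyBuckets",
    "2024-02-20T09:00:00Z key=AKIAEXAMPLEKEY000001 src=203.0.113.10 action=s3:GetObject",
]

EVENT_RE = re.compile(r"^(\S+) key=(\S+) src=(\S+) action=(\S+)$")
DORMANT_DAYS = 30                     # assumed: a key unused this long is "dormant"
BURST_WINDOW = timedelta(seconds=60)  # assumed window for a discovery burst
BURST_DISTINCT = 3                    # assumed: distinct discovery calls needed to alert
# Assumed set of read-only "who am I / what exists" calls typical of discovery.
DISCOVERY_PREFIXES = ("sts:GetCallerIdentity", "iam:List", "iam:Get", "s3:ListAllMyBuckets")


def parse_event(line: str) -> dict:
    """Parse one audit line; the source IP is generalised to its /24 network."""
    m = EVENT_RE.match(line)
    if not m:
        raise ValueError(f"unparsable event: {line!r}")
    ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    net = ipaddress.ip_network(f"{m.group(3)}/24", strict=False)
    return {"ts": ts, "key": m.group(2), "net": net, "action": m.group(4)}


def build_baseline(lines: list[str]) -> dict:
    """Per key: the set of /24 networks it was used from and its last use."""
    baseline: dict = {}
    for ev in map(parse_event, lines):
        entry = baseline.setdefault(ev["key"], {"nets": set(), "last_seen": None})
        entry["nets"].add(ev["net"])
        if entry["last_seen"] is None or ev["ts"] > entry["last_seen"]:
            entry["last_seen"] = ev["ts"]
    return baseline


def detect(baseline_lines: list[str], new_lines: list[str]) -> list[dict]:
    """Evaluate new events against the baseline; each rule fires once per key."""
    baseline = build_baseline(baseline_lines)
    alerts: list[dict] = []
    recent: dict = {}   # key -> [(ts, action)] discovery calls inside the window
    fired: set = set()  # (key, rule, detail) already alerted, to suppress repeats
    for ev in map(parse_event, new_lines):
        key, ts = ev["key"], ev["ts"]
        entry = baseline.setdefault(key, {"nets": set(), "last_seen": None})

        # Rule 1: first use from a network never seen for this key.
        if ev["net"] not in entry["nets"] and (key, "net", ev["net"]) not in fired:
            fired.add((key, "net", ev["net"]))
            alerts.append({"rule": "new_source_network", "key": key,
                           "network": str(ev["net"]), "ts": ts.isoformat()})

        # Rule 2: a long-dormant key suddenly used again.
        if entry["last_seen"] is not None:
            gap = ts - entry["last_seen"]
            if gap.days >= DORMANT_DAYS and (key, "dormant", None) not in fired:
                fired.add((key, "dormant", None))
                alerts.append({"rule": "dormant_key_reuse", "key": key,
                               "days_dormant": gap.days, "ts": ts.isoformat()})
        entry["last_seen"] = ts

        # Rule 3: several distinct discovery calls inside a short window.
        if ev["action"].startswith(DISCOVERY_PREFIXES):
            window = [(t, a) for t, a in recent.get(key, []) if ts - t <= BURST_WINDOW]
            window.append((ts, ev["action"]))
            recent[key] = window
            distinct = {a for _, a in window}
            if len(distinct) >= BURST_DISTINCT and (key, "burst", None) not in fired:
                fired.add((key, "burst", None))
                alerts.append({"rule": "discovery_burst", "key": key,
                               "actions": sorted(distinct), "ts": ts.isoformat()})
    return alerts


if __name__ == "__main__":
    for alert in detect(BASELINE_EVENTS, NEW_EVENTS):
        print(alert)
```

On the constructed input the first new event fires both the new-network and dormant-key rules, the third fires the discovery burst, and the later event from the known network fires nothing; in practice the baseline would be built from real audit history and the generalisation to /24 replaced by whatever network or ASN grouping the environment supports.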
Impact at a Glance
Affected Business Functions
- Software Development
- Cloud Infrastructure Management
- Data Security
Estimated downtime: 3 days
Estimated loss: $500,000
Potential exposure of sensitive credentials, including API keys and access tokens, leading to unauthorized access to cloud services and databases.
Recommended Actions
Key Takeaways & Next Steps
- Immediately audit public code repositories for embedded secrets and rotate any exposed credentials.
- Enforce zero trust segmentation and least-privilege access across cloud and SaaS environments to limit blast radius.
- Implement continuous anomaly and threat detection for rapid identification of credential misuse or unauthorized access.
- Apply strict egress controls and traffic policies to prevent unauthorized outbound connections and data exfiltration.
- Centralize visibility and policy management to enable faster incident response and reduce risk exposure from future cloud misconfigurations.
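As an added example (not from the original report or from GitLab), the following Python script implements the first takeaway, a secret audit over repository file content. It combines provider-specific token shapes with a generic rule for secret-looking assignments filtered by Shannon entropy, and redacts each finding so the audit output does not itself re-leak the credential. The sample file content is constructed; the AKIA and glpat- prefixes are real conventions, while the token lengths, the keyword list and the 3.5-bit entropy cut-off are assumptions to tune.

```python
import math
import re

# Constructed sample file content, not from any real repository.
SAMPLE_FILE = """\
# deploy.env (constructed example)
AWS_ACCESS_KEY_ID=AKIAEXAMPLEEXAMPLE12
AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
GITLAB_TOKEN=glpat-EXAMPLEtoken1234567890
DB_PASSWORD=hunter2
API_KEY=aaaaaaaaaaaaaaaaaaaaaaaa
DEBUG=true
"""

# Provider-specific token shapes. The "AKIA" and "glpat-" prefixes are real
# conventions; the lengths are assumptions for this example and should be tuned
# to the providers actually in use.
SPECIFIC_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "gitlab_personal_access_token": re.compile(r"\bglpat-[0-9A-Za-z_\-]{20,}\b"),
}

# Generic rule: a secret-looking variable assigned a value of 16+ characters.
# Applied only to lines where no provider-specific pattern matched.
GENERIC_ASSIGNMENT = re.compile(
    r"(?i)\b([A-Z0-9_]*(?:secret|token|key|password|passwd)[A-Z0-9_]*)"
    r"\s*[=:]\s*[\"']?([^\s\"']{16,})"
)

# Assumed cut-off (bits per character) separating random-looking values from
# placeholders and repeated characters.
ENTROPY_THRESHOLD = 3.5


def shannon_entropy(value: str) -> float:
    """Bits per character of the value's character distribution."""
    if not value:
        return 0.0
    counts: dict[str, int] = {}
    for ch in value:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(value)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def redact(value: str) -> str:
    """Keep a short prefix so findings can be triaged without re-leaking the secret."""
    return value[:6] + "..." if len(value) > 6 else "..."


def scan_text(text: str) -> list[dict]:
    """Return one finding per suspected secret, in line order."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        matched_specific = False
        for kind, pattern in SPECIFIC_PATTERNS.items():
            for m in pattern.finditer(line):
                matched_specific = True
                findings.append({"line": line_no, "kind": kind, "value": redact(m.group(0))})
        if matched_specific:
            continue
        m = GENERIC_ASSIGNMENT.search(line)
        if m:
            name, value = m.group(1), m.group(2)
            entropy = shannon_entropy(value)
            # Low-entropy values (e.g. "aaaa...") are placeholders, not secrets.
            if entropy >= ENTROPY_THRESHOLD:
                findings.append({
                    "line": line_no,
                    "kind": "high_entropy_assignment",
                    "name": name,
                    "value": redact(value),
                    "entropy": round(entropy, 2),
                })
    return findings


if __name__ == "__main__":
    for finding in scan_text(SAMPLE_FILE):
        print(finding)
```

Run against a checkout, every finding is a credential to rotate, not just to delete from the tree, because git history and any forks already hold the old value; the short password on the DB_PASSWORD line and the repeated-character API_KEY placeholder show the two ways a line can carry a keyword without being reported.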