Cloud Security, Identity, Vulnerability Management

Leaked Shiba Inu AWS credential exposed on public GitHub repository

A Shiba Inu dog
AWS account credentials were leaked on a public code repository of the Shiba Inu crypto token. (Photo by Matt Cardy/Getty Images)

Researchers on Thursday reported on a leaked Shiba Inu AWS account credential on a public code repository, considered serious by security pros because for the two days the credentials were exposed they could have been abused by a hacker.

Pingsafe’s founder Anand Prakash wrote in a blog post that the reason for the leaked credentials was a Shiba Inu developer committing AWS infrastructure keys on a public GitHub repository.

Shiba Inu is a crypto token with a market capitalization of $6.7 billion. Created in August 2020 by an anonymous person or group known as Ryoshi, Shiba Inu now ranks as the 14th largest token by market cap, according to Prakash.

News that Shiba Inu had one of its AWS credentials on a public GitHub repository is troubling for Shiba Inu and any person or company that owns the tokens, said Karl Steinkamp, director at Coalfire.

Steinkamp said development of Shiba Inu or any other crypto-related project doesn’t differ from the development of any other non-crypto software product in that each requires a structured process for development and authorized personnel to push the code into development/test stages and into production.

“While it’s unknown if the credentials were testing credentials or meant to be production credentials, this represents a break in the internal process and likely violated Shiba’s software development lifecycle practices,” Steinkamp said. “Having AWS credentials in the open for two days presents a dangerous window of availability for any malicious attacker to perform any host of malicious activities, which may have included a full compromise of the environment, theft of tokens, and escalation of permissions into other AWS environments.”

Casey Bisson, head of product and developer enablement at BluBracket, said every company with software handles sensitive API keys and passwords, and too many of them are in code repositories. Bisson said too often, a secret in a repo is a secret shared, whether it’s because the repository was accidentally made public, because of insider threats, or because of code theft.

“Those secret keys and passwords connect to a company’s most important assets, including cloud resources, customer data, and financial transactions,” Bisson said. “We recommend every company implement automated scanning in their CI/CD process to identify secrets and other risks in code, and give developers an opportunity to correct them before they become a serious risk.”

Related

LockBit-leaked DC city agency data from third party

Washington, D.C.'s Department of Insurance, Securities and Banking has disclosed that 800GB of data claimed to have been stolen by the LockBit ransomware operation was obtained from an attack against third-party software provider Tyler Technologies following the ransomware gang's threats to expose 1GB of the exfiltrated data to coerce the agency into providing the demanded ransom, reports The Record, a news site by cybersecurity firm Recorded Future.

Related Events

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.