Damn... some dude has his full SSH credentials to his webserver in his published NPM package...
I have to tell him 😅

Bots must have done all the harm already, He must have revoked it already.

@theabbie No, the credentials work... I've just connected to the server to make sure they're not dummy creds 😅
The script (containing the creds) seems to be added during package creation on the server as it is not in the public Github repo...

@PonySlaystation Poor Guy, Forgive him if possible

I can't put my finger on why, but that seems bad.

Destroy him/her otherwise he/she might repeat this again

@MisterSingh @molaram Nah, I'm white hat 😄

He has just responded and will fix it ASAP as possible 🥳

@PonySlaystation
http://quickmeme.com/img/45/...

@PonySlaystation GJ job

Heh, they're probably using a build tool that inlines environment variables so aaaaall the secrets go straight from their .env into the source

@PonySlaystation i'd have created a new key pair, put the public one on his server and sent him the private one. Then remove the leaked key. This way you ensure no damage can be done...

@eval You idea is interesting, but if I actively change anything on the server, I make myself targetable... I'd rather not touch anything 😉

@PonySlaystation This and might get legal issues if you actually change/modify anything on the server

Tell him by leaving a polite text file in the root of his server.

Heh... I published a little Lambda script for cleaning up EC2 snapshots and though I caught it myself, for a few minutes the IAM user creds were exposed in one of the source files.

git commit -m “I’ve made a terrible mistake”

@HiFiWiFiSciFi I hope you reversed the commit and didn't just commit a fix over it 😄