Comments
-
@theabbie No, the credentials work... I've just connected to the server to make sure they're not dummy creds 😅
The script (containing the creds) seems to be added during package creation on the server as it is not in the public GitHub repo...
-
@MisterSingh @molaram Nah, I'm white hat 😄
He has just responded and will fix it ASAP as possible 🥳
-
Heh, they're probably using a build tool that inlines environment variables so aaaaall the secrets go straight from their .env into the source
-
@PonySlaystation I'd have created a new key pair, put the public one on his server and sent him the private one. Then remove the leaked key. This way you ensure no damage can be done...
-
@eval Your idea is interesting, but if I actively change anything on the server, I make myself targetable... I'd rather not touch anything 😉
-
@PonySlaystation This and might get legal issues if you actually change/modify anything on the server
-
Heh... I published a little Lambda script for cleaning up EC2 snapshots and though I caught it myself, for a few minutes the IAM user creds were exposed in one of the source files.
git commit -m "I've made a terrible mistake"
-
@HiFiWiFiSciFi I hope you reversed the commit and didn't just commit a fix over it 😄
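Two of the comments above describe the same failure from different angles: a bundler that inlines `.env` values into the shipped source, and IAM creds that sat in a source file for a few minutes before the commit was caught. The check a practitioner would want is to scan what `npm pack` produces (the exact tarball `npm publish` would upload) before publishing. The script below is an added example for this thread, not code posted by the ranter or any commenter. It assumes you already ran `npm pack` and pass the resulting `.tgz` path on the command line; run without arguments it scans a constructed tarball that stands in for a leaky build. The AWS key patterns follow the publicly documented formats (`AKIA`/`ASIA` prefix plus 16 characters; 40-character secret), and the sample key material is the example key pair from the AWS documentation, not a real credential.

```python
"""Scan an npm tarball (output of `npm pack`) for inlined secrets.

Added example for the devRant thread on SSH creds shipped in an npm
package; not code from the ranter or any commenter.
"""
import io
import re
import sys
import tarfile

# One regex per leak type discussed in the thread. The AWS formats are
# the documented public ones; the last pattern catches what a bundler
# leaves behind after replacing process.env.FOO with a string literal.
PATTERNS = {
    "ssh_private_key": re.compile(
        r"-----BEGIN (?:RSA |OPENSSH |EC |DSA )?PRIVATE KEY-----"),
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "aws_secret_access_key": re.compile(
        r"(?i)secret_?access_?key\s*[:=]\s*['\"]?([A-Za-z0-9/+=]{40})"),
    "hardcoded_credential": re.compile(
        r"(?i)\b(?:password|passwd|secret)\b\s*[:=]\s*['\"][^'\"]{4,}['\"]"),
}


def scan_tarball(data: bytes, max_file_bytes: int = 1_000_000):
    """Return [(member name, pattern name, line number)] for every hit.

    Files larger than max_file_bytes are skipped: minified bundles with
    huge single lines are better checked with a dedicated scanner.
    """
    findings = []
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tar:
        for member in tar:
            if not member.isfile() or member.size > max_file_bytes:
                continue
            fh = tar.extractfile(member)
            if fh is None:
                continue
            text = fh.read().decode("utf-8", errors="replace")
            for lineno, line in enumerate(text.splitlines(), 1):
                for name, pattern in PATTERNS.items():
                    if pattern.search(line):
                        findings.append((member.name, name, lineno))
    return findings


def build_tarball(files: dict) -> bytes:
    """Build an in-memory .tgz with the same `package/` prefix npm uses."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, content in files.items():
            payload = content.encode()
            info = tarfile.TarInfo(name)
            info.size = len(payload)
            tar.addfile(info, io.BytesIO(payload))
    return buf.getvalue()


# Constructed stand-in for a package whose build step inlined .env
# values; the AWS values are the documented AWS example key pair.
SAMPLE_FILES = {
    "package/package.json": '{"name": "example-pkg", "version": "1.0.0"}\n',
    "package/dist/deploy.js": (
        'const host = "example.invalid";\n'
        'const user = "deploy";\n'
        'const password = "correct-horse-battery-staple";\n'
        'const key = "-----BEGIN OPENSSH PRIVATE KEY-----\\n...";\n'
    ),
    "package/dist/config.js": (
        "const aws = {\n"
        '  accessKeyId: "AKIAIOSFODNN7EXAMPLE",\n'
        '  secretAccessKey: "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",\n'
        "};\n"
    ),
    "package/README.md": "Nothing secret here.\n",
}


def main(argv):
    if len(argv) > 1:
        with open(argv[1], "rb") as fh:
            data = fh.read()
    else:
        data = build_tarball(SAMPLE_FILES)
    hits = scan_tarball(data)
    for name, kind, lineno in hits:
        print(f"{name}:{lineno}: {kind}")
    # Non-zero exit so a prepublish hook can block `npm publish`.
    return 1 if hits else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Wire it into `"prepublishOnly"` in `package.json` (that hook name is npm's own) so the check runs on the packed tarball and fails the publish on any hit; the regexes are deliberately narrow so a false positive is cheap to inspect and a miss is the real risk.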
Damn... some dude has his full SSH credentials to his webserver in his published NPM package...
I have to tell him 😅
rant
ssh
credentials
security fail
npm