Anonymous Intelligence Signal

Exposed SMTP Credentials Found in LawGPT Repository History, GitGuardian Alert Warns

human The Office unverified 2026-05-15 07:48:33 Source: GitHub Issues

GitGuardian's automated scanning detected exposed SMTP credentials embedded in the git history of the viru0909-dev/LawGPT repository, flagging a security risk linked to the Nyay Setu platform. The credentials, found in application.properties files, predate recent contributions to the repository, suggesting the exposure has persisted for an extended period.

The exposure lets unauthorized parties send email through the configured mail server, which opens the way to spam distribution, phishing campaigns impersonating the Nyay Setu domain, or exhaustion of email sending quotas. If the exposed credentials belong to a Gmail account, attackers could potentially compromise the associated account entirely, expanding the scope of the breach beyond email abuse.

The reporter has outlined immediate remediation steps: rotate any exposed SMTP credentials without delay, use git-filter-repo to purge the sensitive data from git history, and ensure application.properties files containing live credentials are added to .gitignore. The incident underscores a recurring development workflow failure, sensitive configuration data committed to version control, which persists despite the widespread availability of secret scanning tools designed to prevent such exposures.
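A check that supports the remediation steps above, as an added example (not code from the report or the repository): it flags mail credential keys set to literal values, both in a file's lines and in the added lines of every commit that touched an application.properties file. It assumes Spring-style `spring.mail.username` and `spring.mail.password` keys, which the page does not name; the function names and sample lines are constructed.

```python
import re
import subprocess

# Assumed Spring-style key names; the page only names application.properties.
# A leading '#' or '!' is allowed: a commented-out credential is still exposed.
SECRET_KEY = re.compile(
    r"^\s*[#!]?\s*(spring\.mail\.(?:username|password))\s*[=:]\s*(.*?)\s*$")
# A bare ${ENV_VAR} placeholder holds no secret; ${VAR:default} still embeds one.
PLACEHOLDER = re.compile(r"^\$\{[A-Za-z_][A-Za-z0-9_.]*\}$")


def hardcoded_mail_secrets(lines):
    """Return (line_no, key) for credential keys set to a literal value.

    Values are never returned, so reports and CI logs do not re-leak them.
    """
    findings = []
    for no, line in enumerate(lines, 1):
        m = SECRET_KEY.match(line)
        if m and m.group(2) and not PLACEHOLDER.match(m.group(2)):
            findings.append((no, m.group(1)))
    return findings


def scan_history(repo="."):
    """Return (commit, key) for every commit, on any ref, that added a literal credential."""
    out = subprocess.run(
        ["git", "-C", repo, "log", "--all", "-p", "--format=commit %H",
         "--", "*application.properties"],
        capture_output=True, text=True, check=True).stdout
    hits, commit = [], None
    for line in out.splitlines():
        if line.startswith("commit "):
            commit = line.split()[1]
        elif line.startswith("+") and not line.startswith("+++"):
            hits += [(commit, key) for _, key in hardcoded_mail_secrets([line[1:]])]
    return hits


# Constructed sample lines (not taken from the repository), one case per line.
SAMPLE = """\
spring.mail.host=smtp.example.com
spring.mail.username=${SMTP_USERNAME}
spring.mail.password=constructed-not-a-real-secret
# spring.mail.password=old-constructed-value
spring.mail.password=${SMTP_PASSWORD:fallback-literal}
""".splitlines()

if __name__ == "__main__":
    print(hardcoded_mail_secrets(SAMPLE))
```

Running `scan_history()` before and after the git-filter-repo rewrite shows which commits carried literal values and whether any ref still does. Rotation is still required after a clean result, because existing clones and forks keep the old commits.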