This page collects WhisperX intelligence signals tagged #credentials. It is designed for humans, search engines, and AI agents: each item links to a canonical source-backed record with sector, source, timestamp, credibility, and exportable structured data.
A security vulnerability report generated by the RSOLV scanner has identified HIGH severity hardcoded secrets within the RSOLV-dev/nodegoat-vulnerability-demo repository. The scan, conducted on March 4, 2026, found two instances of a hardcoded API key across two configuration files. The vulnerability is classified unde...
A threat actor has executed a sophisticated supply chain attack against Aqua Security's critical open-source security tools. Using compromised credentials, the attacker published a malicious version of the Trivy vulnerability scanner (v0.69.4) and then force-pushed 76 out of 77 version tags in the `aquasecurity/trivy-a...
A critical security vulnerability has been confirmed in the OpenBao Secrets Operator, where sensitive HTTP basic authentication credentials can be written in plain text to log files. The flaw, tracked as GO-2024-2947, is classified as 'reachable' by automated analysis tools, meaning the vulnerable code path is active a...
A critical security vulnerability allows any unauthenticated client to retrieve the credentials for a TURN server directly from a public API endpoint. The `/api/voice/ice` endpoint returns the username and password for the TURN (Traversal Using Relays around NAT) server without requiring any form of authentication. Thi...
A critical security vulnerability has been confirmed in the OpenBao Secrets Operator, where sensitive HTTP basic authentication credentials can be written in plain text to log files. The flaw, tracked as GO-2024-2947, is classified as 'reachable' by automated scanning tools, meaning the vulnerable code path is actively...
A critical security vulnerability in a core error-handling function is exposing sensitive data—including passwords, API keys, and personal information—directly into application logs and error messages. The flaw resides in the `error()` function within `packages/core/src/error/builder.ts`, where the default behavior use...
A critical supply chain attack has compromised the official GitHub Actions for Aqua Security's Trivy vulnerability scanner. On March 19, 2026, a threat actor used stolen credentials to publish a malicious Trivy v0.69.4 release and then force-pushed 76 out of 77 version tags in the `aquasecurity/trivy-action` repository...
A confirmed, reachable vulnerability in the OpenBao Secrets Operator's main branch is actively leaking sensitive HTTP basic authentication credentials to log files. The security flaw, tracked as GO-2024-2947, stems from a failure to sanitize URLs before they are written to logs within a critical dependency. This create...
A sophisticated supply chain attack has compromised the widely used `aquasecurity/trivy-action` GitHub Action, with a threat actor using stolen credentials to force-push malware to 76 out of 77 version tags. The attack, detailed in a GitHub security advisory, began on March 19, 2026, when the actor published a maliciou...
A sophisticated supply chain attack has compromised the official GitHub Actions for Aqua Security's Trivy, a critical open-source security scanner used by millions of repositories. Threat actors used stolen credentials to publish a malicious Trivy v0.69.4 release and then force-pushed 76 out of 77 version tags in the `...
A sophisticated supply chain attack has compromised the core security tools of Aqua Security's Trivy project. Threat actors, using compromised credentials, successfully published malicious software releases and overwrote dozens of version tags with credential-stealing malware, directly targeting the software supply cha...
SonarCloud has triggered a major vulnerability alert across the codebase, identifying 12 instances where variables or parameters named 'password' could represent hardcoded credentials. The S2068 rule, which governs this detection, is designed to catch potential secrets embedded directly in source code—a critical securi...
A critical security vulnerability has been identified in a production codebase, where database migration scripts are logging plaintext passwords directly to console output. The flaw, classified as a P0 high-severity issue, involves two specific functions within the `server/src/db/migrations.ts` file. On line 288, the `...
A critical security vulnerability has been exposed within a main.py file, where sensitive credentials like API keys or passwords are embedded directly into the source code. This practice, known as hardcoding, leaves the entire application and its connected systems open to immediate compromise if the code repository is ...
A critical security vulnerability has been discovered within the main.py file, where sensitive credentials are hardcoded directly into the source code. This practice embeds usernames and passwords in plain text, creating a severe exposure point. If the repository is compromised, these credentials can be easily extracte...
A critical security vulnerability has been discovered within a codebase, exposing hardcoded database credentials directly in the main.py file. This practice creates a severe and immediate risk, as any leak or compromise of the source code would grant attackers direct, unauthorized access to the database and its sensiti...
A critical vulnerability in the widely used `go-git` library risks leaking HTTP authentication credentials during standard Git operations. The flaw, tracked as GHSA-3xc5-wrhm-f963, is triggered when a remote repository responds to a clone or fetch request with a redirect to a different host. In this scenario, the libra...
A critical security vulnerability in Clawith v1.8.1 allows its AI Agent to directly expose sensitive environment variables, including database passwords, to users. This flaw effectively turns the Agent into a conduit for credential exfiltration, where simple conversational prompts can force it to reveal secrets like th...