We leaked 75 AWS keys to see who watches private repos turn public


Who's watching private repos turn public? We leaked 75 AWS keys to find out

June 6, 2026

Make a private repo public and it stays undiscovered for 6 minutes. Past that, the internet is reading it. We put a live AWS key in 75 throwaway repos, made each public for one of five timed windows from 60 seconds to 12 hours, 15 repos per window, and logged every use. The key was just a tripwire. What we wanted to know is how long it takes anyone watching to notice, and what their intent is once they have.

What follows are the answers, and then the part that matters more for most teams: without enterprise tooling, the repo could go public and nobody would reliably hear of it.

How fast the watchers noticed, and with what intent

Each dot in the chart below is one use of a key, placed by how long after the repo went public it landed, on a log scale.

Two things are visible. First, the earliest action on a newly public repo came at 6 minutes, and most first visits landed around minute 8. Second, keys are used even after the repos were hidden again, so going private is not enough to undo the exposure.

The parties that showed up split three ways. Only one went further than the rest and probed the account behind the key. Most did nothing but check, over and over, that the key still worked. And one was not an outside party at all: AWS, locking the key down on a signal from GitHub.

The one that went further

Outside parties used the keys 139 times. 5 of those came from a single host running the AWS SDK for Python. It called DescribeInstances to list EC2 machines and ListTables to list DynamoDB tables, mapping out the account rather than just confirming the key worked. That was the only hands-on activity in the whole run, and it touched just 2 repos.

The ones that only checked

The harvesters. 126 of the 139 uses came from a single operation on 2 OVH cloud IPs, every call a GetCallerIdentity check that the key was live and nothing more. It touched 32 repos and kept re-checking captured keys for a day; 38 of the 139 hits landed after the repo was already private again.

The TruffleHog-based scanner. 8 uses came from one Hetzner host running TruffleHog, the open-source secret scanner. It called GetCallerIdentity once per repo across 8 repos and moved on.

The email scanners. GitGuardian and a service called leakscanner found the keys and emailed us, GitGuardian on 9 repos, leakscanner on 1. We cannot tie any of the 139 uses to either of them; for all the data shows, they read the repo, emailed, and went no further.
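The three kinds of activity above can be told apart from the CloudTrail records a leaked key generates: a source that only calls GetCallerIdentity is checking liveness, a source that calls DescribeInstances or ListTables is mapping the account, and any call timestamped after the repo was made private again shows that hiding the repo did not end the exposure. The classifier below is an added example, not code from the Codatus post; the CloudTrail-style records, the access key ID, the IP addresses and the timestamps are all constructed placeholders.

```python
"""Classify uses of a leaked AWS access key from CloudTrail-style records.

Added example, not code from the Codatus post. Labels each source IP by what
it did with the key (liveness check vs. account enumeration) and counts how
many calls landed after the repo was already private again. All records,
key IDs, IPs and times below are constructed.
"""
from collections import defaultdict
from datetime import datetime, timezone

# Read-only calls that map out an account rather than just confirm a key works.
ENUMERATION_CALLS = {"DescribeInstances", "ListTables", "ListBuckets", "ListUsers", "ListRoles"}
# Calls that prove nothing beyond "the key is still valid".
LIVENESS_CALLS = {"GetCallerIdentity"}

# Constructed CloudTrail-like records (subset of the real record fields).
SAMPLE_RECORDS = [
    {"eventTime": "2026-06-01T10:06:10Z", "eventName": "GetCallerIdentity",
     "sourceIPAddress": "198.51.100.7", "userAgent": "aws-cli/2.15.0",
     "userIdentity": {"accessKeyId": "AKIAEXAMPLELEAKED000"}},
    {"eventTime": "2026-06-01T10:20:00Z", "eventName": "GetCallerIdentity",
     "sourceIPAddress": "198.51.100.7", "userAgent": "aws-cli/2.15.0",
     "userIdentity": {"accessKeyId": "AKIAEXAMPLELEAKED000"}},
    {"eventTime": "2026-06-01T11:05:00Z", "eventName": "GetCallerIdentity",
     "sourceIPAddress": "198.51.100.7", "userAgent": "aws-cli/2.15.0",
     "userIdentity": {"accessKeyId": "AKIAEXAMPLELEAKED000"}},
    {"eventTime": "2026-06-01T10:08:00Z", "eventName": "GetCallerIdentity",
     "sourceIPAddress": "203.0.113.9", "userAgent": "Boto3/1.34.0",
     "userIdentity": {"accessKeyId": "AKIAEXAMPLELEAKED000"}},
    {"eventTime": "2026-06-01T10:08:05Z", "eventName": "DescribeInstances",
     "sourceIPAddress": "203.0.113.9", "userAgent": "Boto3/1.34.0",
     "userIdentity": {"accessKeyId": "AKIAEXAMPLELEAKED000"}},
    {"eventTime": "2026-06-01T10:08:06Z", "eventName": "ListTables",
     "sourceIPAddress": "203.0.113.9", "userAgent": "Boto3/1.34.0",
     "userIdentity": {"accessKeyId": "AKIAEXAMPLELEAKED000"}},
    {"eventTime": "2026-06-01T10:09:00Z", "eventName": "GetCallerIdentity",
     "sourceIPAddress": "192.0.2.44", "userAgent": "TruffleHog",
     "userIdentity": {"accessKeyId": "AKIAEXAMPLELEAKED000"}},
]

# Constructed timeline for the sample: repo public at 10:00, private again at 10:30.
EXPOSED_AT = datetime(2026, 6, 1, 10, 0, 0, tzinfo=timezone.utc)
PRIVATE_AGAIN_AT = datetime(2026, 6, 1, 10, 30, 0, tzinfo=timezone.utc)


def parse_time(value: str) -> datetime:
    """CloudTrail eventTime is ISO 8601 in UTC with a trailing Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def classify_uses(records, exposed_at: datetime, private_again_at: datetime) -> dict:
    """Group records by source IP and label what each source did with the key."""
    by_ip = defaultdict(list)
    for rec in records:
        by_ip[rec["sourceIPAddress"]].append(rec)

    report = {}
    for ip, recs in by_ip.items():
        names = {r["eventName"] for r in recs}
        if names & ENUMERATION_CALLS:
            label = "enumeration"          # mapped the account, not just checked the key
        elif names <= LIVENESS_CALLS:
            label = "liveness-check"       # only asked "is this key still live?"
        else:
            label = "other"
        times = sorted(parse_time(r["eventTime"]) for r in recs)
        report[ip] = {
            "label": label,
            "calls": len(recs),
            "first_seen_after_s": int((times[0] - exposed_at).total_seconds()),
            "calls_after_private": sum(1 for t in times if t > private_again_at),
            "user_agents": sorted({r["userAgent"] for r in recs}),
        }
    return report


if __name__ == "__main__":
    for ip, info in classify_uses(SAMPLE_RECORDS, EXPOSED_AT, PRIVATE_AGAIN_AT).items():
        print(ip, info)
```

The grouping key is the source IP because that is how the post distinguishes its parties; on a real account you would add the access key ID and the user agent to the key, since one operator can rotate IPs and one IP can use several keys.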

Not an outside party: AWS

The moment a repo went public, GitHub’s free, built-in secret scanning kicked in and reported the exposed secret to AWS. AWS then attached a quarantine policy that strips the key of its dangerous permissions. That lockdown, the green dots in the chart, did not land until 4.5 to 9 hours after exposure. Because the catch is GitHub’s own, even the 60-second repos had their keys quarantined, the ones no outside party ever reached.

The blind spot below enterprise tools

Whoever showed up, the exposure was the same. A repo goes public, the internet starts reading at minute 6, and the source sits exposed beside the key. And the flip isn’t always an accident: turning a private repo public is a recognized way to exfiltrate code, watched for by detection rules and catalogued by MITRE. You can rotate a key; you can’t un-share code.

GitHub logs the flip and tells you nothing, the same as branch protection coming off, a check dropped, a reviewer removed, or scanning switched off. Tools that catch it do exist. The security-posture platforms big companies run will flag it, but they assume a security team to run them and a budget to match, so a smaller team that only wants to know when a repo setting changes has nothing built for it.
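GitHub does deliver these changes as webhook events, so a small team can hear of a flip without a posture platform. The handler below is an added example, not Codatus code: it verifies the delivery's X-Hub-Signature-256 HMAC, then turns the real GitHub event names for a repo going public ("repository" with action "publicized") and branch protection being removed or changed ("branch_protection_rule" with action "deleted" or "edited") into alert records. The webhook secret, repository names and payloads are constructed.

```python
"""Turn GitHub webhook deliveries into alerts for watched repo-setting changes.

Added example, not code from the Codatus post. Event and header names are
GitHub's real ones; the secret, payloads and repository names are constructed.
"""
import hashlib
import hmac
import json

# (X-GitHub-Event header, payload "action") -> alert description
WATCHED = {
    ("repository", "publicized"): "repo made public",
    ("branch_protection_rule", "deleted"): "branch protection removed",
    ("branch_protection_rule", "edited"): "branch protection changed",
}


def verify_signature(secret: bytes, body: bytes, signature_header: str) -> bool:
    """GitHub signs the raw request body with HMAC-SHA256 under the webhook
    secret and sends it as 'sha256=<hex>'. Compare in constant time."""
    prefix = "sha256="
    if not signature_header.startswith(prefix):
        return False
    expected = hmac.new(secret, body, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, signature_header[len(prefix):])


def classify_delivery(event_name: str, payload: dict):
    """Return an alert dict for a watched (event, action) pair, else None."""
    key = (event_name, payload.get("action"))
    if key not in WATCHED:
        return None
    return {
        "repo": payload.get("repository", {}).get("full_name", "unknown"),
        "actor": payload.get("sender", {}).get("login", "unknown"),
        "what": WATCHED[key],
    }


def handle_delivery(secret: bytes, headers: dict, body: bytes):
    """Full path for one delivery: reject bad signatures before parsing JSON."""
    if not verify_signature(secret, body, headers.get("X-Hub-Signature-256", "")):
        return {"error": "bad signature"}
    return classify_delivery(headers.get("X-GitHub-Event", ""), json.loads(body))


def sign(secret: bytes, body: bytes) -> str:
    """Produce the header GitHub would send; used here only to build sample deliveries."""
    return "sha256=" + hmac.new(secret, body, hashlib.sha256).hexdigest()


# Constructed sample delivery: a repo flipped to public by a user.
SECRET = b"constructed-webhook-secret"
SAMPLE_BODY = json.dumps({
    "action": "publicized",
    "repository": {"full_name": "example-org/internal-tool"},
    "sender": {"login": "dev-user"},
}).encode()
SAMPLE_HEADERS = {
    "X-GitHub-Event": "repository",
    "X-Hub-Signature-256": sign(SECRET, SAMPLE_BODY),
}

if __name__ == "__main__":
    print(handle_delivery(SECRET, SAMPLE_HEADERS, SAMPLE_BODY))
```

Wire `handle_delivery` behind any HTTP endpoint GitHub can reach and route non-None results to wherever the team already looks (chat, email, pager); the signature check is what keeps a forged POST from raising a false alert or suppressing a real one.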

Closing the blind spot

That’s what we’re building Codatus for: a read-only install that watches the settings this post is about, a repo going public, branch protection coming off, a check or reviewer dropped, scanning switched off, and tells you the moment one changes. We’re planning to launch at $99/month, with early users locked in at that rate.
