
Check out this free automated tool that hunts for exposed AWS secrets in public repos

A free automated tool that lets anyone scan public GitHub repositories for exposed AWS credentials has been released.

Before you say anything, yes, we’re pretty sure similar programs and services are out there, but hey, where’s the harm in highlighting today the fact that this sort of software is easily available?

Security engineer Anmol Singh Yadav built AWS-Key-Hunter after he found more than 100 exposed AWS access keys, some with high privileges, in public repositories, “just waiting to be exploited,” as he wrote in a blog about the discovery and the custom-built tool. 

Leaked access keys can be abused by criminals to hijack people’s cloud accounts and access their AWS resources. This leads to all manner of evil deeds: stealing compute power, illegally mining cryptocurrency, exfiltrating financial details and other sensitive data and then demanding a ransom payment, and changing system configurations, just to name a few.

As we said, there are existing techniques and tools that make it easier to find leaked secrets – presumably your own so you can take the necessary steps to revoke the compromised access key and create a new one.

GitHub dorking, for example, refers to the practice of using GitHub’s advanced search operators to construct queries that can locate environment files, JSON configurations, and source code files potentially containing credentials. However, because it relies on static keyword searches, this method may not reveal secrets that have been obfuscated or encoded.


There’s also TruffleHog, an open-source tool that scans Git repositories for high-entropy strings and credential patterns to help identify potential hardcoded AWS keys. High-entropy strings are character sequences designed to be extremely unpredictable, a critical feature for ensuring strong security.

However, TruffleHog isn’t designed for real-time monitoring and may sometimes generate false positives “due to its reliance on entropy-based detection,” Yadav argued. 

So he developed an automated AWS key detection tool that continuously monitors GitHub repositories for exposed keys and sends real-time alerts when it detects a secret.

AWS-Key-Hunter periodically retrieves commits from target repositories and scans for AWS keys in both plaintext and base64-encoded formats. When it identifies an exposed key, it sends an immediate alert to a dedicated Discord channel.

And while Yadav says this type of automated tool “helps catch leaks before attackers do,” it could also be weaponized, if pointed at another user’s public repos. 

There is a big disclaimer on the blog and Yadav’s GitHub. 

“This tool was created for educational and experimental purposes only,” he wrote. “They are not intended to be used for malicious activities or to harm others in any way.”

But criminals are an innovative bunch, especially when a free tool or proof-of-concept is presented to them, and aren’t always keen to follow the don’t-use-for-evil rules.

When asked if he was concerned about the tool being weaponized, Yadav told The Register “this was intended as a social experiment to understand the scale of publicly exposed AWS keys on GitHub.”

Yadav said he was surprised by what he found when searching for exposed secrets, and added that his findings underscore the need for better security. 

“I completely understand the risks associated with such tools, which is why I included clear disclaimers to emphasize ethical use,” Yadav said. “My goal was never to weaponize it but rather to raise awareness about how common these exposures are and encourage better security hygiene.” ®
