AWS Partners A.I CyberSecurity Scoring
AWS Partners
Company Information
Website: https://aws.amazon.com/partners/work-with-partners/
Employees number: None
Number of followers: 48,207
NAICS: 5415
Industry Type: IT Services and IT Consulting
Homepage: amazon.com
AWS Partners Risk Score (AI oriented)
Between 600 and 649
AWS Partners • IT Services and IT Consulting
Updated: 02/04/2026
629/1000
Poor
Caa
AWS Partners Global Score (TPRM)
AWS Partners • IT Services and IT Consulting
Score locked

AWS Partners • Poor
Current Score
629 Caa (POOR)
Scale: 0 to 1000
4 incidents
-35.25 avg impact
Incident timeline with MITRE ATT&CK tactics, techniques, and mitigations.
JUNE 2026
637
MAY 2026
632
APRIL 2026
634
Vulnerability
02 Apr 2026 • AWS Partners
GitHub, Stripe and AWS: Thousands of API credentials exposed on public websites
Thousands of API Credentials Exposed Across 10,000 Websites, Researchers Warn
629
CRITICAL-5
AWSGITSTR1775163155
A recent analysis of 10 million websites has revealed nearly 2,000 exposed API credentials across 10,000 webpages, posing a significant security risk to organizations. Conducted by researchers from Stanford University, the University of California, Davis, and TU Delft, the study used the tool TruffleHog to scan for sensitive credentials embedded in public-facing web content.
The findings, detailed in a preprint paper, identified 1,748 valid credentials for major services, including AWS, GitHub, and Stripe. These credentials, belonging to multinational corporations, critical infrastructure providers, and government agencies, grant programmatic access to cloud platforms, payment systems, and firmware repositories. Among the most concerning discoveries was a global bank exposing cloud credentials on its website, potentially allowing access to core infrastructure. Another case involved firmware repository credentials for drones and remote-controlled devices, raising concerns about malicious updates.
The majority of exposed credentials were found in JavaScript files, with AWS credentials accounting for over 16% of verified exposures. Researchers emphasized that this overlooked attack vector (credentials embedded in webpages rather than code repositories) presents a direct threat to sensitive systems. The study underscores the need for organizations to monitor and secure publicly accessible web assets to prevent unauthorized access.
MARCH 2026
675
FEBRUARY 2026
673
JANUARY 2026
745
Breach
30 Jan 2026 • AWS Partners
DigitalOcean, OVH and AWS: Moltbot Operators Leak Control Panels via Exposed mDNS Traffic
Moltbot Framework Exposes 1,400+ Instances via mDNS Misconfigurations
672
CRITICAL-73
AWSDIGOVH1769784401
Security researchers have uncovered a widespread exposure of 1,487 Moltbot instances globally, leaking sensitive operational metadata and messaging platform credentials through misconfigured multicast DNS (mDNS) broadcasts. The open-source framework, designed for autonomous agent orchestration, inadvertently disclosed system-level details, including hostnames, filesystem paths, service ports, and identity artifacts, to any device on the same network segment.
### Key Findings
- Exposed Data: Full machine hostnames, Clawdbot Control panel ports (18789), SSH ports, internal IPs, and messaging platform credentials (Signal, Telegram, WhatsApp) containing registration secrets and identity keys.
- Geographic Spread: Instances were found across 53 countries, with the highest concentration in the U.S. Major hosting providers included DigitalOcean, AWS, and OVH.
- Accessible Control Panels: 88 instances had publicly exposed web interfaces, with 66 leaking both mDNS and web access simultaneously.
- Credential Leakage: Open directory listings revealed operational logs, cryptographic material, and runtime caches, enabling full agent impersonation without exploiting vulnerabilities.
- Network Reconnaissance: mDNS broadcasts, intended for local service discovery, acted as pre-authentication metadata leaks, exposing systems in workplace Wi-Fi, co-working spaces, and university networks.
### Deployment Failures & Attack Surface
The exposure stems from poor deployment hygiene rather than software flaws. Many instances self-announced internal structures via mDNS, providing attackers with reconnaissance data without active probing. A dedicated honeypot with 25 open ports suggested early attacker interest, while 635 accessible web control interfaces further expanded the attack surface.
The combination of service advertisements, open directories, and credential leaks creates pre-authentication compromise risks, allowing adversaries to bypass authentication, hijack agent identities, or conduct phishing and lateral movement attacks. The findings highlight systemic misconfigurations in Moltbot deployments, where operators often overlook mDNS implications and basic access controls.
DECEMBER 2025
761
Cyber Attack
29 Dec 2025 • AWS Partners
LinkedIn and AWS: FIN6 exploits HR workflows to breach corporate defenses
FIN6 Skeleton Spider Campaign Targeting HR Professionals via Fake Job Applications
745
LOW-16
LINAWS1766995316
FIN6 Exploits Cloud Infrastructure in Sophisticated HR-Targeted Phishing Campaign
The financially motivated cybercrime group FIN6 (also known as Skeleton Spider) is leveraging fake job applications and trusted cloud services to target human resources (HR) professionals in a highly evasive social engineering campaign. Researchers at DomainTools uncovered the operation, which combines professional networking platforms like LinkedIn and Indeed with cloud-hosted malware infrastructure to bypass traditional security defenses.
### How the Attack Works
1. Initial Contact – Attackers pose as job seekers on professional platforms, engaging recruiters to build rapport before sending phishing emails with malicious links.
2. Fake Resume Sites – Domains mimicking real applicant names (e.g., bobbyweisman[.]com, ryanberardi[.]com) are registered via GoDaddy’s anonymous services and hosted on AWS EC2 or S3, blending into legitimate cloud traffic.
3. Sophisticated Evasion – The sites employ traffic filtering to distinguish targets from security researchers, checking IP reputation, geolocation, OS, and browser fingerprints. Only residential Windows users bypass CAPTCHA walls to receive malicious ZIP files containing the More_eggs backdoor.
4. Malware Deployment – More_eggs, a modular JavaScript backdoor, operates in memory to evade detection, enabling credential theft, command execution, and follow-on attacks, including ransomware deployment.
### Why HR is a Prime Target
HR teams frequently interact with external contacts and handle unsolicited communications, making them vulnerable to social engineering. The campaign exploits this trust, using realistic job lures to bypass email filters and endpoint security. FIN6’s shift from point-of-sale (POS) breaches to enterprise ransomware underscores its evolution toward higher-value targets.
### Cloud Abuse & Detection Challenges
Attackers favor AWS and other cloud platforms due to:
- Low-cost setup (free-tier abuse or compromised billing accounts).
- Trusted IP ranges that evade enterprise network filters.
- Scalability for hosting malicious infrastructure.
The campaign highlights gaps in perimeter-based security, as traditional defenses struggle to detect threats embedded in legitimate cloud services. Security teams are advised to monitor for unusual traffic patterns and suspicious file types linked to cloud-hosted malware.
### AWS Response & Broader Implications
An AWS spokesperson stated the company enforces terms prohibiting illegal use and acts swiftly on abuse reports. However, the incident raises questions about balancing cloud accessibility with security controls, particularly as threat actors increasingly exploit trusted infrastructure.
FIN6’s operation demonstrates how low-complexity phishing, when paired with cloud evasion techniques, can outmaneuver even advanced detection tools—reinforcing the need for holistic security strategies that address both technical and human vulnerabilities.
NOVEMBER 2025
761
OCTOBER 2025
761
SEPTEMBER 2025
761
Cyber Attack
18 Sep 2025 • AWS Partners
Salesforce
ShinyHunters Exploits Compromised Drift OAuth Tokens to Steal 1.5B Salesforce Records
714
CRITICAL-47
SAL5732257091825
The ShinyHunters extortion group exploited compromised Drift OAuth tokens linked to Salesloft to steal over 1.5 billion Salesforce records from 760 companies. Attackers used social engineering and malicious OAuth apps to infiltrate Salesforce environments, exfiltrating massive CRM data, including 250M Account records, 579M Contact records, 171M Opportunity records, 60M User records, and 459M Case records. The breach originated from a GitHub repository compromise at Salesloft, where attackers used TruffleHog to extract secrets, including OAuth tokens for Drift and Drift Email, enabling unauthorized access to Salesforce-integrated systems.
The stolen Case data was further mined for AWS keys, Snowflake tokens, and other credentials, facilitating deeper intrusions into victim networks. High-profile targets allegedly include Google, Cloudflare, Palo Alto Networks, Zscaler, Tenable, CyberArk, and others. The attackers demanded ransom payments to prevent data leaks, while also searching for additional secrets to expand their campaign.
The FBI issued an advisory on the threat actors (UNC6040/6395), warning of ongoing risks. Salesforce advised customers to enforce MFA, least-privilege access, and stricter OAuth app management to mitigate exposure.
AUGUST 2025
761
JULY 2025
761
Frequently Asked Questions
What is the current A.I Rankiteo Cyber Score for AWS Partners?
What was AWS Partners' A.I Rankiteo Cyber Score in May 2026?
What was AWS Partners' A.I Rankiteo Cyber Score in April 2026?
What was AWS Partners' A.I Rankiteo Cyber Score in March 2026?
What was AWS Partners' A.I Rankiteo Cyber Score in February 2026?
What was AWS Partners' A.I Rankiteo Cyber Score in January 2026?
What was AWS Partners' A.I Rankiteo Cyber Score in December 2025?
What was AWS Partners' A.I Rankiteo Cyber Score in November 2025?
What was AWS Partners' A.I Rankiteo Cyber Score in October 2025?
What was AWS Partners' A.I Rankiteo Cyber Score in September 2025?
What was AWS Partners' A.I Rankiteo Cyber Score in August 2025?
What was AWS Partners' A.I Rankiteo Cyber Score in July 2025?
What is the average per-incident point impact on AWS Partners' A.I Rankiteo Cyber Score over the past 12 months?
Where can I access detailed records of all cyber incidents associated with AWS Partners?
Where can I find a summary of the A.I Rankiteo Risk Scoring methodology?
Where can I view AWS Partners' profile page on Rankiteo?
How accurate is the A.I Rankiteo Risk Scoring methodology?