Exposure of Sensitive Credentials on Code Formatting Sites
Sensitive credentials, API keys, private keys, and configuration files have been exposed on widely used code formatting sites such as JSONFormatter and CodeBeautify. These platforms, intended for formatting and sharing code snippets, have inadvertently published thousands of secrets, making them accessible to unauthorized parties and increasing the risk of compromise for affected organizations and individuals.
Security researchers and news outlets have highlighted the scale of the exposure, warning that the leaked information could be exploited by threat actors for malicious purposes. The incident underscores the importance of exercising caution when sharing code online and the need for platforms to implement stronger safeguards to prevent the unintentional disclosure of sensitive data.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
18 events from the most recent confirmed update back to the earliest known activity.
Delta Dental of Virginia disclosed large data breach
Delta Dental of Virginia disclosed a data breach affecting a large number of individuals, according to the newsletter. The exact disclosure date is not specified in the provided content.
Harvard disclosed data breach
Harvard was reported to have disclosed a data breach. The newsletter summary does not include the number of affected individuals or a prior disclosure date.
OnSolve CodeRED emergency alert system hit by cyberattack
A cyberattack affecting the OnSolve CodeRED emergency alert system was disclosed in the roundup. The source summary does not provide additional timing details.
Multiple London councils suffered cyberattacks
The newsletter reported cyberattacks affecting multiple London councils. The summary does not identify a more specific incident date or individual council timelines.
ShadowPad attacks exploited patched WSUS RCE flaw CVE-2025-59287
Attackers using ShadowPad were reported exploiting a newly patched WSUS remote code execution vulnerability tracked as CVE-2025-59287. The event combines both the vulnerability context and observed post-patch exploitation activity.
Purelogs infostealer malspam campaign observed
A malspam campaign distributing the Purelogs infostealer was reported in the newsletter. No more precise timing is given for when the campaign began.
Spyware and RAT campaigns targeted WhatsApp and Signal users
Researchers reported spyware and remote access trojan activity aimed at users of WhatsApp and Signal. The newsletter characterizes this as a significant mobile and messaging threat trend.
Shai-Hulud 2.0 supply chain attack hit 25,000+ npm packages
A supply chain attack dubbed Shai-Hulud 2.0 was reported to have impacted more than 25,000 npm repositories. This marks a major software ecosystem compromise described in the roundup.
OpenAI user data exposed through Mixpanel cyberattack
The newsletter reported exposure of OpenAI user data as a result of a cyberattack involving Mixpanel. The summary does not specify when the attack or disclosure first occurred.
Asahi breach disclosed as affecting 2 million people
A data breach at Asahi was reported to have affected 2 million individuals. The roundup provides impact details but no earlier disclosure date.
ASUS patched critical AiCloud firmware vulnerability
ASUS released a patch for a critical vulnerability in AiCloud firmware. The newsletter notes the fix but does not provide the exact patch release date.
ShadowV2 Mirai variant exploiting IoT devices identified
Researchers reported a new Mirai variant called ShadowV2 that targets vulnerable IoT devices. The roundup describes it as an active malware development without a more specific discovery date.
French Soccer Federation data breach reported
A data breach affecting the French Soccer Federation was disclosed in the newsletter roundup. The summary does not include timing details beyond the publication date.
Tor Project prepared major encryption upgrade
The Tor Project was reported to be preparing a major encryption upgrade, signaling a significant planned security enhancement for the anonymity network. No separate event date is stated in the source summary.
Microsoft enhanced Defender for Office 365 against malicious invites
Microsoft updated Defender for Office 365 with protections intended to better detect or block malicious meeting invites. The summary presents this as a product security improvement without a more precise date.
HashJack attack targeting AI browsers and assistants reported
Security researchers identified a new 'HashJack' attack aimed at AI browsers and assistants. The report frames it as an emerging threat but does not specify when it was first observed.
Code formatting sites exposed sensitive credentials
Researchers reported that popular code formatting sites exposed sensitive credentials, highlighting risks from developer tooling and web services handling pasted code or secrets. No earlier date is given in the reference.
Gainsight-published Salesforce applications breach disclosed
A breach involving Salesforce applications published by Gainsight was reported, exposing a notable enterprise software security incident. The reference does not provide a more specific incident date, so the publication date is used as the estimate.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
2 references tracked. Mallory keeps watching after this page renders.
See the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Mass Exposure of Credentials via Public Code Formatting Tools
Researchers from WatchTowr identified a significant security risk involving the public exposure of sensitive credentials and secrets through popular online code formatting tools, specifically JSONFormatter and CodeBeautify. These platforms, widely used by developers to format and share code, allow users to save their code snippets, which are then made accessible through a 'Recent Links' feature. Due to predictable URL structures and a lack of access controls, over 80,000 user pastes containing sensitive data—including Active Directory credentials, API keys, private keys, and configuration files—were found to be publicly accessible. The exposed data originated from organizations in critical sectors such as government, banking, healthcare, telecommunications, and cybersecurity. The WatchTowr team demonstrated the real-world risk by planting canary tokens in these services, which were quickly accessed and used by unknown parties, confirming that malicious actors are actively scraping these sources for credentials. The incident highlights the dangers of uploading sensitive information to third-party web services without proper security controls and underscores the need for organizations to educate staff about the risks of using public tools for handling confidential data. The findings have prompted calls for both improved platform security and greater user awareness to prevent similar exposures in the future.
Mar 21, 2026
Risks of Exposed Secrets and Weak Security in Public Web Repositories
Sensitive information such as passwords, API keys, and cloud credentials are frequently leaked in public code repositories like GitHub, often due to developer oversight. Attackers and automated bots actively monitor these repositories, quickly exploiting any exposed secrets to gain unauthorized access to systems and data, sometimes resulting in significant breaches. The prevalence of such leaks highlights a critical and ongoing risk for organizations that rely on public version control systems without robust security controls. Smaller websites are particularly vulnerable, as they often lack dedicated security teams, have limited budgets for penetration testing, and use outdated technologies or frameworks. These factors make them attractive targets for bug bounty hunters and malicious actors alike, who exploit logic flaws and misconfigurations. The client-server architecture of web applications further expands the attack surface, with vulnerabilities often hidden in the way requests and responses are handled, underscoring the importance of understanding web mechanics to identify and mitigate security risks effectively.
Mar 21, 2026
Researchers Find 1,748 Valid API Keys Exposed Across Public Websites
Researchers from Stanford University, the University of California, Davis, and TU Delft found **1,748 valid API credentials** exposed across roughly **10,000 public webpages** after analyzing about **10 million websites**, revealing a broad secret-leakage problem outside traditional code repositories. The credentials, identified with TruffleHog and detailed in the study *Keys on Doormats: Exposed API Credentials on the Web*, provided access to services including **AWS**, **GitHub**, **Stripe**, and **OpenAI**. The exposed secrets were tied to multinational corporations, critical infrastructure operators, government agencies, and at least one global bank. Most of the exposed credentials were embedded in **JavaScript** resources, often inside bundled files generated by tools such as Webpack, creating direct paths into cloud infrastructure, payment systems, and software repositories. Researchers said AWS keys made up more than **16%** of verified exposures, and cited cases including cloud credentials linked to a global bank’s core infrastructure and firmware repository credentials associated with drones and remote-controlled devices, raising the risk of malicious firmware updates. After responsible disclosure, the number of exposed credentials dropped by about half within two weeks, but the study found such secrets often remain publicly accessible for an average of **12 months** and sometimes for years.
Apr 2, 2026