The leaks have been collected by Tillie Kottmann, a developer and reverse engineer, from various sources and from their own hunting for misconfigured devops tools that offer access to source code… According to Bank Security, a researcher focused on banking threats and fraud, code from more than 50 companies is published in the repository…
Kottmann told BleepingComputer that they find hardcoded credentials in the easily accessible code repositories, which they try to remove as best they can… Kottmann also says that they comply with takedown requests and gladly provide information that would strengthen the security of a company’s infrastructure. One leak from Daimler AG, the corporation behind the Mercedes-Benz brand, is no longer present in the repository. Another empty folder has Lenovo in its name. However, judging by the number of DMCA notices received (estimated at up to seven) and the amount of direct contact from legal or other representatives, many companies may not be aware of the leaks…
Reviewing some of the code leaked on Kottmann’s GitLab server revealed that some of the projects have been made public by their original developer or had been last updated a long time ago. Nevertheless, the developer told us that there are more companies with misconfigured devops tools exposing source code. Furthermore, they are exploring servers running SonarQube, an open-source platform for automated code auditing and static analysis to uncover bugs and security vulnerabilities.
Kottmann believes there are thousands of companies that expose proprietary code by failing to properly secure SonarQube installations.
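As an added illustration of the hardcoded-credentials point above, here is a small pre-commit style scanner that flags credential-shaped string literals in source files and uses a Shannon entropy threshold to skip placeholders. This is example code written for this page, not Kottmann's tooling or anything from the repository; the rule patterns, placeholder list and sample file are constructed for the example.

```python
import math
import re

# Detection rules (constructed for this example). "AKIA" plus 16 upper-case
# alphanumerics is the documented AWS access key id format.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    # keyword = "literal", where the literal has at least 8 non-space characters
    "generic_assignment": re.compile(
        r"(?i)(password|passwd|secret|api[_-]?key|token)\s*[:=]\s*['\"]([^'\"\s]{8,})['\"]"
    ),
}

# Literal values that are almost always placeholders rather than real secrets.
PLACEHOLDERS = {"changeme", "password", "example", "your_password_here"}


def shannon_entropy(value):
    """Bits of entropy per character; random-looking secrets score high."""
    if not value:
        return 0.0
    n = len(value)
    counts = {}
    for ch in value:
        counts[ch] = counts.get(ch, 0) + 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_source(text, path="<memory>", min_entropy=3.0):
    """Return one finding (path, line, rule) per likely hardcoded credential."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for rule, rx in PATTERNS.items():
            m = rx.search(line)
            if not m:
                continue
            if rule == "generic_assignment":
                value = m.group(2)
                # Placeholders and low-entropy words are the main false-positive
                # source for keyword rules, so they are dropped here.
                if value.lower() in PLACEHOLDERS or shannon_entropy(value) < min_entropy:
                    continue
            findings.append({"path": path, "line": lineno, "rule": rule})
    return findings


# Constructed sample file, not code from any leaked repository.
SAMPLE_SOURCE = """\
# constructed sample
DB_PASSWORD = "changeme"                    # known placeholder: skipped
API_KEY = os.environ["API_KEY"]             # read from environment: no literal
aws_key = "AKIAIOSFODNN7EXAMPLE"            # AWS documentation example id: flagged
secret = "supersecret"                      # dictionary word, low entropy: skipped
token = 'q8Zp2Lx9vT4wR7sK1mN3bH6yJ0dF5gA2'  # high-entropy literal: flagged
"""

if __name__ == "__main__":
    for f in scan_source(SAMPLE_SOURCE, "settings.py"):
        print(f"{f['path']}:{f['line']}: {f['rule']}")
```

The entropy threshold trades recall for precision: the "supersecret" line shows a real weak password slipping through, so tune `min_entropy` per code base.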
Tom’s Guide considers it a serious breach:
Jake Moore, a security specialist at ESET, told Tom’s Guide: “Losing control of the source code on the internet is like handing the blueprints of a bank to robbers.
“This list will be viewed by cyber criminals far and wide looking for vulnerabilities as well as confidential information in a scarily short space of time.”