In recent developments, cybersecurity experts have identified a significant surge in malicious activities targeting exposed Git configuration files. This trend poses substantial risks, including unauthorized access to codebases and the potential exposure of sensitive credentials.
Unprecedented Surge in Malicious Scanning
Security analysts at GreyNoise Intelligence have reported a dramatic increase in scanning activities aimed at Git configuration files. Between April 20 and 21, 2025, approximately 4,800 unique IP addresses were observed engaging in such activities daily. This represents the most substantial spike since September 2024, with previous peaks involving around 3,000 unique IPs. Notably, 95% of these IPs have been identified as malicious.
Global Distribution of Attack Sources
The scanning activities are globally distributed, with Singapore emerging as the primary source and destination for these attacks, followed by the United States and Germany. The malicious traffic predominantly originates from legitimate cloud infrastructure, including providers such as Cloudflare, Amazon, and DigitalOcean.
Technical Implications and Security Risks
The primary target of these attacks is the `.git/config` file, which contains critical repository information. When exposed, this file can reveal:
– Remote repository URLs (e.g., GitHub, GitLab).
– Branch structures and naming conventions.
– Metadata related to internal development processes.
More alarmingly, if attackers gain access to the entire `.git` directory, they can reconstruct complete codebases, including commit histories that may contain credentials and sensitive business logic. A similar breach in 2024 led to the exposure of 15,000 credentials and the cloning of 10,000 private repositories.
Connection to Known Vulnerabilities
The current wave of attacks appears to be linked to CVE-2021-23263, a vulnerability that has been under scrutiny since its disclosure in December 2021. This suggests that attackers are exploiting systems that remain unpatched despite the availability of fixes for several years.
Recommended Mitigation Strategies
To counteract this escalating threat, security experts recommend the following measures:
– Restrict Public Access: Ensure that `.git/` directories are not accessible via public web servers.
– Configure Web Servers Appropriately: Implement configurations that block access to hidden files and directories.
– Monitor Server Logs: Regularly review logs for repeated requests to `.git/config` and similar paths.
– Credential Management: Rotate any credentials that may have been exposed in version control histories.
The scale and sophistication of these attacks underscore the critical importance of securing source code management systems against increasingly targeted threats.
