Connect with us

Hi, what are you looking for?


Cloud Security

Researchers Discover Dangerous Exposure of Sensitive Kubernetes Secrets

Researchers at Aqua call urgent attention to the public exposure of Kubernetes configuration secrets, warning that hundreds of organizations are vulnerable to this “ticking supply chain attack bomb.”

Researchers at Aqua Security are calling urgent attention to the public exposure of Kubernetes configuration secrets, warning that hundreds of organizations and open-source projects are vulnerable to this “ticking supply chain attack bomb.”

In a research paper, Aqua researchers Yakir Kadkoda and Assaf Morag said they found Kubernetes secrets in public repositories that allow access to sensitive environments in the Software Development Life Cycle (SDLC) and open a severe supply chain attack threat. 

“Among the companies were SAP’s Artifacts management system with over 95 million artifacts, two top blockchain companies, and various other fortune-500 companies.” 

These encoded Kubernetes configuration secrets were uploaded to public repositories,” the researchers warned.

Kubernetes secrets are essential for managing sensitive data within the open-source container orchestration environment. However, these are often stored unencrypted in the API server’s underlying datastore, making them vulnerable to attacks. 

The Aqua research team said it focused on two types of Kubernetes secrets — dockercfg and dockerconfigjson — that store credentials for accessing external registries and used GitHub’s API to identify instances where Kubernetes secrets were inadvertently uploaded to public repositories. 

“We uncovered hundreds of instances in public repositories, which underscored the severity of the issue, affecting private individuals, open-source projects, and large organizations alike,” the team said.

From the research paper:

Advertisement. Scroll to continue reading.

“We conducted a search using GitHub’s API to retrieve all entries containing .dockerconfigjson and .dockercfg. The initial query yielded over 8,000 results, prompting us to refine our search to include only those records that contained user and password values encoded in base64. This refinement led us to 438 records that potentially held valid credentials for registries. 

Out of these, 203 records, approximately 46%, contained valid credentials that provided access to the respective registries. In the majority of cases, these credentials allowed for both pulling and pushing privileges. Moreover, we often discovered private container images within most of these registries. We informed the relevant stakeholders about the exposed secrets and steps they should take to remediate the risk.”

The Aqua team said it found that many practitioners sometimes neglect to remove secrets from the files they commit to public repositories on GitHub, leaving sensitive information exposed. 

“[They are] merely a single base64 decode command away from being revealed as plaintext secrets,” the researchers warned.

In one case, the team said it discovered valid credentials for the Artifacts repository of SAP SE that provided access to more than 95 million artifacts, along with permissions for download and limited deploy operations. 

“The exposure of this Artifacts repository key represented a considerable security risk. The potential threats stemming from such access included the leakage of proprietary code, data breaches, and the risk of supply chain attacks, all of which could compromise the integrity of the organization and the security of its customers,” the company said.

Aqua said it also found secrets to the registries of two top-tier blockchain companies and valid Docker hub credentials  associated with 2,948 unique container images.

Related: ‘Secrets Sprawl’ Haunts Software Supply Chain Security

Related: Kubernetes Vulnerability Leads to Remote Code Execution

Related: PyPI Packages Found to Expose Thousands of Secrets

Related: Attackers Abuse Kubernetes RBAC to Deploy Persistent Backdoor

Written By

Ryan Naraine is Editor-at-Large at SecurityWeek and host of the popular Security Conversations podcast series. He is a security community engagement expert who has built programs at major global brands, including Intel Corp., Bishop Fox and GReAT. Ryan is a founding-director of the Security Tinkerers non-profit, an advisor to early-stage entrepreneurs, and a regular speaker at security conferences around the world.


Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Gain valuable insights from industry professionals who will help guide you through the intricacies of industrial cybersecurity.


Join us for an in depth exploration of the critical nature of software and vendor supply chain security issues with a focus on understanding how attacks against identity infrastructure come with major cascading effects.


Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...


Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.

CISO Conversations

SecurityWeek talks to Billy Spears, CISO at Teradata (a multi-cloud analytics provider), and Lea Kissner, CISO at cloud security firm Lacework.

Data Breaches

LastPass DevOp engineer's home computer hacked and implanted with keylogging malware as part of a sustained cyberattack that exfiltrated corporate data from the cloud...

Cloud Security

Cloud security researcher warns that stolen Microsoft signing key was more powerful and not limited to and Exchange Online.

CISO Strategy

Okta is blaming the recent hack of its support system on an employee who logged into a personal Google account on a company-managed laptop.