In total, more than 150 types of leaks of confidential information were highlighted, including ordinary passwords, cryptographic keys, access to cloud services, continuous integration and APIs.
768 of the accounted data turned out to be valid at the time of the study. As an example of popular leaks that maintain relevance, access keys to Azure Active Directory, accounting data to SSH, Mongodb, MySQL and POSTGResQL, Github Oauth App, Dropbox and Auth0, entry parameters and Twilio.
From the most very gaining popularity of leaks, tokens are mentioned for access to Telegram bots, the number of which doubled in early 2021 and then again in the spring of 2023.
The constant increase in leaks of access to Google API has been recorded since 2020, and the accounting data for the DBMS since 2022. From packages leading in the number of leaks mentioned Chatllm packages and
Safire, in which 209 keys to Openai and 320 keys to Google Cloud were forgotten.
Among the files that are identified the largest number of leaks, in addition to files with the extension of “.py”, files with the extension .json (610), .MD (270), PKG-Info (240), Metadata (210), .txt (170), as well as Readme (209) files and catalog files with the name Test (675). Many leaks are also associated with oversight and errors with setting up the exclusion of files when forming packages. For example, files with local configuration files (. CookieCutterrc, .env, .pypirc, etc.) can be excluded from the GIT-referential through the. Gitignore file, but are not taken into account when creating a package. In particular, 43 .pypirc files containing accounting data for access to Pypi were found in the repository. In 15 cases of leaks, the developers did not plan to publicly place packages for internal use and published them in the PYPI by mistake.
You can additionally mention two more events associated with PYPI: