Experts warn of ‘ticking bomb’ for supply chain attack

Experts from Aqua Security are calling for urgent attention to the public disclosure of Kubernetes configuration secrets.

According to recent research, experts are warning that hundreds of source code projects and organizations are vulnerable to “ticking supply chain bomb.”

Aqua analysts Yakir Kadkoda and Assaf Morag claim they found Kubernetes secrets in public repositories. They allow access to sensitive software development life cycle (SDLC) environments and pose a serious threat of supply chain attack.

Those affected include two leading blockchain firms and various other Fortune 500 companies that used the GitHub API to obtain all entries containing .dockerconfigjson and .dockercfg, which store credentials to access the container image registry.

Of the 438 records are at risk of containing valid registry credentials, 203 records (around 46%) contained valid registry credentials.

Of these, 93 passwords were manually set by individuals, as opposed to 345 computer-generated passwords. Moreover, almost 50% of the 93 passwords were considered weak. These included password, test123456, windows12, ChangeMe, and dockerhub.

According to the latest data from DefiLlama, cybercriminals stole $1 billion in 75 attacks in 2023. This is significantly less than in 2022, when hackers lost $3.2 billion in 60 incidents. Now attackers are committing small but frequent hacks. In just 11 of the 75 incidents recorded this year, cybercriminals stole more than $10 million, indicating that cybercriminals are committing smaller, more frequent thefts.