Truffle Security

Claude (and other models) are hacking systems WITHOUT YOU ASKING. That’s what we found across dozens of experiments. When faced with innocent tasks that can only be accomplished via hacking, they often choose to hack. We found this alarming. What does this mean for the future of AI safety? 🚨🚨🚨 🔗trufflesecurity.com/blog/claude-tr…

Previously harmless Google API keys now expose Gemini AI data - @billtoulas bleepingcomputer.com/news/security/… bleepingcomputer.com/news/security/…

Google API keys didn't use to be considered "secret," so they're all over the web-- but now they are an open door to Gemini 🫠 Quick rundown video of Truffle Security's really nifty research, almost 3,000 websites exposed.. including Google themselves😅 🔗 youtu.be/XNMHUifKce8

shout out to the cool cats @trufflesec @InsecureNature @JoeLeonJr trufflesecurity.com/blog/google-ap…

🚨 Google told devs: API keys aren't secrets. Gemini changed that. 😱 We found ~3,000 public keys silently authenticating to Gemini - exposing private files, cached data & charging for LLM usage 💥Even Google's own keys were vulnerable. 🔗 trufflesecurity.com/blog/google-ap…

📢 Sponsor @trufflesec Long-lived AWS access keys are still a major cloud risk. 🚨@JoeLeonJr and cloud security expert Eduard Agavriloae break down #AWS key leaks - how attackers find them and what to do after exposure 🔐 🔗 trufflesecurity.com/webinars/where…

🚨New TruffleHog Detector Alert! 🐷TruffleHog now detects & verifies live JWTs signed with asymmetric public keys 🔒We found hundreds of live secrets for TruffleHog Enterprise customers within hours! 🔗 trufflesecurity.com/blog/truffleho…

4 years ago @InsecureNature called it: API worms were inevitable 🐛 💥Shai-Hulud is real-world proof they spread via leaked keys across SaaS & the damage is real ⚠️ This is only the beginning 🐷How they propagate + what to do next: trufflesecurity.com/blog/the-rise-…

🌟Part 2 from Security researcher Luke Marshall is live - the final in his series on Git platform secret exposure. Scanned ~5.6M public GitLab repos with TruffleHog 🐷 🔒 17K+ verified live secrets 💸 $9K+ in bounties 🔗trufflesecurity.com/blog/scanning-…

Security researcher Luke Marshall scanned every public Bitbucket repo (2.6M+) using TruffleHog 🐷 🔍Found 6,212 verified live secrets 💰 Made $10K+ in bug bounties Even uncovered an active #AWS key from 2013 😳 🔗trufflesecurity.com/blog/scanning-…

@addydaddymc @Omkumar_13 @Bugcrowd 👀 We'll see what we can do to get it down to milliseconds.

@Omkumar_13 @Bugcrowd Nothing crazy bro trufflehog can find it in seconds 😜

The worst feeling… my frustration is at its peak. Yesterday I reported 2 bugs and today both got marked duplicate — one by 45 sec, the other by 58 sec. And the best part? I reported both within 5 minutes of the program launching on @Bugcrowd. The level of competition is insane.

Might we have a word.

@cglendenning123 @ThePrimeagen Everything is Hog.

@ThePrimeagen This is optimized for ambiguity. Don't they know this exists? trufflesecurity.com/trufflehog

what is happening

Congrats to @trufflesec on raising $25M in #SeriesB #funding! 🎊With this round, Truffle will expand its detection, verification, and remediation solution and innovation in non-human identity (NHI) protection. Read more in @NickWashburn80 and Sunil Kurkure’s blog post: bit.ly/496daG2

🚀BIG NEWS! Truffle Security raised a $25M Series B led by @intelcapital & @a16z to accelerate making secrets easier to manage 🐷 Starting today - TruffleHog GCP Analyze maps leaked GCP secrets, their permissions & reach to remediate with confidence 🔗 trufflesecurity.com/press/series-b

🔒 We’ve been tackling #NHI since before it was NHI. 📷This post, from the pioneers of open-source secret scanning, breaks down what matters when it comes to secrets. 👉 trufflesecurity.com/blog/we-ve-bee…

⭐️Huge thanks to Adam Reiser of Cisco Talos for helping us harden TruffleHog! 🐷 We’ve updated TruffleHog, improving how untrusted Git repos are handled. 🙌Shoutout to the open-source community for making TruffleHog stronger! 👉trufflesecurity.com/blog/contribut…

⚠️ Supply chain attacks keep stacking up- Salesforce, S1ngularity/NX & more. ⚒️ The same tools attackers use to find secrets are the ones defenders need too. 🐷 That’s why threat intel groups recommend TruffleHog. 🔗 Learn why it shows up in your logs: trufflesecurity.com/blog/truffleho…

🚨Threat actors are targeting Salesforce instances to steal creds hidden in Case objects 🔍 Google Threat Intel advises scanning sensitive data (Cases, Accounts, Users, etc.) with 🐷TruffleHog before attackers do 🔗 trufflesecurity.com/blog/detecting…

🚨 Nx build system hit by a supply-chain attack (8/26). Infected NPM versions stole GitHub tokens, SSH keys, wallets & NPM tokens. ⚠️Later used (8/28–29) to flip private repos public. If you see repos like s1ngularity-repository, revoke tokens ASAP. 🔗stepsecurity.io/blog/supply-ch…