
White hat hacker Sharon Brizinov has shown in practice that GitHub never forgets: even after commits are removed by a force push, the sensitive data they contained can remain on the platform. He scanned so-called dangling commits, fragments of history that no branch or tag points to but that still exist, and found thousands of active secrets, including AWS tokens, Telegram Bot API keys, and MongoDB and Postgres credentials. The most dangerous find was a token granting admin access to all repositories of the large Istio project, a service mesh used by companies such as Google, IBM, and Red Hat. For his research he received $25,000 through bug bounty programs.
Brizinov scanned force push events from 2020 onward with a scanner he vibe-coded using Vercel's v0 AI tool. With it he found:
1,247 MongoDB keys
hundreds of Telegram bot tokens
credentials for Postgres, Infura, OpenWeather, and AWS
a GitHub PAT with admin-level access
More than half of the leaks were in .env files; the rest were in index.js, server.js, application.properties, and similar files. One of the most dangerous was an Istio GitHub personal access token (PAT) that allowed changing CI pipelines, pushing new commits, cutting releases, or even deleting the entire project. This is a classic entry point for mass supply-chain attacks: compromising such a repository affects the thousands of systems that depend on it.
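As an added illustration of how such a scan works (example code written for this page, not Brizinov's tool), the script below takes GH Archive-style PushEvent records, picks out the zero-commit pushes whose `before` SHA no longer heads the branch (using that as the force-push signal is an assumption), builds the URL at which GitHub still serves the overwritten commit as a patch, and runs a few secret regexes over the added lines of the patch. The events, the patch text and the regex set are constructed for the example; a live run would fetch each URL instead of reading from the `patches` dictionary.

```python
import json
import re

# Constructed GH Archive-style PushEvent records (not real events). Only the
# fields the scanner needs are present. The "before" SHA of a zero-commit push
# is the commit the force push overwrote; GitHub still serves it by SHA.
SAMPLE_EVENTS = [
    # a normal push: one commit, nothing dangling
    {"type": "PushEvent", "repo": {"name": "acme/webapp"},
     "payload": {"before": "a" * 40, "head": "b" * 40, "size": 1,
                 "commits": [{"sha": "b" * 40}]}},
    # a force push: zero commits, before != head, so "before" is now dangling
    {"type": "PushEvent", "repo": {"name": "acme/webapp"},
     "payload": {"before": "c" * 40, "head": "d" * 40, "size": 0, "commits": []}},
    # a different event type, ignored
    {"type": "WatchEvent", "repo": {"name": "acme/webapp"}, "payload": {}},
]

# Constructed patch text standing in for what GitHub returns for the dangling
# commit. The values are documentation-style placeholders, not live secrets.
SAMPLE_PATCH = """\
From cccccccccccccccccccccccccccccccccccccccc Mon Sep 17 00:00:00 2001
Subject: [PATCH] add config

diff --git a/.env b/.env
--- /dev/null
+++ b/.env
@@ -0,0 +1,3 @@
+AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
+TELEGRAM_TOKEN=123456789:AAEXAMPLEtokenEXAMPLEtokenEXAMPLEto
+MONGO_URL=mongodb+srv://app:s3cret@cluster0.example.net/prod
diff --git a/server.js b/server.js
--- a/server.js
+++ b/server.js
@@ -1,2 +1,3 @@
 const token = process.env.GITHUB_TOKEN;
-// TODO: move to env
+const fallback = "ghp_0123456789abcdefghijklmnopqrstuvwxyz";
"""

# A small, illustrative pattern set; a real scanner carries hundreds and
# verifies each hit against the issuing service before reporting it.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "telegram_bot_token": re.compile(r"\b\d{8,10}:[A-Za-z0-9_-]{35}\b"),
    "mongodb_uri": re.compile(r"mongodb(?:\+srv)?://[^\s\"']+"),
}


def find_force_pushes(events):
    """Yield (repo, dangling_sha) for PushEvents that look like force pushes.

    Heuristic (assumption): a PushEvent carrying no commits whose before and
    head differ moved the ref without the old tip being part of the new
    history, so the old tip is now unreachable from any branch."""
    for ev in events:
        if ev.get("type") != "PushEvent":
            continue
        p = ev.get("payload", {})
        before, head = p.get("before"), p.get("head")
        size = p.get("size", len(p.get("commits", [])))
        if size == 0 and before and head and before != head:
            yield ev["repo"]["name"], before


def commit_patch_url(repo, sha):
    """GitHub keeps serving an unreachable commit by SHA; .patch gives raw text."""
    return f"https://github.com/{repo}/commit/{sha}.patch"


def scan_patch(patch_text):
    """Return secret hits from the added (+) lines of a unified-diff patch."""
    findings = []
    current_file = None
    for line in patch_text.splitlines():
        if line.startswith("+++ "):
            current_file = line[4:].removeprefix("b/")
            continue
        if not line.startswith("+") or line.startswith("+++"):
            continue
        for kind, pat in SECRET_PATTERNS.items():
            for m in pat.finditer(line[1:]):
                findings.append({"file": current_file, "kind": kind,
                                 "match": m.group(0)})
    return findings


def run(events=SAMPLE_EVENTS, patches=None):
    """Tie the steps together. `patches` maps commit URL -> patch text; a live
    run would fetch each URL (assumption: left out so the example runs offline)."""
    if patches is None:
        patches = {commit_patch_url("acme/webapp", "c" * 40): SAMPLE_PATCH}
    report = []
    for repo, sha in find_force_pushes(events):
        text = patches.get(commit_patch_url(repo, sha))
        if text is None:
            continue
        for hit in scan_patch(text):
            report.append({"repo": repo, "commit": sha, **hit})
    return report


if __name__ == "__main__":
    for r in run():
        print(json.dumps(r))
```

Every hit the script reports is a candidate, not a confirmed leak: the next step in a real pipeline is to test each token against its service (an AWS key with `sts get-caller-identity`, a GitHub PAT against the `/user` endpoint) so that only live credentials are reported.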
Dangling commits are commits that were overwritten by a force push but still exist in Git's internal object store. On GitHub they remain reachable by SHA (github.com/<owner>/<repo>/commit/<sha>), the SHA itself can be recovered from the GH Archive or the Events API, and locally the old tip lingers in the reflog until garbage collection. Although the code appears to be gone, it is still there until GitHub removes it or garbage-collects the object; a force push by itself never deletes anything. In 2024, GitGuardian counted over 23 million hardcoded secrets, and this story only confirms the scale of the problem.
This case reminds every developer that a repository is no place for tokens and keys. Force pushing over the old version of the code hides it; it does not erase it from history, and it is still there. If the secrets are not revoked, they remain active and can be used for attacks. Brizinov collected $25,000 for reporting this; another actor could use the same tokens to break into the infrastructure.