A recent surge in cyber reconnaissance has put thousands of organizations at risk after GreyNoise, a global threat intelligence platform, detected an alarming spike in attempts to access sensitive Git configuration files.
Between April 20 and 21, GreyNoise observed the daily count of unique IPs targeting these files soar past 4,800-a record-breaking figure and a clear sign of intensifying interest from malicious actors.
CVE Spotlight: CVE-2021-23263
While this wave of activity is not tied to a newly discovered zero-day, threat researchers are warning that attackers could exploit known vulnerabilities like CVE-2021-23263 weakness in certain web server configurations that can inadvertently expose .git directories.
.png
)
If exploited, attackers can download the entire Git repository, including its configuration files, commit history, and sensitive credentials.
Malicious IPs and Regional Targeting
The vast majority-95%-of IPs engaged in this behavior in the past 90 days are categorized as malicious, emphasizing the critical threat facing exposed sites.
The activity is globally distributed but has a pronounced concentration in Asia. Singapore notably emerged as both the top source and destination for these scanning sessions, with the U.S. and Germany also featuring prominently.
Top Source Countries (Unique IPs):
- Singapore: 4,933
- U.S.: 3,807
- Germany: 473
- U.K.: 395
- Netherlands: 321
Top Destination Countries (Unique IPs):
- Singapore: 8,265
- U.S.: 5,143
- Germany: 4,138
- U.K.: 3,417
- India: 3,373
Many of these IPs are linked to major cloud infrastructure providers- Cloudflare, Amazon, and DigitalOcean- highlighting attackers’ use of scalable resources to amplify reconnaissance.
GreyNoise notes that this is the fourth and largest spike in Git configuration file crawling since September 2024, far surpassing previous surges involving about 3,000 unique IPs.
Each spike reveals shifting patterns in regional activity and illustrates the persistence and adaptability of threat actors.
Exposing a Git configuration file (or, worse, the entire .git/ directory) can reveal:
- Remote repository URLs (e.g., GitHub, GitLab)
- Branch structures and naming conventions
- Insider metadata about development processes
- Credentials embedded in commit history
This is no theoretical threat: In 2024, a similar misconfiguration led to the exposure of 15,000 credentials and the cloning of 10,000 private repositories.
To prevent such breaches:
- Ensure .git/ directories are not web-accessible.
- Block access to hidden files/folders in web server configs.
- Monitor server logs for repeated requests to .git/config.
- Immediately rotate any exposed credentials.
Blocking malicious IPs and closing these gaps should be a top priority for any organization relying on Git for source code management.
Find this News Interesting! Follow us on Google News, LinkedIn, & X to Get Instant Updates!
