Hi — I'm an independent security researcher (Lictor, https://lictor-ai.com).
While scanning public GitHub repositories, I found what looks like a live credential/secret committed to this repository. I'm intentionally NOT posting the file path or the value here, so I don't point anyone else at it.
Please:
- Rotate any API keys / tokens / secrets used in this project, and
- Remove them from the code and from git history (a secret stays in history even after you delete it from the latest commit — e.g.
git filter-repo or BFG).
I did not use, validate, or store the credential — only its location and a short redacted fingerprint, which I'm happy to share privately so you can find the exact one. Is there an email or security contact I can use?
Good-faith, detect-only. Thanks!
— Refael Jana (Raffa), Lictor (https://lictor-ai.com)
Hi — I'm an independent security researcher (Lictor, https://lictor-ai.com).
While scanning public GitHub repositories, I found what looks like a live credential/secret committed to this repository. I'm intentionally NOT posting the file path or the value here, so I don't point anyone else at it.
Please:
git filter-repoor BFG).I did not use, validate, or store the credential — only its location and a short redacted fingerprint, which I'm happy to share privately so you can find the exact one. Is there an email or security contact I can use?
Good-faith, detect-only. Thanks!
— Refael Jana (Raffa), Lictor (https://lictor-ai.com)