Nearly 200GB of source code from Samsung and the source code for Nvidia's latest DLSS technology have been published online by the Lapsus$ hacking group.

Internal source code has been leaked online by adversaries with alarming regularity in recent years. Only a few months have gone by since Twitch’s source code was leaked online, a leak which not only exposed the income of the top streamers but, as GitGuardian showed, also contained over 6,000 secret keys that attackers potentially could have used in further attacks.

GitGuardian scanned the leaked Samsung source code for sensitive information such as secrets and found 6,695 of them. The scan used over 350 individual detectors, each looking for the characteristics of one specific type of secret, which gives reliably high-accuracy results. In this case, we excluded results from generic high entropy detectors and generic password detectors, as these can typically include false positives and therefore give inflated results. With that in mind, the true number of secrets could be much higher.
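To illustrate the distinction drawn above between type-specific detectors and generic high-entropy detectors, here is an added example (not GitGuardian's detection code): a simplified Python scanner with three illustrative patterns and a Shannon-entropy check, run over a constructed sample. The patterns, the 3.5-bit threshold and the sample lines are assumptions chosen for the illustration.

```python
import math
import re
from collections import Counter

# Specific detectors: each matches the known shape of one credential type.
# Simplified illustrative patterns, not GitGuardian's detectors.
SPECIFIC = {
    "private key rsa": re.compile(r"-----BEGIN RSA PRIVATE KEY-----"),
    "aws iam": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "slack webhook url": re.compile(
        r"https://hooks\.slack\.com/services/T[0-9A-Z]+/B[0-9A-Z]+/[0-9A-Za-z]+"),
}
# Generic detector: any long base64/hex-looking run is a candidate.
TOKEN = re.compile(r"[A-Za-z0-9+/=_\-]{20,}")


def shannon_entropy(s):
    """Bits per character of the string's own character distribution."""
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())


def scan_specific(lines):
    """Return (line number, detector name) for every typed match."""
    return [(n, name) for n, line in enumerate(lines, 1)
            for name, rx in SPECIFIC.items() if rx.search(line)]


def scan_entropy(lines, threshold=3.5):
    """Return (line number, token) for every candidate above the threshold."""
    return [(n, tok) for n, line in enumerate(lines, 1)
            for tok in TOKEN.findall(line) if shannon_entropy(tok) >= threshold]


# Constructed sample: two planted credentials using documentation placeholder
# values (so line 2 is low-entropy by construction) and two high-entropy
# strings that are not secrets (a commit hash and a checksum).
SAMPLE = [
    'aws_access_key_id = "AKIAIOSFODNN7EXAMPLE"',
    'hook = "https://hooks.slack.com/services/T00000000/B00000000/XXXXXXXXXXXXXXXXXXXXXXXX"',
    "pinned_commit = 9f86d081884c7d659a2feae0c55ad015a3bf4f1b",
    'sha256 = "2c26b46b68ffc68ff99b453c1d30413413422d706483bfa0f98a5e886266e7ae"',
    "timeout_seconds = 30",
]

if __name__ == "__main__":
    print("specific:", scan_specific(SAMPLE))
    print("entropy: ", [(n, t[:12] + "...") for n, t in scan_entropy(SAMPLE)])
```

The specific detectors return two typed findings, both planted credentials. The entropy check returns three untyped findings, two of which (the commit hash and the checksum) are not secrets, which is the inflation the paragraph above refers to.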


| Token Name | # Found | Token Name | # Found |
|---|---|---|---|
| private key rsa | 2408 | artifactory token | 26 |
| private key elliptic | 1062 | sonarqube token | 14 |
| private key encrypted | 744 | company email password | 12 |
| private key generic | 532 | line messaging oauth2 | 10 |
| base64 basic auth | 495 | slack webhook url | 9 |
| bearer token | 378 | salesforce oauth2 | 8 |
| username password | 231 | googleaiza | 6 |
| base64 private key generic | 174 | github oauth app keys | 3 |
| google oauth2 | 115 | ldap credentials assignment | 2 |
| googlecloud | 81 | kubernetes jwt | 2 |
| aws iam | 80 | splunk token | 2 |
| generic database assignment | 76 | mysql assignment attached port | 1 |
| github enterprise token | 62 | dropbox app credentials | 1 |
| google recaptcha | 57 | ibm platform api key | 1 |
| secret key in django config | 53 | mariadb assignment attached port | 1 |
| authentication tuple | 52 | postgres assignment attached port | 1 |
| basic auth string | 35 | wechat keys | 1 |
| private key dsa | 32 | username and password in ftp | 1 |
| fcm api key | 27 | Grand Total | 6695 |



Disclaimer: GitGuardian would usually validate keys found in a repository to remove false positives. Because of the investigations that will undoubtedly be ongoing, GitGuardian decided not to validate any keys so as not to mislead the forensics teams. This means we cannot give the percentage of keys that were valid at the time of the leak.

As you can see from the snapshot of the results, the top 8 results account for 90% of the findings. Whilst these are still very sensitive, they can be more challenging for an attacker to use, as they likely refer to internal systems. That leaves just over 600 authentication tokens which grant access to a huge range of different services and systems and which an attacker could potentially use to move laterally into more systems.

“Of the more than 6,600 keys found in Samsung source code, roughly 90% are for Samsung's internal services and infrastructure, whilst the other 10%, critically, could grant access to Samsung's external services or tools such as AWS, GitHub, Artifactory and Google.” - Mackenzie Jackson, Developer Advocate, GitGuardian

This is very much in line with what you would expect from a company of this size, and is actually better than the average number of secrets we generally find when a comparable organization does an initial scan. A recent report from GitGuardian showed that in an organization with an average of 400 developers, over 1,000 secrets are found within internal source code repositories (source: State of Secrets Sprawl 2022). If such secrets are leaked, it could affect Samsung's ability to securely update phones, grant adversaries access to sensitive customer information or allow them to access Samsung's internal infrastructure, with the potential of launching further attacks.

“These attacks are publicizing a problem many in the security industry have been sounding the alarm about: internal source code contains an increased amount of sensitive data yet remains a very leaky asset. Source code is widely accessible by developers throughout the company, backed up onto different servers, stored on developers' local machines and even shared through internal documentation or messaging services. This makes it a very attractive target for adversaries, which is why we are seeing persistence in the frequency with which these attacks are occurring.” - Mackenzie Jackson, Developer Advocate

On the Lapsus$ Telegram channel, we can get a hint of how the hacking group is actually gaining access to these repositories: it is sending out what is essentially a call to action to employees of large organizations to grant them access.

Lapsus telegram account showing call for employees

Unfortunately, I do not believe we are at the end of seeing attacks like this. The group is now sharing polls, again through their Telegram channel, asking followers what source code they should leak next, indicating many more leaks of internal source code are likely to come in the future.


Read more on why source code in internal repositories is such a problem in GitGuardian’s State of Secrets Sprawl Report