Nearly 200GB of source code from Samsung and the source code for Nvidia's latest DLSS technology have been published online by the Lapsus$ hacking group.

Internal source code has been leaked online by adversaries with alarming regularity in recent years. Only a few months have gone by since Twitch’s source code was leaked online. That leak not only exposed the income of the top streamers but, as GitGuardian showed, also contained over 6,000 secret keys that attackers potentially could have used in further attacks.

GitGuardian scanned the leaked Samsung source code for sensitive information such as secrets and found 6,695 secrets. The scan used over 350 individual detectors, each looking for the specific characteristics of one type of secret, which gives reliably high-accuracy results. In this case, we excluded results from generic high-entropy detectors and generic password detectors, as these can typically include false positives and therefore give inflated results. With that in mind, the true number of secrets could be much higher.
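The difference between a specific detector and a generic high-entropy detector can be seen in a small scanner. This is an added example, not GitGuardian's detectors or code: the detector names are taken from the table below, while the regexes, the 4.0 bits-per-character threshold and the sample text are assumptions constructed for illustration.

```python
import math
import re
from collections import Counter

# Specific detectors: each matches the fixed structure of one secret type.
# Names follow the page's table; the regexes are this example's assumptions.
SPECIFIC = {
    "private key rsa": re.compile(r"-----BEGIN RSA PRIVATE KEY-----"),
    "aws iam": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "slack webhook url": re.compile(
        r"https://hooks\.slack\.com/services/T[A-Z0-9]+/B[A-Z0-9]+/[A-Za-z0-9]+"),
}
# Generic detector: any long token whose character entropy is high.
CANDIDATE = re.compile(r"[A-Za-z0-9+=_-]{20,}")
ENTROPY_THRESHOLD = 4.0  # bits per character (assumed cut-off)

def shannon_entropy(s):
    """Shannon entropy of the string, in bits per character."""
    counts = Counter(s)
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())

def scan(text):
    """Return (specific hits, line numbers flagged only by the entropy rule)."""
    specific, generic = [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        hits = [name for name, rx in SPECIFIC.items() if rx.search(line)]
        specific += [(lineno, name) for name in hits]
        if not hits and any(shannon_entropy(t) > ENTROPY_THRESHOLD
                            for t in CANDIDATE.findall(line)):
            generic.append(lineno)
    return specific, generic

# Constructed sample: documentation placeholders and a harmless checksum.
SAMPLE = """\
-----BEGIN RSA PRIVATE KEY-----
(constructed placeholder, no key material)
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
hook = https://hooks.slack.com/services/T00000000/B00000000/XXXXXXXXXXXXXXXXXXXXXXXX
timeout_seconds = 30
asset_checksum = "Zx9Kq2Lm7Pv4Rt8Wy1Bn6Cd3Fg5Hj0Ls"
"""

if __name__ == "__main__":
    specific, generic = scan(SAMPLE)
    print("specific detectors:", specific)
    print("entropy-only lines (need manual review):", generic)
```

The checksum line is flagged only by the entropy rule, which is the kind of result that inflates a count, while the placeholder access key ID scores below the entropy threshold and is caught only because its detector knows the format.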

| Token Name | # Found |
| --- | --- |
| private key rsa | |
| artifactory token | |
| private key elliptic | |
| sonarqube token | |
| private key encrypted | |
| company email password | |
| private key generic | |
| line messaging oauth2 | |
| base64 basic auth | |
| slack webhook url | |
| bearer token | |
| salesforce oauth2 | |
| username password | |
| base64 private key generic | |
| github oauth app keys | |
| google oauth2 | |
| ldap credentials assignment | |
| kubernetes jwt | |
| aws iam | |
| splunk token | |
| generic database assignment | |
| mysql assignment attached port | |
| github enterprise token | |
| dropbox app credentials | |
| google recaptcha | |
| ibm platform api key | |
| secret key in django config | |
| mariadb assignment attached port | |
| authentication tuple | |
| postgres assignment attached port | |
| basic auth string | |
| wechat keys | |
| private key dsa | |
| username and password in ftp | |
| fcm api key | |
| Grand Total | |


Disclaimers. Usually, GitGuardian would validate keys found in a repository to remove false positives. Because of the investigations that will undoubtedly be ongoing, GitGuardian decided not to validate any keys so as not to mislead the forensics teams. This means we cannot give a percentage of the keys which were valid at the time of the leak.

As you can see from the snapshot of the results, the 8 top results account for 90% of the findings. Whilst these are still very sensitive, they can be more challenging for an attacker to use, as they likely refer to internal systems. That leaves just over 600 authentication tokens which grant access to a huge range of different services and systems that an attacker could potentially use to move laterally into more systems.

“Of the more than 6,600 keys found in Samsung source code roughly 90% are for Samsung's internal services and infrastructure, whilst the other 10%, critically, could grant access to Samsung's external services or tools such as AWS, GitHub, Artifactory and Google.” - Mackenzie Jackson, Developer Advocate, GitGuardian

This is very much in line with what you would expect from a company of this size, and is actually better than the average number of secrets we generally find when a comparable organization does an initial scan. A recent report from GitGuardian showed that in an organization with an average of 400 developers, over 1,000 secrets are found within internal source code repositories (Source: State of Secrets Sprawl 2022). If such secrets are leaked, it could affect Samsung's ability to securely update phones, grant adversaries access to sensitive customer information or allow them to access Samsung's internal infrastructure with the potential of launching further attacks.

“These attacks are publicizing a problem many in the security industry have been sounding the alarm for: internal source code contains an increased amount of sensitive data yet remains a very leaky asset. Source code is widely accessible by developers throughout the company, backed up onto different servers, stored on developers' local machines and even shared through internal documentation or messaging services. This makes it a very attractive target for adversaries, which is why we are seeing persistence in the frequency of these attacks.” - Mackenzie Jackson, Developer Advocate

On the Lapsus$ Telegram channel, we can get a hint at how the hacking group is actually gaining access to these repositories: it is sending out what is essentially a call to action for employees of large organizations to grant them access.

Lapsus telegram account showing call for employees

Unfortunately, I do not believe we are at the end of seeing attacks like this. The group is now sharing polls, again through their Telegram channel, asking followers what source code they should leak next, indicating many more leaks of internal source code are likely to come in the future.

Read more on why source code in internal repositories is such a problem in GitGuardian’s State of Secrets Sprawl Report.