2025-09-26 –, Off-Main Track
Despite the widespread availability of secret scanning tools, thousands of sensitive credentials continue to be exposed in popular open source ecosystems. This security blind spot sparked my curiosity and led me to hunt for secrets both in commonly understood risk areas and in new attack surface, with some surprising results.
By looking into ecosystems that are hard to navigate, I have helped secure over 40 organisations, including Microsoft, Adobe, Anthropic, MongoDB, Electronic Arts and more.
This talk will cover my process for investigating these ecosystems, the results found, why this attack surface remains a risk for organisations, and how you can find and remediate these exposures yourself.
Luke is a Junior Security Engineer at Bugcrowd with a particular interest in supply chain vulnerabilities and security risks that impact systems and developers.
As a security researcher he has reported vulnerabilities to over 40 organisations, including Microsoft, Adobe, Anthropic, Electronic Arts and more!