Categories: Cyber Security News

Spike in Git Config Crawling: 4,800+ IPs Targeting Exposed Repositories

A surge in internet-wide scanning for exposed Git configuration files has raised alarms among cybersecurity professionals, as data from GreyNoise reveals a dramatic spike in such activity on April 20-21, 2025.

The reconnaissance, while not inherently malicious, poses significant risks: when successful, it can expose internal codebases, developer workflows, and even sensitive credentials, leaving organizations vulnerable to further exploitation.

GreyNoise, which tracks scanning activity through its Git Config Crawler tag, recorded nearly 4,800 unique IP addresses daily during the April spike-substantially higher than the usual baseline.

The majority of these IPs have been classified as malicious, with 95% of all observed IPs in the past 90 days exhibiting hostile intent.

Notably, Singapore emerged as both the top source and destination for this traffic, followed by the United States and Germany.

The IPs involved are associated with major cloud infrastructure providers, including Cloudflare, Amazon, and DigitalOcean.

The recent spike is the fourth significant surge since September 2024, but by far the largest.

Previous spikes involved around 3,000 unique IPs each, underscoring an escalating trend in attempts to locate and exploit exposed Git configuration files.

Table of Contents

Toggle

Geographic Distribution of Git Config Crawling

Country	Unique Source IPs	Unique Destination IPs
Singapore	4,933	8,265
United States	3,807	5,143
Germany	473	4,138
United Kingdom	395	3,417
Netherlands	321	–
India	–	3,373

Why This Matters

Exposed Git configuration files can provide attackers with:

Remote repository URLs (e.g., GitHub, GitLab)
Branch structures and naming conventions
Metadata revealing internal development processes

If the entire .git directory is accessible, attackers may reconstruct the full codebase, including commit histories that could contain confidential information, credentials, or sensitive business logic.

In 2024, a similar breach led to the exposure of 15,000 credentials and the cloning of 10,000 private repositories.

Recommendations

To mitigate these risks, organizations should:

Ensure .git/ Directories are not accessible via public web servers
Block access to hidden files and folders in web server configurations
Monitor logs for repeated requests to .git/config and similar paths
Rotate any credentials exposed in the version control history

GreyNoise continues to monitor this evolving threat landscape.

For ongoing updates, readers are encouraged to subscribe to their blog.

Find this Story Interesting! Follow us on LinkedIn and X to Get More Instant updates

The post Spike in Git Config Crawling: 4,800+ IPs Targeting Exposed Repositories appeared first on Cyber Security News.

Hackers Actively Scan Microsoft Remote Desktop Web Access from 1,000+ IPs

August 26, 2025

In "Cyber Security News"

1000+ Unique IPs Attacking Ivanti Connect Secure Systems to Exploit Vulnerabilities

A significant increase in suspicious scanning activity targeting Ivanti Connect Secure (ICS) and Ivanti Pulse Secure (IPS) VPN systems, signaling a potential coordinated reconnaissance effort by threat actors. The spike, registering more than 230 unique IP addresses probing ICS/IPS endpoints in a single day, represents a ninefold increase over the…

April 24, 2025

In "Cyber Security News"

Cloud Devices Under Attack: 251 Malicious IPs Exploit 75 Exposure Points

Highly coordinated cyberattack campaign involving 251 malicious IP addresses has been discovered targeting cloud-based infrastructure through 75 distinct vulnerability exploitation methods. The sophisticated operation, observed by GreyNoise on May 8, demonstrates the evolving tactics of threat actors who leverage temporary cloud infrastructure to conduct broad-spectrum reconnaissance and exploitation attempts against…

May 29, 2025

In "Cyber Security News"

rssfeeds-admin