An exposed .git folder let us dox a phishing campaign

18•spirovskib•2h ago
This past Friday afternoon, a member in our Discord server reported a phishing email pointing to a fake login page.

We took it up to research, and because of clumsy decisions by the attacker we got their GitHub and their operational Telegram bot.

Screenshots: https://imgur.com/a/FTy4mrH

Sometimes the attacker incompetence can be a defender's best weapon ¯\_(ツ)_/¯

The phishing page was a standard clone of an "email", unbranded and generic service. A bit of gobuster reconnaissance and we found the site's .git directory publicly accessible and listing its contents.

Inspecting the requests also got us the first Telegram bot token. This is the digital equivalent of leaving the blueprints to your entire operation, including past versions and deleted files, lying on the front lawn.

We pulled the repository, found automated deployments and multiple fake pages with different hardcoded Telegram bot tokens and Chat IDs.

With the source code, repo and the active Telegram bot token, we filed detailed abuse reports:

- GitHub: We reported the repository containing the phishing kit's source code. It was taken down for violating TOS.

- Telegram: We reported the bot using the provided token and chat ID, leading to its removal.

- Hosting Provider: The malicious site was reported and taken offline.

Lesson learned? Never deploy a .git folder to production. Even if you are a criminal.

Acknowledgement: This was a collaborative effort by members of the BeyondMachines Discord community. The crowdsourced speed and collaboration helped us take this down very fast.
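The two defensive takeaways of the post (a .git directory that answers over HTTP, and bot tokens hard-coded in the kit's files) as an added example that is not part of the original post or the BeyondMachines community's work: a small Python self-check that classifies the response to /.git/HEAD on a site you operate, plus a scanner for the Telegram bot-token shape across a checked-out tree, .git/ included. The token regex, the `git-exposure-self-check` user agent and the constructed sample files are assumptions.

```python
import re
import urllib.request
from pathlib import Path
from urllib.error import URLError

# A real git HEAD file is a symbolic ref ("ref: refs/heads/main") or a bare commit id.
_GIT_HEAD = re.compile(r"^(ref: refs/\S+|[0-9a-f]{40})$")
# Token shape assumed for this example: numeric bot id, colon, 35 URL-safe characters.
_TG_TOKEN = re.compile(r"(?<!\d)\d{8,10}:[A-Za-z0-9_-]{35}(?![A-Za-z0-9_-])")

def looks_like_git_head(status: int, body: str) -> bool:
    """Classify an HTTP response to /.git/HEAD: True means the repository is exposed."""
    return status == 200 and _GIT_HEAD.match(body.strip()) is not None

def check_site_git_exposure(base_url: str, timeout: float = 5.0) -> bool:
    """Fetch <base_url>/.git/HEAD from a site you operate and report whether it is exposed."""
    url = base_url.rstrip("/") + "/.git/HEAD"
    req = urllib.request.Request(url, headers={"User-Agent": "git-exposure-self-check"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return looks_like_git_head(resp.status, resp.read(4096).decode("utf-8", "replace"))
    except URLError:  # HTTPError (403/404) is a subclass: a blocked path counts as not exposed
        return False

def find_telegram_tokens(text: str) -> list[str]:
    """Return every substring of text with the bot-token shape (e.g. after '/bot' in an API URL)."""
    return _TG_TOKEN.findall(text)

def scan_sources(sources: dict[str, str]) -> dict[str, list[str]]:
    """Map path -> tokens found, keeping only files that contain at least one."""
    return {path: hits for path, text in sources.items() if (hits := find_telegram_tokens(text))}

def scan_tree(root: str) -> dict[str, list[str]]:
    """Read every file under root (the .git/ directory included) and scan it."""
    files = {str(p.relative_to(root)): p.read_text(errors="replace")
             for p in Path(root).rglob("*") if p.is_file()}
    return scan_sources(files)

if __name__ == "__main__":
    # Constructed stand-in for a kit's files; the token value is a made-up placeholder.
    fake_token = "123456789:" + "AAEXAMPLE" + "x" * 26
    kit = {"send.php": f'$url = "https://api.telegram.org/bot{fake_token}/sendMessage";',
           "login.html": "<form method=post action=send.php>",
           ".git/config": '[remote "origin"]\n\turl = git@github.com:example/kit.git\n'}
    print(scan_sources(kit))  # only send.php is reported
```

Run `scan_tree` over a clone of your own deployment before it ships, and wire `check_site_git_exposure` into a post-deploy smoke test so a leaked .git directory fails the pipeline rather than waiting for someone with gobuster to find it.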

Comments

poly2it•1h ago
Could've traced the attacker for a bit before burning all bridges.
ekjhgkejhgk•54m ago
Sounds like they got off easy.
spirovskib•25m ago
They probably did. But it's a volunteer effort; we all contribute as much as each individual's time permits.
ArcHound•41m ago
It is great that they got taken down. From my experience, these sites are usually parasites on misconfigured Wordpresseses.

Were you able to get the phishing data so that you can help the victims? Is it a good idea to try and do so?

Also, can you please share some bits of the phishing kit for easier detection?

Thank you for your efforts!

spirovskib•27m ago
Thanks for the kind words. We discussed whether to pull the data. We didn't for two reasons: 1. It's not trivial to process that data safely, and all the people in the server are volunteers that pitch in as much as they can. It wouldn't be fair to burden them more. 2. The bots were posting to what appeared to be private or moderated channels. We didn't find an easy way in. Maybe there was a way in, but see item 1 above. So we went with "nuke it from orbit".
ArcHound•7m ago
Yeah, that's the problem, processing the data safely. I wouldn't want to do that either without a lawyer covering my back.
CGamesPlay•5m ago
What leads to the secret being stored in git's config file like that? None of my repositories have that, the remote URLs all just say "git@github.com:foo/bar.git".