Git Configuration Files

A notable increase in malicious scanning for exposed Git configuration files has been observed, posing significant risks of codebase theft and credential exposure for organizations around the globe.

Security researchers at GreyNoise Intelligence have documented a record spike in Git configuration crawling activity, with approximately 4,800 unique IP addresses targeting these sensitive files daily from April 20 to 21, 2025.

Unprecedented Scale of Crawling Activity

The latest wave of attacks represents the largest of four distinct spikes observed since September 2024.


Previous surges typically involved around 3,000 unique IPs, making this latest campaign significantly more extensive.

“GreyNoise can confirm that 95% of all IPs engaged in this behavior in the past 90 days are malicious,” notes the security firm in its recent analysis.

The activity is being tracked under the GreyNoise Git Config Crawler tag, which identifies IPs scanning for sensitive Git configuration files.

Although the scanning activity is globally distributed, Singapore has emerged as the primary source and destination for these attacks, followed by the United States and Germany.

The malicious traffic originates from legitimate cloud infrastructure, with many IPs linked to providers including Cloudflare, Amazon, and DigitalOcean.

The geographic distribution shows clear patterns:

Top Source Countries:

  • Singapore (4,933 unique IPs)
  • United States (3,807 unique IPs)
  • Germany (473 unique IPs)

Top Destination Countries:

  • Singapore (8,265 unique IPs)
  • United States (5,143 unique IPs)
  • Germany (4,138 unique IPs)

Technical Impact and Security Risks

The attacks target .git/config files, which contain crucial repository information. When exposed, these files can reveal:

  • Remote repository URLs (GitHub, GitLab).
  • Branch structures and naming conventions.
  • Metadata about internal development processes.
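A defender can audit their own repositories for the most damaging item on that list before anyone else reads it: a remote URL that embeds a username or access token. The following Python is an added example, not code from the article or from GreyNoise. It parses git's INI-like config format (the one found in .git/config), lists the remote URLs it declares, and reports any remote whose URL carries userinfo, with the secret redacted so the finding can be logged. The sample config, repository names and token values are constructed placeholders.

```python
import re
from urllib.parse import urlsplit, urlunsplit

# Constructed sample of a .git/config. The token values and repository
# names are placeholders, not real data.
SAMPLE_GIT_CONFIG = """\
[core]
\trepositoryformatversion = 0
\tfilemode = true
\tbare = false
[remote "origin"]
\turl = https://deploy:ghp_PLACEHOLDERTOKEN@github.com/example-org/app.git
\tfetch = +refs/heads/*:refs/remotes/origin/*
[remote "mirror"]
\turl = git@gitlab.example.com:example-org/app.git
\tfetch = +refs/heads/*:refs/remotes/mirror/*
[remote "legacy"]
\turl = https://ghp_PLACEHOLDER2@github.com/example-org/legacy.git
\tfetch = +refs/heads/*:refs/remotes/legacy/*
[branch "main"]
\tremote = origin
\tmerge = refs/heads/main
"""

# [section] or [section "subsection"], with optional leading whitespace
SECTION_RE = re.compile(r'^\s*\[([A-Za-z0-9-]+)(?:\s+"([^"]*)")?\]\s*$')
# key = value (git indents keys with a tab)
KEY_RE = re.compile(r'^\s*([A-Za-z0-9-]+)\s*=\s*(.*?)\s*$')


def parse_git_config(text):
    """Parse git's config format into {(section, subsection): {key: value}}.
    Section names and keys are case-insensitive in git, so they are lowered;
    subsection names (remote/branch names) are case-sensitive and kept as-is."""
    config = {}
    current = None
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped[0] in "#;":
            continue
        m = SECTION_RE.match(line)
        if m:
            current = (m.group(1).lower(), m.group(2))
            config.setdefault(current, {})
            continue
        m = KEY_RE.match(line)
        if m and current is not None:
            config[current][m.group(1).lower()] = m.group(2)
    return config


def remote_urls(config):
    """Return {remote_name: url} for every [remote "..."] section with a url."""
    return {sub: vals["url"] for (sec, sub), vals in config.items()
            if sec == "remote" and sub is not None and "url" in vals}


def find_embedded_credentials(text):
    """Return [(remote, redacted_url)] for remotes whose URL embeds userinfo.

    A password (or token in the password slot) is redacted as 'user:***@';
    a bare username is redacted as '***@' because a lone token is often
    placed there. scp-style URLs (git@host:path) have no scheme and carry
    no userinfo in the URL sense, so they are not flagged."""
    findings = []
    for name, url in remote_urls(parse_git_config(text)).items():
        parts = urlsplit(url)
        if not parts.scheme or not (parts.username or parts.password):
            continue
        hostport = parts.hostname + (f":{parts.port}" if parts.port else "")
        if parts.password is not None:
            netloc = f"{parts.username}:***@{hostport}"
        else:
            netloc = f"***@{hostport}"
        findings.append((name, urlunsplit(parts._replace(netloc=netloc))))
    return findings


if __name__ == "__main__":
    for remote, redacted in find_embedded_credentials(SAMPLE_GIT_CONFIG):
        print(f"credential embedded in remote '{remote}': {redacted}")
```

Run it against the contents of each repository's .git/config on build hosts and deployment targets; any finding means the token is recoverable by whoever can read the file, and the same rotation step the article recommends applies whether or not the directory was ever exposed.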

More concerning, an attacker who can retrieve the full .git directory, not just the config file, can reconstruct the entire codebase, including a commit history that may contain credentials and sensitive business logic.

A similar breach in 2024 resulted in the exposure of 15,000 credentials and led to 10,000 cloned private repositories.

The current campaign appears related to CVE-2021-23263, a vulnerability that has been tracked by security researchers since its publication in December 2021.

This association suggests attackers may be targeting systems that remain unpatched despite the vulnerability being known for years.

Recommendations

Security experts recommend several immediate steps to mitigate this threat:

  • Ensure .git/ directories are not accessible via public web servers.
  • Implement web server configurations that block access to hidden files and folders.
  • Monitor logs for repeated requests to .git/config and similar paths.
  • Rotate any credentials potentially exposed in the version control history.
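The third recommendation, monitoring for repeated requests to .git/config and similar paths, is the one most teams leave unimplemented. The following Python is an added example, not code from the article, GreyNoise, or any web server project. It parses access-log lines in the combined format that nginx and Apache write, flags every request for a dot-file path (with /.well-known/ excluded, since that prefix is legitimately public), aggregates hits per client IP, and separately reports clients that received a 2xx response for a path under /.git/, which is the signal that the directory was actually served rather than merely probed. The log lines, IP addresses and user agents are constructed placeholders.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, unquote

# Constructed access-log lines in the combined format. Addresses are from
# documentation ranges; user agents and sizes are invented.
SAMPLE_ACCESS_LOG = """\
203.0.113.10 - - [21/Apr/2025:03:14:07 +0000] "GET /.git/config HTTP/1.1" 200 312 "-" "python-requests/2.31"
203.0.113.10 - - [21/Apr/2025:03:14:08 +0000] "GET /.git/HEAD HTTP/1.1" 200 23 "-" "python-requests/2.31"
203.0.113.10 - - [21/Apr/2025:03:14:09 +0000] "GET /.git/index HTTP/1.1" 200 9821 "-" "python-requests/2.31"
198.51.100.7 - - [21/Apr/2025:03:20:11 +0000] "GET /.git/config HTTP/1.1" 403 162 "-" "Mozilla/5.0"
198.51.100.7 - - [21/Apr/2025:03:20:12 +0000] "GET /.env HTTP/1.1" 403 162 "-" "Mozilla/5.0"
192.0.2.55 - - [21/Apr/2025:03:25:40 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.55 - - [21/Apr/2025:03:25:41 +0000] "GET /.well-known/security.txt HTTP/1.1" 200 140 "-" "Mozilla/5.0"
"""

# client IP, identd, user, [timestamp], "METHOD target proto", status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

# Dot-prefixed paths that are meant to be public (RFC 8615 well-known URIs).
ALLOWED_DOT_PREFIXES = ("/.well-known/",)


def is_hidden_path(target):
    """True if any path segment starts with '.', except under /.well-known/.
    The query string is dropped and percent-encoding (e.g. %2Egit) is
    decoded first so trivial evasions still match."""
    path = unquote(urlsplit(target).path)
    if path.startswith(ALLOWED_DOT_PREFIXES):
        return False
    return any(seg.startswith(".") for seg in path.split("/") if seg)


def hidden_requests(lines):
    """Yield (ip, decoded_path, status) for each request to a hidden path."""
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        if is_hidden_path(m.group("target")):
            path = unquote(urlsplit(m.group("target")).path)
            yield m.group("ip"), path, int(m.group("status"))


def detect_git_probes(lines, threshold=1):
    """Aggregate hidden-path requests per client IP.

    Returns {ip: {"hits": n, "served": m, "paths": [...]}} for IPs with at
    least `threshold` hits; `served` counts 2xx responses, i.e. requests
    where the server actually returned the hidden file."""
    stats = defaultdict(lambda: {"hits": 0, "served": 0, "paths": []})
    for ip, path, status in hidden_requests(lines):
        entry = stats[ip]
        entry["hits"] += 1
        entry["paths"].append(path)
        if 200 <= status < 300:
            entry["served"] += 1
    return {ip: e for ip, e in stats.items() if e["hits"] >= threshold}


def exposed_git_clients(lines):
    """Sorted IPs that received a 2xx for a path under /.git/: evidence of
    actual disclosure, which should trigger credential rotation."""
    return sorted({ip for ip, path, status in hidden_requests(lines)
                   if path.startswith("/.git") and 200 <= status < 300})


if __name__ == "__main__":
    lines = SAMPLE_ACCESS_LOG.splitlines()
    for ip, e in detect_git_probes(lines).items():
        print(f"{ip}: {e['hits']} hidden-path requests, {e['served']} served")
    print("clients that obtained .git content:", exposed_git_clients(lines))
```

The two outputs answer different questions. Per-IP hit counts with 403/404 responses confirm the blocking rule works and give the SOC a feed of probing sources; any entry in `exposed_git_clients` means the server handed out repository metadata, and the response should be treated as a disclosure rather than a blocked scan. The blocking itself is a one-line server rule, for example nginx's `location ~ /\.(?!well-known) { deny all; }` or Apache's `RedirectMatch 404 /\.(?!well-known)`, and the detection above is what tells you whether that rule was in place before the scan arrived.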

The scale and sophistication of this campaign underscore the critical importance of securing source code management systems against increasingly targeted attacks.


Kaaviya
Kaaviya is a Security Editor and fellow reporter with Cyber Security News. She covers various cyber security incidents happening in cyberspace.