Truffle Security
@trufflesec
The TruffleHog company. We find credentials, with open source.
http://tiktok.com/@trufflesecurity
http://youtube.com/c/TruffleSecurity
We're so happy to Open Source TruffleHog V3! youtu.be/AM3REzw1LDk

Removing Jeff Bezos from my bed - Do you expect to find an AWS key in your bed? We found one, and we removed it. We’re sleeping great now. 🔗trufflesecurity.com/blog/removing-…

🔐 8,437 #GCP images. 147M files. 0 live secrets. ☁️ GCP’s strict image controls show clear results vs. #AWS & #Azure. 🔗 Full CloudQuarry report: trufflesecurity.com/blog/guest-pos…

Think secrets are gone after a force push? Think again. 🔍We built Force Push Scanner to find secrets in dangling GitHub commits. 🙀Millions are still exposed. 🔗 trufflesecurity.com/blog/how-to-sc…

🔍Accessing 15 million "Permanently deleted" commits at scale across GitHub. 🔗A guest post by Sharon Brizinov: trufflesecurity.com/blog/guest-pos…

I asked @MayaKaczorowski (former Senior Director @github) for her thoughts on GitHub's identity system. Personally I think managing identity in GitHub is clear as mud.

May your secrets be with you! #MayTheFourthBeWithYou #TruffleHog

Tomorrow I'll be speaking at @BSidesSF at 11:15am. The topic? Aligning lightweight AI models to become self-replicating ransomware worms. Join me on the IMAX.

The $64k Bounty: Automating secret extraction from GitHub to win $64K in bounties. Loved the way Sharon glued his @github internals knowledge, existing tools (@trufflesec trufflehog), cloud and AI to automate at scale. medium.com/@sharon.brizin…

On episode 2 of Security Wisdom, @travismcpeak was joined by @InsecureNature of @trufflesec, where they covered crafting compelling security narratives. Get the full episode here: resourcely.io/post/security-…

🐷Want the latest on TruffleHog, security research, news, and events? 🔐 Stay up-to-date with our newsletter. 🔗 Sign up here: trufflesecurity.com/newsletter

🚨 Are LLMs teaching devs to hardcode API keys? 🔑 🔍Our research shows most AI coding assistants recommend insecure practices. Our on-demand webinar highlights the risks, their impact in IDEs like VS Code, & how to stay secure! 📺 Watch now: trufflesecurity.com/webinars/are-l…

🚨 🚨 A quick word on the: ⚫ TruffleHog Chrome Extension ⚫ TruffleHog Burp plugin From @InsecureNature

🔥 You can now add TruffleHog to Burp Suite! 🌐 Install it directly from the BApp Store 🔍Scan web traffic for live, verified credentials—active & exploitable Because secrets don’t just leak in code… 😬 Big Thanks to @PortSwigger! 🙌 🔗trufflesecurity.com/blog/introduci…

We scanned 400TB of DeepSeek’s training data & found: 🚨 ~12K live API keys & passwords 🌐 2.76M affected pages 🔄 One key appeared 57K+ times 🔑 219 secret types (AWS root keys, Slack webhooks, etc.) 🔗 Full research: trufflesecurity.com/blog/research-…

🔍Webinar: Are LLMs teaching devs to hardcode API keys? 🔑 We tested 10 LLMs & most recommend hardcoding credentials, even in tools like VS Code & ChatGPT 📅 Join us on 2/20 to learn more about the risks & how to stay secure: trufflesecurity.com/webinars/are-l…

🐷 Under the Hood of TruffleHog! ⚡ Part 1 of 2: How Aho-Corasick + CPU optimizations deliver 11-17% faster scans with precomputed keyword matching. 🚀 👉 trufflesecurity.com/blog/under-the…

🚨 Today we are announcing a new OAuth bug that affects millions of accounts TLDR: Google’s OAuth login doesn’t protect against someone purchasing a failed startup’s domain and using it to re-create email accounts for former employees 👇 full blog 👇👇 trufflesecurity.com/blog/millions-…
