Truffle Security

@trufflesec

Followers: 4K | Following: 237 | Media: 132 | Statuses: 415

The TruffleHog company. We find credentials, with open source. https://t.co/7CnEqo1inq https://t.co/8vZxthRRXX

Joined January 2019
@trufflesec
Truffle Security
3 years
We're so happy to Open Source TruffleHog V3!
@trufflesec
Truffle Security
16 days
🔐 8,437 #GCP images. 147M files. 0 live secrets. ☁️ GCP’s strict image controls show clear results vs. #AWS & #Azure. 🔗 Full CloudQuarry report:
@trufflesec
Truffle Security
23 days
Think secrets are gone after a force push? Think again. 🔍 We built Force Push Scanner to find secrets in dangling GitHub commits. 🙀 Millions are still exposed. 🔗
@trufflesec
Truffle Security
1 month
🔍 Accessing 15 million "Permanently deleted" commits at scale across GitHub. 🔗 A guest post by Sharon Brizinov:
@trufflesec
Truffle Security
3 months
RT @InsecureNature: I asked @MayaKaczorowski (former Senior Director @github) about her thoughts about GitHub's identity system. Persona…
@trufflesec
Truffle Security
3 months
Full 30 minute talk:
@trufflesec
Truffle Security
3 months
Here's how to make LLMs self replicate. Embedding LLMs into traditional malware worms. Originally presented by @InsecureNature at @BSidesSF. 🧵👇👇👇
@trufflesec
Truffle Security
3 months
May your secrets be with you! #MayTheFourthBeWithYou #TruffleHog
@trufflesec
Truffle Security
3 months
RT @InsecureNature: Tomorrow I'll be speaking at @BSidesSF at 11:15am. The topic? Aligning light weight AI models to become self replicat…
@trufflesec
Truffle Security
3 months
RT @TalBeerySec: The $64k Bounty: Automating secret extraction from GitHub to win $64K in bounties. Loved the way Sharon glued his @github…
medium.com
TL;DR — I built an automation that cloned and scanned tens of thousands of public GitHub repos for leaked secrets. For each repository I…
@trufflesec
Truffle Security
4 months
RT @Resourcely: On episode 2 of Security Wisdom, @travismcpeak was joined by @InsecureNature of @trufflesec, where they covered crafting co…
@trufflesec
Truffle Security
4 months
🐷 Want the latest on TruffleHog, security research, news, and events? 🔐 Stay up-to-date with our newsletter. 🔗 Sign up here:
@trufflesec
Truffle Security
5 months
🚨 Are LLMs teaching devs to hardcode API keys? 🔑 🔍 Our research shows most AI coding assistants recommend insecure practices. Our on-demand webinar highlights the risks, their impact in IDEs like VS Code, & how to stay secure! 📺 Watch now:
@trufflesec
Truffle Security
5 months
🚨 🚨 A quick word the: ⚫ TruffleHog Chrome Extension ⚫ TruffleHog burp plugin. From @InsecureNature
@trufflesec
Truffle Security
5 months
🔥 You can now add TruffleHog to Burp Suite! 🌐 Install it directly from the BApp Store. 🔍 Scan web traffic for live, verified credentials—active & exploitable. Because secrets don’t just leak in code… 😬 Big Thanks to @PortSwigger! 🙌 🔗
@trufflesec
Truffle Security
5 months
We scanned 400TB of DeepSeek’s training data & found: 🚨 ~12K live API keys & passwords. 🌐 2.76M affected pages. 🔄 One key appeared 57K+ times. 🔑 219 secret types (AWS root keys, Slack webhooks, etc.). 🔗 Full research:
@trufflesec
Truffle Security
5 months
Removing Jeff Bezos from my bed - Do you expect to find an AWS key in your bed? We found one, and we removed it. We’re sleeping great now. 🔗
@trufflesec
Truffle Security
6 months
🔍 Webinar: Are LLMs teaching devs to hardcode API keys? 🔑 We tested 10 LLMs & most recommend hardcoding credentials, even in tools like VS Code & ChatGPT. 📅 Join us on 2/20 to learn more about the risks & how to stay secure:
@trufflesec
Truffle Security
6 months
🐷 Under the Hood of TruffleHog! ⚡ Part 1 of 2: How Aho-Corasick + CPU optimizations deliver 11-17% faster scans with precomputed keyword matching. 🚀 👉
@trufflesec
Truffle Security
7 months
🚨 Today we are announcing a new OAuth bug that affects millions of accounts. TLDR: Google’s OAuth login doesn’t protect against someone purchasing a failed startup’s domain and using it to re-create email accounts for former employees. 👇 full blog 👇👇