嗯,用户让我帮忙总结一篇文章,控制在100字以内,而且不需要特定的开头。首先,我需要仔细阅读文章内容,抓住主要信息。 文章标题提到近500万台服务器暴露了Git元数据,研究揭示了代码和凭证泄露的广泛风险。里面提到Mysterium VPN的研究团队发现496万个IP暴露了.git目录,25万多个配置文件泄露了部署凭证。这些配置错误让攻击者可以重建源代码、窃取机密并获得直接访问权限。问题出在部署错误、隐藏文件公开以及服务器默认不阻止这些目录。受影响的地区主要是美国、德国和法国。暴露的元数据可能导致凭证被盗、恶意提交和云访问。 接下来,我需要把这些关键点浓缩到100字以内。要包括服务器数量、暴露的问题、影响以及解决方法。确保语言简洁明了,直接描述内容。 可能的结构是:研究发现近500万台服务器暴露Git元数据,其中25万台泄露部署凭证。这导致源代码和机密被窃取,甚至云访问。问题源于配置错误和隐藏文件公开。建议阻止公开访问、管理密钥等。 现在检查字数是否符合要求,并确保信息准确无误。 </think> 研究发现近500万台服务器暴露Git元数据,其中25万台泄露部署凭证,导致源代码和机密被盗风险增加。问题源于配置错误和隐藏文件公开,默认设置未阻止访问。建议采取措施阻止公开访问、管理密钥并快速响应漏洞。 2026-2-6 09:53:7 Author: securityaffairs.com(查看原文) 阅读量:0 收藏
Nearly 5 Million Web Servers Found Exposing Git Metadata – Study Reveals Widespread Risk of Code and Credential Leaks
Pierluigi Paganini
February 06, 2026
A study found nearly 5 million servers exposing Git metadata, with 250,000 leaking deployment credentials via .git/config files.
A new 2026 study by the Mysterium VPN research team reveals that nearly 5 million public web servers are exposing Git repository metadata — with over 250,000 of them exposing .git/config files containing deployment credentials.
Such misconfigurations let attackers reconstruct source code, steal secrets, and gain direct access. The issue persists due to deployment mistakes, hidden folders going live, and servers not blocking them by default, turning small errors into serious breaches.
Some key takeaways:
• 4.96M IPs were found with publicly accessible .git directories.
• 252,733 .git/config files contained active deployment credentials (~5%).
• The United States, Germany, and France topped the list of affected regions.
• Exposed metadata can lead to credential theft, malicious commits, and cloud access.
This is not just a technical oversight — it’s a widespread, internet-scale vulnerability affecting websites and organizations globally.
The study shows exposed Git servers are concentrated in major hosting hubs, led by the US, followed by Europe and APAC regions. Exposed .git folders enable source code theft, credential abuse, supply-chain attacks, internal mapping, and lateral moves into cloud and third-party services, often escalating a simple misconfiguration into a major breach.
Fixing exposed .git folders means blocking public access, keeping Git data out of production, and rotating any leaked credentials. Even a 5% credential exposure rate equals hundreds of thousands of usable secrets. Teams should prevent this with server rules, secrets management, pre-commit checks, monitoring, and rapid response plans.
“The findings highlight a widespread issue caused by deployment practices, inconsistent server configuration, and misplaced assumptions about safety. While the presence of exposed Git metadata alone is dangerous, the inclusion of credentials dramatically increases risk, enabling repository takeover, supply chain attacks, and access to cloud infrastructure.” concludes the report.
“The research underscores that even small percentages of credential exposure become severe at the internet scale and that attackers can automate discovery with ease.”
You can read the full write-up here:
https://www.mysteriumvpn.com/blog/news/git-metadata-leak
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, Git Metadata)
如有侵权请联系:admin#unsafe.sh