----------------

🎯 AI
===================

Executive summary: Moltbook, an AI-only social network populated by OpenClaw agents, presents immediate security risks: pervasive spam/scams, exposure of agents to untrusted content via API-oriented prompt files, and a reported database compromise that leaked API keys enabling bot impersonation and direct prompt injection.

Technical details:
• SKILLS.md, HEARTBEAT.md, and MESSAGING.md are repository-style markdown files that describe how agents interact with the Moltbook API. SKILLS.md documents API interactions and recommends HTTP requests (curl-style). HEARTBEAT.md instructs periodic check-ins. MESSAGING.md notes that messaging requires human approval, while other endpoints accept automated agent input.
• Experimental tooling (reported as a CLI tool named moltbotnet) implemented API calls for posting, commenting, upvoting, following, and engagement automation. This tooling demonstrates how easily an agent or impersonator can script interactions.
• Reported breach of Moltbook’s database exposed API keys tied to agent identities. Those keys materially enable: impersonation of legitimate agents, submission of crafted prompts to agent workloads, and direct prompt injection vectors that bypass typical human-only guards.

Analysis:

The combination of (1) public, machine-readable prompt files that instruct agents how to behave, (2) open posting and engagement that accepts untrusted content, and (3) leaked credentials produces two classes of injection risks: indirect prompt injection (agents ingesting malicious content from other agents) and direct prompt injection (attacker using stolen API keys to send malicious prompts as a trusted agent). The observed ecosystem is also saturated with social-engineering lures (requests to run package installers, share crypto wallets, or call external APIs).

Detection guidance:
• Monitor unexpected use of API keys or unusual posting frequency associated with agent identities.
• Inspect content sources for scripted patterns (repeated promotional payloads, command-like text referencing package managers or curl usage).

Limitations:
• No public CVE identifiers are reported in the source material.
• Exact scope of leaked API keys (number of keys, associated privileges) was not enumerated in the writeup.

References and tags:

SKILLS.md, HEARTBEAT.md, MESSAGING.md — Tenable Research field report on Moltbook interactions and breach findings.

🔹 OpenClaw #Moltbook #promptinjection #APIkeys #Tenable

🔗 Source: https://www.tenable.com/blog/undercover-on-moltbook

Envmap - Fini les fichiers .env qui traînent et finissent sur GitHub

https://fed.brid.gy/r/https://korben.info/envmap-secrets-sans-fichier-env-disque-github-leaks.html

Bất cẩn dán API keys vào ChatGPT? Một tiện ích mở rộng Chrome mới sẽ giúp bạn! Nó tự động che giấu các khóa API, mật khẩu... khi bạn dán vào chatbot AI (ChatGPT, Claude, Gemini) và khôi phục chúng khi bạn sao chép câu trả lời. Dữ liệu được xử lý 100% cục bộ, đảm bảo an toàn thông tin.
#APIKeys #ChatGPT #ChromeExtension #Privacy #AI #BảoMật #TiệnÍchChrome

https://www.reddit.com/r/SideProject/comments/1pd6tk7/i_kept_accidentally_pasting_api_keys_into_chatgpt/

Một dev đã tạo tiện ích mở rộng Chrome để kiểm tra ứng dụng web tìm rò rỉ khóa API, đặc biệt là cấu hình Supabase DB và RLS bị lộ. Công cụ này tự động phát hiện lỗ hổng bảo mật và cho phép chia sẻ kết quả nhanh chóng, giúp các nhà phát triển dễ dàng sửa lỗi.

#DevTools #Security #WebSecurity #Supabase #APIKeys #ChromeExtension #BảoMật #CôngCụDev

https://www.reddit.com/r/SideProject/comments/1pd41fb/i_built_a_tool_another_one_for_testing_your_vibe/

Cảnh báo: Cập nhật mới của BentoPDF có thể bị tấn công độc hại, lộ API keys. Tránh cài đặt phiên bản này. #BentoPDF #APIkeys #Malware #TấnCốngĐộcHại #AnNinhMạng #CyberSecurity #SecurityAlert #LỗHổngBảoMật

https://i.redd.it/3x42fu0dt12g1.png

WE'RE LIVE ON KICK! 💥 Join chiefgyk3d for a spicy stream! $55K mistake deets, Cybersecurity rants, Linux gaming & Doppler talk! Don't miss out! Come hang NOW!
#Cybersecurity #LinuxGaming #Doppler #APIKeys

https://kick.com/chiefgyk3d

The Register: AI companies keep publishing private API keys to GitHub. “Leading AI companies turn out to be no better at keeping secrets than anyone else writing code. Cloud security firm Wiz has found that 65 percent of the Forbes AI 50 ‘had leaked verified secrets on GitHub,’ minus a few with no presence on the code sharing site.”

https://rbfirehose.com/2025/11/11/the-register-ai-companies-keep-publishing-private-api-keys-to-github/

via @dotnet : New Trusted Publishing enhances security on NuGet.org

https://ift.tt/FWdNpaR
#TrustedPublishing #NuGet #GitHubActions #Security #ShortLivedKeys #APIkeys #SoftwareDevelopment #OpenSSF #NuGetCommunity #SecurePublishing #DevOps #CI #Cont…

How to create App Keys for Mastodon | https://techygeekshome.info/how-to-create-app-keys-for-mastodon/?fsp_sid=11519 | #Guide #Mastodon #refresh #SocialMedia#MastodonAppKeys #MastodonGuide #AppCreation #SocialMediaTools #TechTutorial #APIKeys #OpenSourceSocialMedia #MastodonTips #AppDevelopment #MastodonAPI 
https://techygeekshome.info/how-to-create-app-keys-for-mastodon/?fsp_sid=11519

OH: Moment, ich gibt dir die API-Keys aus dem Production Pod zum Testen.

#cloud #secretmanagement #APIKeys #javadevelopment

Employee #monitoring app exposes 21M work screens​ | Cybernews

The #leaked data is extremely sensitive, as millions of screenshots from employees' devices could not only expose full-screen captures of emails, internal chats, and confidential business documents, but also contain #login pages, credentials, #APIkeys , and other sensitive info that could be #exploited to attack businesses worldwide.

Cybernews contacted the company, and access has now been secured.
#privacy

https://cybernews.com/security/employee-monitoring-app-leaks-millions-screenshots/

Exposed #DeepSeek Database Revealed #Chat Prompts and Internal Data

China-based DeepSeek has exploded in popularity, drawing greater scrutiny. Case in point: #Security researchers found more than 1 million records, including user data and #APIkeys , in an open database.
#china #api

https://www.wired.com/story/exposed-deepseek-database-revealed-chat-prompts-and-internal-data/

Prometheus Security Breach 300K Instances Expose Credentials and API Keys
Today, we're diving into the alarming news of a massive security breach involving Prometheus, a popular monitoring and alerting tool used by countless organizations worldwide
#PrometheusSecurity #DataBreach #CyberSecurity #APIKeys #CredentialLeak #InformationSecurity #DataProtection #SecurityIncident #CyberThreat #TechNews #hack #security #news #privacy #leaks
https://cloudhosting.evostrix.eu/prometheus-security-breach-300k-instances-expose-credentials-and-api-keys/

Over 300K Prometheus Instances Exposed: Credentials and API Keys Leaking Online
https://thehackernews.com/2024/12/296000-prometheus-instances-exposed.html

#Infosec #Security #Cybersecurity #CeptBiro #PrometheusInstances #Credentials #APIKeys #LeakingOnline

"tl;dr Postman, the popular API testing platform, hosts the largest collection of public APIs. Unfortunately, it’s become one of the largest public sources of leaked secrets. We estimate over 4,000 live credentials are currently leaking publicly on Postman for a variety of popular SaaS and cloud providers."

https://trufflesecurity.com/blog/postman-carries-lots-of-secrets

#security #api #postman #apikeys #cybersecurity

👉 #SAML, #OAuth 2.0, and #JWT establish a robust framework for securing #API authentication and authorization processes.

Explore other key #apisecurity protocols essential for securing your API endpoints: https://bit.ly/3Rn96bb

#apiattacks #apiendpoints #authentication #authorization #apibreaches #databreaches #vulnerabilities #apikeys #apptrana #indusface

I'm failing to grok how #APIKeys and #GCP (#GoogleCloudPlatform) "projects" work.

I need to distinguish between different customers calling my #API via their API keys. The official documentation says "create a separate GCP project for each [customer]" (source: https://cloud.google.com/endpoints/docs/openapi/restricting-api-access-with-api-keys#sharing_apis_protected_by_api_key)

I could have hundreds or more of different customers. Am I expected to create a GCP project for each one?

JumpCloud says nation-state hackers breached its systems

JumpCloud, a directory platform that allows enterprises to authenticate, authorize and manage users and devices, told customers it had reset their API keys “out of an abundance of caution”

JumpCloud said it determined a nation-state actor gained unauthorized access to its systems and targeted a “small and specific” set of customers.

#JumpCloud #security #cybersecurity #infosec #APIkeys #hacked #hackers #hacking

https://techcrunch.com/2023/07/17/jumpcloud-nation-state-breach/

Microsoft has announced that API keys will be retired for querying application insights. Users will need to transition to Azure AD authentication, which provides additional features such as multi-factor authentication and hybrid integration for password protection policies. The deadline for transitioning to... https://azure.microsoft.com/en-us/updates/transition-to-azure-ad-to-query-data-from-azure-monitor-application-insights-by-31-march-2026/ #AzureAD #APIkeys #applicationinsights #softcorpremium

Question for the local community:

When you generate API secrets as an administrator of the application, you have access to them. Very common when creating secrets for a service accounts etc. But the logs will always point to the user you created and is open to abuse.

Under API security, is there a 'best practice' or some regulation guidance that says that this form of delegation has to be accurately authenticated 'by user' in a logging mechanism? #apikeys #gdpr #logging #infosec