A surge in internet-wide scanning for exposed Git configuration files has raised alarms among cybersecurity professionals, as data from GreyNoise reveals a dramatic spike in such activity on April 20-21, 2025.
The reconnaissance, while not inherently malicious, poses significant risks: when successful, it can expose internal codebases, developer workflows, and even sensitive credentials, leaving organizations vulnerable to further exploitation.
GreyNoise, which tracks scanning activity through its Git Config Crawler tag, recorded nearly 4,800 unique IP addresses daily during the April spike, substantially higher than the usual baseline.
The majority of these IPs have been classified as malicious, with 95% of all observed IPs in the past 90 days exhibiting hostile intent.
Notably, Singapore emerged as both the top source and destination for this traffic, followed by the United States and Germany.
The IPs involved are associated with major cloud infrastructure providers, including Cloudflare, Amazon, and DigitalOcean.
The recent spike is the fourth significant surge since September 2024, but by far the largest.
Previous spikes involved around 3,000 unique IPs each, underscoring an escalating trend in attempts to locate and exploit exposed Git configuration files.
Geographic Distribution of Git Config Crawling
Country | Unique Source IPs | Unique Destination IPs |
---|---|---|
Singapore | 4,933 | 8,265 |
United States | 3,807 | 5,143 |
Germany | 473 | 4,138 |
United Kingdom | 395 | 3,417 |
Netherlands | 321 | – |
India | – | 3,373 |
Why This Matters
Exposed Git configuration files can provide attackers with:
- Remote repository URLs (e.g., GitHub, GitLab)
- Branch structures and naming conventions
- Metadata revealing internal development processes
If the entire `.git` directory is accessible, attackers may reconstruct the full codebase, including commit histories that could contain confidential information, credentials, or sensitive business logic.
In 2024, a similar breach led to the exposure of 15,000 credentials and the cloning of 10,000 private repositories.
Recommendations
To mitigate these risks, organizations should:
- Ensure `.git/` directories are not accessible via public web servers
- Block access to hidden files and folders in web server configurations
- Monitor logs for repeated requests to `.git/config` and similar paths
- Rotate any credentials exposed in the version control history
GreyNoise continues to monitor this evolving threat landscape.
For ongoing updates, readers are encouraged to subscribe to their blog.