The Anatomy of a GitHub Secret Leak: From Commit to Compromise

How long does it take for a leaked AWS key on GitHub to be exploited? We measured it.

We planted canary AWS credentials in a public GitHub repository and measured time-to-exploitation. Within 47 seconds of the push, automated scanners had discovered the key. Within 4 minutes, the first API calls were made from an IP in Eastern Europe. This post details our honeypot methodology, the attack patterns we observed, and what this means for incident response timelines.