Live AWS keys in 75 throwaway repos, each made public for one of five windows from 60 seconds to 12 hours, every use logged. The keys were tripwires; the real question was who notices a private repo going public, and what they do once they’re in.
The most useful finding is the dull one: re-hiding the repo does nothing. One busy harvester kept re-validating the captured keys for a day after the repos went private again. Only rotating the key stops it.
This came out of building a monitor for exactly these repo-setting changes.
It’s really not surprising that it’s so fast, since you can easily get newly created repos and repos made public from a github API (the “list public events” one at /events). Makes sense that people are polling this and feeding it to TruffleHog.
I guess the rather consistent 6 minutes don’t come from it actually taking so long but rather from some kind of caching that only makes these repos show up after 5 minutes plus 1 minute for fetching and using the api key.
The 6 minutes was the earliest contact, not the typical one. Most first hits came around 8 minutes. I agree there has to be something delaying repos showing up. I was expecting even 60 seconds of exposure to be enough to get caught.
That matches what I saw. One of the actors was a Hetzner host running TruffleHog, and the busiest was a harvester on two OVH IPs doing nothing but GetCallerIdentity checks. So yes, someone is polling the public events feed and scanning whatever shows up. The keys got found the moment the repo was visible to that feed.