Mick Grove
micksmix.bsky.social
Interested in computer security. 🐕 friendly. Security at MongoDB. Formerly at Apple, AWS, other places.
Scan your repos and orgs with Kingfisher to detect _valid_ leaked creds:

# Enumerate and scan your whole org for any Shai-Hulud-created repos
KF_GITHUB_TOKEN=ghp_xxx \
kingfisher scan github --organization <your-org>
November 26, 2025 at 9:14 PM
This allows defenders to actually recover the valid secrets Shai-Hulud exfiltrated so they can be identified and rotated quickly.

Most open-source scanners stop after a single Base64 decode and miss the data Shai-Hulud buries underneath.
November 26, 2025 at 9:13 PM
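The point about nested encoding, as an added example (not Kingfisher's code and not from the original posts): a Python scanner that keeps decoding Base64 runs layer by layer and reports the depth at which a token appears, so it can be identified and rotated. The token pattern, run-length threshold, depth limit and sample blob are assumptions constructed for the demonstration.

```python
import base64
import binascii
import re

# Runs of Base64 alphabet worth trying to decode (16-char minimum is an assumption).
B64_RUN = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")
# Assumed token shape for this demo: "ghp_" followed by 36 alphanumerics.
TOKEN = re.compile(r"ghp_[A-Za-z0-9]{36}")
MAX_DEPTH = 5  # bound the recursion so crafted input cannot force unbounded work


def try_decode(candidate):
    """Return the decoded text if candidate is Base64 of readable UTF-8, else None."""
    if len(candidate) % 4:
        return None
    try:
        text = base64.b64decode(candidate, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    return text if all(c.isprintable() or c.isspace() for c in text) else None


def find_tokens(text, depth=0):
    """Return sorted (depth, token) pairs for tokens found at any decode layer."""
    found = {(depth, tok) for tok in TOKEN.findall(text)}
    if depth < MAX_DEPTH:
        for run in B64_RUN.findall(text):
            decoded = try_decode(run)
            if decoded is not None:
                found.update(find_tokens(decoded, depth + 1))
    return sorted(found)


# Constructed sample: a fake token wrapped in JSON, then Base64-encoded twice.
FAKE_TOKEN = "ghp_" + "A1b2C3d4E5f6" * 3
INNER = '{"GITHUB_TOKEN": "%s"}' % FAKE_TOKEN
DOUBLE = base64.b64encode(base64.b64encode(INNER.encode())).decode()
SAMPLE = "contents: " + DOUBLE

if __name__ == "__main__":
    once = try_decode(DOUBLE)
    print("token visible after one decode:", bool(TOKEN.search(once)))
    for depth, tok in find_tokens(SAMPLE):
        print("depth", depth, "->", tok[:8] + "...")
```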
I’ve always liked the Amazon “one way door vs two way door” analogy for this type of decision making:

m.youtube.com/watch?v=rxsd...
Jeff Bezos explains one-way door decisions and two-way door decisions
YouTube video by Startup Archive
June 8, 2025 at 5:43 PM