An exposed .git folder let us dox a phishing campaign

Scammers left secrets in plain sight; commenters split: chase them or nuke it

TLDR: A Discord crew found scammers’ exposed code and bot password, reported it, and the whole operation got taken down fast. Comments erupted over whether to hunt longer, help victims using stolen data, or share the kit for detection—proof that one sloppy mistake can sink a phishing scam.

A Friday phishing fail turned into community theater: a BeyondMachines Discord member flagged a fake login, and the crooks had left their code history wide open. Translation for non-nerds: they forgot to lock the folder that stores all their edits and notes. The crew peeked, found the source repo and a Telegram bot token (basically a password to control their bot), and filed reports to GitHub, Telegram, and the hosting company. Result: repo deleted, bot vaporized, site down. Receipts? Screenshots.

But the comments stole the show. One camp wanted a longer chase: “Could’ve traced the attacker for a bit,” sighed poly2it, craving CSI vibes. A harsher chorus grumbled the crooks “got off easy,” demanding more consequences. ArcHound wrestled with ethics: can you help victims by retrieving stolen logins — and should you? They also begged for kit snippets to improve detection next time.

Meanwhile, the nerds chewed on how a secret ended up in config files, with CGamesPlay scratching their head. Jokes flew: “never deploy .git to production,” lots of eye-rolls, and memes about “leaving blueprints on the front lawn.” The crowd cheered the fast takedown powered by Discord teamwork, while arguing the big questions: chase vs. shut down, rescue victims vs. don’t touch stolen data, and publish clues vs. play it safe. Internet court is now in session.

Key Points

  • A phishing email led investigators to a fake login page reported via a Discord community.
  • Gobuster reconnaissance revealed a publicly accessible .git directory on the phishing site.
  • Inspection of requests exposed an active Telegram bot token and chat IDs hardcoded in the code.
  • The team pulled the repository, finding automated deployments and multiple fake pages.
  • Abuse reports resulted in GitHub removing the repo, Telegram disabling the bot, and the host taking the site offline.
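The two mistakes the key points turn on (a .git directory sitting inside the web root, and a bot token hardcoded in config) are exactly the things a pre-deploy check can catch before a site goes live. The script below is an added example written for this summary; it is not code from the original post, from BeyondMachines, or from the commenters. It walks a directory that is about to be published, flags any version-control directory that would be served to the public, and reports token-shaped strings found in config or source files. The Telegram token shape it matches (numeric bot id, colon, 35-character secret) is an assumption about the current format, not something the page states, and the sample tree it scans is constructed inline.

```python
"""Pre-deploy hygiene check for a web root.

Added example, not code from the original write-up. Reports two classes of
findings:
  1. a version-control directory (.git, .svn, .hg) inside the web root, which a
     web server will happily serve under /.git/ unless explicitly blocked;
  2. strings shaped like a Telegram bot token hardcoded in config or source.
"""
import os
import re
import tempfile
from pathlib import Path

# ASSUMPTION: Telegram bot tokens look like <8-10 digit bot id>:<35 chars of [A-Za-z0-9_-]>.
# Lookarounds (not \b) so a trailing '-' or '_' in the secret does not break the match.
TELEGRAM_TOKEN_RE = re.compile(r"(?<![A-Za-z0-9_-])\d{8,10}:[A-Za-z0-9_-]{35}(?![A-Za-z0-9_-])")
VCS_DIRS = {".git", ".svn", ".hg"}
TEXT_SUFFIXES = {".py", ".php", ".js", ".json", ".env", ".yml", ".yaml", ".ini", ".txt", ".html"}


def scan_web_root(root):
    """Return a list of (kind, relative_path, detail) findings for the tree under root."""
    root = Path(root)
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        # Flag VCS directories and stop descending into them: their contents are the finding.
        for d in list(dirnames):
            if d in VCS_DIRS:
                rel = str(Path(dirpath, d).relative_to(root))
                findings.append(("vcs_dir", rel, "would be served to anyone requesting it"))
                dirnames.remove(d)
        for name in filenames:
            path = Path(dirpath, name)
            # Path(".env").suffix is "" so dotfiles named .env* are handled by name.
            if path.suffix.lower() not in TEXT_SUFFIXES and not name.startswith(".env"):
                continue
            try:
                text = path.read_text(errors="replace")
            except OSError:
                continue
            for m in TELEGRAM_TOKEN_RE.finditer(text):
                # Never copy the secret itself into the report; keep only the bot id.
                bot_id = m.group(0).split(":")[0]
                findings.append(("telegram_token", str(path.relative_to(root)), bot_id + ":" + "*" * 35))
    return findings


def is_deployable(root):
    """True when the tree has no findings, i.e. it is safe to publish as-is."""
    return not scan_web_root(root)


def build_demo_tree(base):
    """Construct a sample web root resembling the thread's phishing kit: a fake login page,
    a config file with a hardcoded bot token and chat id, and a stray .git directory.
    All values are constructed for the example."""
    base = Path(base)
    (base / ".git").mkdir(parents=True)
    (base / ".git" / "HEAD").write_text("ref: refs/heads/main\n")
    (base / "index.html").write_text("<form action='login.php'>...</form>\n")
    (base / "config.php").write_text(
        "<?php\n"
        "$bot_token = '1234567890:0123456789abcdefghijklmnopqrstuvwxy';  // constructed\n"
        "$chat_id = '-100123456';\n"
    )
    return base


def run_demo():
    """Scan the constructed tree and return its findings."""
    with tempfile.TemporaryDirectory() as tmp:
        root = build_demo_tree(Path(tmp) / "site")
        return scan_web_root(root)


if __name__ == "__main__":
    for kind, rel, detail in run_demo():
        print(f"{kind:15} {rel:12} {detail}")
```

Run it before every publish (CI step or git pre-push hook) and fail the deploy when `is_deployable` is false. The report deliberately masks the secret, so the check's own output cannot become the next leak.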

Hottest takes

"Could've traced the attacker for a bit" — poly2it
"got off easy." — ekjhgkejhgk
"please share some bits of the phishing kit" — ArcHound
Made with <3 by @siedrix and @shesho from CDMX. Powered by Forge&Hive.