DEV Community: Zaim Abbasi The latest articles on DEV Community by Zaim Abbasi (@zaim_abbasi). https://dev.to/zaim_abbasi https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F3372444%2F84da5dac-5bff-4247-84a5-568b8e648e8a.jpg DEV Community: Zaim Abbasi https://dev.to/zaim_abbasi en Claude, OpenAI, Google API Keys... All Public. This Is What I Found After Scanning GitHub at Scale Zaim Abbasi Sun, 20 Jul 2025 15:58:09 +0000 https://dev.to/zaim_abbasi/claude-openai-google-api-keys-all-public-this-is-what-i-found-after-scanning-github-at-scale-fj5 https://dev.to/zaim_abbasi/claude-openai-google-api-keys-all-public-this-is-what-i-found-after-scanning-github-at-scale-fj5 <p>Hey devs 👋<br> I'm Zaim – a backend engineer and student, currently diving deep into LLM security.</p> <p>A few weeks ago, I was just messing around with GitHub dorks.<br> You know... the usual:<br> filename:.env<br> "sk-" in files pushed last week<br> Stuff like that.</p> <p>What I didn’t expect was how many live API keys I’d find.</p> <p>I'm talking:<br> OpenAI keys (some still active 💀)<br> Claude / Anthropic keys<br> Google Cloud API tokens<br> and even internal test keys from private orgs that somehow made it into public repos.</p> <p>Some had been sitting there for weeks. No revokes. No alerts. Just… exposed.</p> <p>So I built a tool.<br> Out of curiosity (and lowkey horror), I spun up a crawler and scanner.<br> It now continuously monitors public GitHub in real time, flagging leaked keys from:<br> OpenAI<br> Claude / Anthropic<br> Gemini / Google<br> and more...</p> <p>It turned into a project I call API Radar.<br> It’s a public dashboard showing:</p> <p>✅ Real-time leaked API keys<br> ✅ Redacted + raw views<br> ✅ Security leaderboard<br> ✅ Filters by provider<br> ✅ Timeline of exposure</p> <p>What I’ve seen so far:<br> 📦 9,200+ public repos scanned<br> 🔑 250+ exposed API keys found<br> ⏱️ First leak spotted within 5 minutes of going live<br> 🌍 Keys from projects across Pakistan, US, EU, and more</p> <p>Some people are literally pushing .env files with live keys and leaving them for days.<br> Others try to hide them in random config folders, but GitHub’s search… doesn’t miss.</p> <p>Why it matters<br> If you’re in security, LLMs, or open source, this matters.<br> If you're a student, bug bounty hunter, or just curious — this is an underrated goldmine for learning how bad hygiene actually looks in the wild.</p> <p>It made me rethink how easy it is to mess up API key security — even for big teams.</p> <p>I’m not trying to sell anything here.<br> Just want to ask:</p> <p>Would this help you in CTFs / bug bounties / red teaming?<br> What else should I track or visualize?<br> Should I open the scanner as a public API too?</p> <p>Let me know — curious what the community thinks 🙌</p> infosec github apikeys cybersecurity