Bitcoin 
Ethereum 
Tether 
XRP 
BNB 
Solana 
USDC 
TRON 
Lido Staked Ether 
Dogecoin 
Figure Heloc 
Cardano 
Bitcoin Cash 
Wrapped stETH 
WhiteBIT Coin 
Wrapped Beacon ETH 
Wrapped Bitcoin 
Wrapped eETH 
USDS 
Chainlink 
Binance Bridged USDT (BNB Smart Chain) 
Monero 
LEO Token 
WETH 
Stellar 
Coinbase Wrapped BTC 
Sui 
Ethena USDe 
Litecoin 
Zcash 
Avalanche 
Hyperliquid 
Shiba Inu 
Hedera 
Canton 
USDT0 
Dai 
World Liberty Financial 
sUSDS 
Toncoin 
Cronos 
Ethena Staked USDe 
PayPal USD 
Uniswap 
Polkadot 
USD1 
Mantle 
Rain 
MemeCore 
Bittensor 
Aave 
Pepe 
Bitget Token 
Tether Gold 
OKB 
NEAR Protocol 
Falcon USD 
Jito Staked SOL 
Ethereum Classic 
POL (ex-MATIC) 
Binance-Peg WETH 
Ethena 
Pi Network 
Internet Computer 
BlackRock USD Institutional Digital Liquidity Fund 
PAX Gold 
Aster 
HTX DAO 
Jupiter Perpetuals Liquidity Provider Token 
Worldcoin 
Circle USYC 
Global Dollar 
Binance Staked SOL 
KuCoin 
syrupUSDC 
Ripple USD 
Aptos 
Pump.fun 
Sky 
Wrapped BNB 
BFUSD 
Binance Bridged USDC (BNB Smart Chain) 
Provenance Blockchain 
Rocket Pool ETH 
Ondo 
Cosmos Hub 
Kaspa 
Render 
Arbitrum 
Algorand 
Gate 
Midnight 
Kelp DAO Restaked ETH 
Filecoin 
Quant 
Official Trump 
Bridged Wrapped Lido Staked Ether (Scroll) 
Function FBTC 
VeChain 
Lombard Staked BTC 
Solv Protocol BTC 
NEXO 
MYX Finance 
XDC Network 
Flare 
Bonk 
USDD 
Janus Henderson Anemoy AAA CLO Fund 
USDtb 
Mantle Staked Ether 
Liquid Staked ETH 
OUSG 
Sei 
Superstate Short Duration U.S. Government Securities Fund (USTB) 
WrappedM by M^0 
Pudgy Penguins 
Polygon Bridged USDC (Polygon PoS) 
Arbitrum Bridged WBTC (Arbitrum One) 
Stacks 
Morpho 
clBTC 
Ondo US Dollar Yield 
Virtuals Protocol 
Renzo Restaked ETH 
PancakeSwap 
Story 
Beldex 
Jupiter 
Jupiter Staked SOL 
USDai 
Lighter 
syrupUSDT 
Wrapped Flare 
Artificial Superintelligence Alliance 
L2 Standard Bridged WETH (Base) 
StakeWise Staked ETH 
Polygon PoS Bridged DAI (Polygon POS) 
Tezos 
Optimism 
Curve DAO 
Spiko EU T-Bills Money Market Fund 
Usual USD 
Kinetiq Staked HYPE 
Arbitrum Bridged WETH (Arbitrum One) 
c8ntinuum 
tBTC 
SPX6900 
Lido DAO 
Injective 
Chiliz 
FLOKI 
First Digital USD 
GHO 
TrueUSD 
GTETH 
Aerodrome Finance 
Ether.fi 
Celestia 
Fasttoken 
Dash 
Marinade Staked SOL 
Steakhouse USDC Morpho Vault 
Maple Finance 
Ether.Fi Liquid ETH 
The Graph 
Stader ETHx 
AB 
IOTA 
JasmyCoin 
Coinbase Wrapped Staked ETH 
Wrapped ApeCoin 
BitTorrent 
sBTC 
Starknet 
JUST 
USDB 
Staked Aave 
DoubleZero 
Ethereum Name Service 
Sun Token 
Conflux 
Pyth Network 
Bitcoin SV 
pippin 
dogwifhat 
Kaia 
Fartcoin 
Trust Wallet 
AINFT 
Gnosis 
Cap USD 
Wrapped STX (Velar) 
crvUSD 
EURC 
Binance-Peg Dogecoin 
Olympus 
Telcoin 
Avalanche Bridged BTC (Avalanche) 
Pendle 
Kinesis Gold 
Cybersecurity firm watchTowr has uncovered a trove of leaked passwords, access keys, and sensitive configuration files that were unintentionally exposed from popular online formatting tools, JSON formatter, and CodeBeautify.
watchTowr Labs said it collected a dataset containing more than 80,000 files from sites used to format and validate code. Within those files, researchers found usernames, passwords, repository authentication keys, Active Directory credentials, database connection strings, FTP credentials, cloud environment access keys, LDAP configuration details, helpdesk API keys, and even recordings of SSH sessions.
“We’ve been rifling through platforms that developers use to quickly format their input – like JSONFormatter and CodeBeautify. And yes, you are correct – it went exactly as badly as you might expect,” watchTowr’s blog post published on Tuesday.
Online utilities such as JSONFormatter and CodeBeautify are meant to beautify or validate data formats, where devs paste snippets of code or configuration files into them to troubleshoot formatting issues. But according to researchers, many employees are unknowingly pasting entire files that contain live secrets from production systems.
JSON and CodeBeautify leak data from government, banks, and healthcare
According to the security firm, the leaked data flaw has yet to affect three platforms, including GitHub repositories, Postman workspaces, and DockerHub containers. However, it found five years of historical content from JSONFormatter and one year of historical content from CodeBeautify, totaling more than 5 gigabytes of enriched and annotated JSON material.
“The popularity is so great that the sole developer behind these tools is fairly inspired – with a typical visit to any tool homepage triggering 500+ web requests pretty quickly to generate what we assume is some sweet, sweet affiliate marketing revenue,” the cybersecurity group explained.
watchTowr Labs said organizations from industries like national infrastructure, government agencies, major financial institutions, insurance companies, technology providers, retail firms, aerospace organizations, telecoms, hospitals, universities, travel businesses, and even cybersecurity vendors have all had their private information exposed.
“These tools are extremely popular, appearing near the top of search results for terms like ‘JSON beautify’ and ‘best place to paste secrets’ (probably, unproven), used by organizations and administrators in both enterprise environments and for personal projects,” Security researcher Jake Knott wrote in the blog post.
watchTowr Labs listed several categories of sensitive data found within the exposed files like Active Directory credentials, code repository authentication keys, database access details, LDAP configuration information, cloud environment keys, FTP login credentials, CI/CD pipeline keys, private keys, and full API requests and responses with sensitive parameters.
Investigators also mentioned Jenkins secrets, encrypted configuration files belonging to a cybersecurity firm, Know Your Customer information from banks, and AWS credentials belonging to a major financial exchange that were connected to Splunk systems.
watchTowr: Malicious actors are scraping the leaks
According to watchTowr Labs’ damage analysis, many of the leaked keys have been collected and tested by unknown parties. In an experiment, researchers uploaded fake AWS access keys to one of the formatting platforms, and in just under two days, malicious actors attempted to abuse the credentials.
“Mostly because someone is already exploiting it, and this is all really, really stupid,” Knott continued, “we don’t need more AI-driven agentic agent platforms; we need fewer critical organizations pasting credentials into random websites.”
JSONFormatter and CodeBeautify temporarily disabled their save functionality in September, when the security flaw was brought to their attention. JSONFormatter it was “working on to make it better,” while CodeBeautify said it was implementing new “enhanced NSFW (Not Safe For Work) content prevention measures.”
Security issue in HashiCorp’s Vault Terraform Provider
Away from the leaked credentials, the San Francisco-based IBM company HashiCorp found a vulnerability that could allow attackers to bypass authentication in its Vault Terraform Provider. The firm provides developers, businesses, and security organizations with cloud-computing infrastructure and protection services.
Per the software company’s findings shared on Tuesday, the Vault Terraform flaw affects versions v4.2.0 through v5.4.0 from an insecure default configuration in the LDAP authentication method.
The issue arises because the “deny_null_bind” parameter is set to false instead of true when the provider configures Vault’s LDAP authentication backend. The parameter determines if the Vault rejects a wrong password or unauthenticated binds.
If the connected LDAP server allows anonymous binds, attackers can authenticate and access accounts without any valid credentials.
