Over 10,000 Docker images on Docker Hub are leaking sensitive credentials, including API keys and cloud access tokens, according to security firm Flare. Many of these leaks originate from unmonitored developer accounts, putting critical infrastructure at risk. Even when developers remove secrets, the underlying credentials often remain active, leaving systems vulnerable.

The article announces the public beta of API keys, allowing users to create and manage keys for accessing an application's API. It includes features like scoped access, instant revocation, and optional expiration. Pricing will follow a usage-based model after the beta period.

Google Stitch now allows users to create and manage API keys within its settings, potentially enabling higher-resolution image generation using Gemini models. A new feature for auto-generating product requirements documents (PRD) is also in development to streamline the design-to-documentation process for product teams.

This article discusses the importance of sandboxing and using proxies to protect sensitive data when working with Claude Code. It highlights potential risks, such as API key exposure, and offers practical solutions for managing access and ensuring confidentiality.

This article introduces the new API key feature that lets users create and manage keys for accessing your application's API. It covers key functionalities like instant revocation, user and organization scoping, and programmatic management through the Backend SDK. Pricing will be usage-based after the beta period.

This article explains how to add multi-tenant API Key functionality to a SaaS platform using Clerk. It covers the setup process, key management, and how to secure backend routes while ensuring organization-level data isolation.

Moltbook, a social network for AI agents, suffered a major security breach due to a misconfigured Supabase database, exposing 1.5 million API keys and personal data of 17,000 human users. The incident highlights risks in quickly developed applications without adequate security measures.

Research reveals over 4,500 Clawdbot/Moltbot instances are publicly exposed, allowing attackers to extract sensitive data like API keys and WhatsApp session credentials. The vulnerabilities stem from insecure design, misconfigured dashboards, and excessive permissions. Immediate action is recommended for users to mitigate risks.

AWS provides guidance on securely implementing and managing Amazon Bedrock API keys, recommending the use of temporary security credentials via AWS STS whenever possible. It outlines best practices for using short-term and long-term API keys, including monitoring, protection strategies, and the importance of adhering to security policies through service control policies (SCPs).

AppSync does not natively support unauthenticated API calls, but there are three methods to implement them: using API keys, Lambda authorizers with shared secrets, or AWS IAM with Cognito Identity Pool. Each method has its pros and cons, including ease of setup, control over access, cost implications, and scalability concerns. A detailed comparison helps in choosing the best approach for unauthenticated GraphQL operations.

A small language model has been developed specifically for detecting sensitive information within code, enhancing security measures in software development. The model aims to improve the identification of secrets such as API keys and passwords, addressing a critical area in application security. By implementing this model, organizations can better protect their codebases from unauthorized access and data breaches.

Build React applications quickly using AI with the open-lovable project from the Firecrawl team. It provides a setup guide that includes cloning the repository, configuring necessary API keys, and running the application in a development environment. For a comprehensive cloud solution, users are directed to Lovable.dev.

A new cyber threat named GhostAction has been identified, targeting GitHub projects and stealing sensitive information such as API keys and secrets. The attack exploits vulnerabilities in software development practices, leading to potential data breaches and compromised projects for developers. Security experts urge developers to enhance their security measures to mitigate risks associated with these attacks.

Organizations often struggle with securely managing OpenAI API keys due to the risks associated with static keys. HashiCorp Vault's dynamic secrets plugin offers a solution by generating temporary, short-lived credentials that automatically expire, enhancing security and simplifying operations. This approach mitigates compliance concerns and operational challenges while promoting better AI integration practices.

AWS has introduced Amazon Bedrock API keys, which include long-term and short-term options for AI development. While these keys offer benefits such as being scoped to Bedrock services and monitored through CloudTrail, they also raise security concerns, particularly regarding IAM user creation and the potential for persistent access key misuse.

A critical vulnerability known as Agent Smith affects the Langsmith Prompt Hub, which could expose API keys and sensitive user data. Security experts warn that this flaw could lead to unauthorized access and data breaches if not addressed promptly. Users are urged to take immediate precautions to protect their information.

Secrets Ninja is a tool designed for validating API keys and credentials during pentesting and bug bounty hunting, featuring a user-friendly interface and support for multiple services. It allows users to test API keys, provides clear feedback, and can be easily extended with new modules. The tool emphasizes ethical use and compliance with applicable laws.