novak-api-key-leak — git leak → cloud abuse chain
NovaPay ci-deploy-bot key committed to novak-payments-api, force-pushed but recoverable from reflog. Attacker cloned from 198.51.100.77, triggered secret scanning, then IAM escalation + Secrets Manager reads matching k8s export. Fully synthetic.
what this proves
- all eight api-key-leak primary engines produce deterministic, fixture-locked output — verified by npm run check:flagship (280/280 fleet · 8 for this scenario).
- every output is generated 100% locally in your browser — bundle the repo, export audit logs, never upload credentials.
- deleted .env commit recoverable from reflog, force-push + secret scanning timeline, cloudtrail CreateAccessKey/AssumeRole/bulk GetSecretValue, iam escalation paths, and k8s secret material matching the git leak surface without sending evidence to a server.
primary engines locked to this fixture
build the case binder
runs all eight primary engines on the synthetic evidence zip and opens a self-contained html binder. uses the default binder renderer for api-key-leak — no upload.
download the synthetic evidence
MIT-licensed, fully synthetic. includes repo bundle with reflog, github enterprise audit export, aws cloudtrail records, ci-deploy-bot iam policy, and k8s secrets export with matching base64 tokens.
built deterministically from scripts/fixtures/build-novak-api-key-leak.mjs. seed: novak-api-key-leak:v1.
methodology
main branch is clean — force-push hides the leak, not the reflog. recover the introducing commit first, then walk git forensics → github audit parser → github audit analyzer → cloudtrail deep → cloudtrail forensic → iam policy → escalation graph → k8s secrets decoder. attacker cloned from 198.51.100.77 before secret scanning fired. read the full API key leak / repo compromise guide →
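the cloudtrail leg of that walk, as an added example that is not one of the scenario's engines: a small triage pass over constructed CloudTrail-style JSON lines that flags a source IP showing CreateAccessKey, then AssumeRole, then a burst of GetSecretValue reads inside one window. only the standard CloudTrail field names are real; every record, user name and timestamp is made up for this snippet.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed CloudTrail-style records (JSON lines). The source IP is the one
# named in the scenario; users, times and the second IP are invented.
SAMPLE_CLOUDTRAIL = """
{"eventTime":"2024-03-02T08:01:10Z","eventName":"GetCallerIdentity","eventSource":"sts.amazonaws.com","sourceIPAddress":"198.51.100.77","userIdentity":{"userName":"ci-deploy-bot"}}
{"eventTime":"2024-03-02T08:02:05Z","eventName":"CreateAccessKey","eventSource":"iam.amazonaws.com","sourceIPAddress":"198.51.100.77","userIdentity":{"userName":"ci-deploy-bot"}}
{"eventTime":"2024-03-02T08:03:40Z","eventName":"AssumeRole","eventSource":"sts.amazonaws.com","sourceIPAddress":"198.51.100.77","userIdentity":{"userName":"ci-deploy-bot"}}
{"eventTime":"2024-03-02T08:04:01Z","eventName":"GetSecretValue","eventSource":"secretsmanager.amazonaws.com","sourceIPAddress":"198.51.100.77","userIdentity":{"userName":"ci-deploy-bot"}}
{"eventTime":"2024-03-02T08:04:02Z","eventName":"GetSecretValue","eventSource":"secretsmanager.amazonaws.com","sourceIPAddress":"198.51.100.77","userIdentity":{"userName":"ci-deploy-bot"}}
{"eventTime":"2024-03-02T08:04:03Z","eventName":"GetSecretValue","eventSource":"secretsmanager.amazonaws.com","sourceIPAddress":"198.51.100.77","userIdentity":{"userName":"ci-deploy-bot"}}
{"eventTime":"2024-03-02T09:00:00Z","eventName":"GetSecretValue","eventSource":"secretsmanager.amazonaws.com","sourceIPAddress":"203.0.113.9","userIdentity":{"userName":"payments-svc"}}
"""

WATCHED = {"CreateAccessKey", "AssumeRole", "GetSecretValue"}


def parse_records(text):
    """Parse JSON lines into dicts, attach a datetime, and sort by time."""
    recs = [json.loads(line) for line in text.splitlines() if line.strip()]
    for r in recs:
        r["_ts"] = datetime.strptime(r["eventTime"], "%Y-%m-%dT%H:%M:%SZ")
    return sorted(recs, key=lambda r: r["_ts"])


def find_abuse_chains(records, burst=3, window=timedelta(minutes=15)):
    """Per source IP: CreateAccessKey, later AssumeRole, then >= `burst`
    GetSecretValue calls within `window` of the key creation. Returns {ip: finding}."""
    by_ip = defaultdict(list)
    for r in records:
        if r["eventName"] in WATCHED:
            by_ip[r["sourceIPAddress"]].append(r)
    findings = {}
    for ip, evs in by_ip.items():
        names = [e["eventName"] for e in evs]
        if "CreateAccessKey" not in names or "AssumeRole" not in names:
            continue
        ck = names.index("CreateAccessKey")
        if names.index("AssumeRole") < ck:  # AssumeRole must follow key creation
            continue
        start = evs[ck]["_ts"]
        reads = [e for e in evs[ck:] if e["eventName"] == "GetSecretValue"
                 and e["_ts"] - start <= window]
        if len(reads) >= burst:
            findings[ip] = {"user": evs[ck]["userIdentity"]["userName"],
                            "key_created": evs[ck]["eventTime"],
                            "secret_reads": len(reads)}
    return findings
```

the same three event names are what the cloudtrail deep / forensic engines pivot on; a single GetSecretValue from a normal workload IP (the second IP above) does not trip the chain.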
after the playbook
run each primary locally — or export findings from the binder — then drop every csv/json into fatcousin-multi-tool-super-timeline-correlator. one timestamp-sorted timeline across reflog commit recovery, force-push window, cloudtrail key creation, iam escalation, and k8s secret match — still zero upload.