Private key in plain sight in .env
Sensitive API keys and private keys were stored in environment files committed to version control, exposing critical secrets to anyone with repository access.
Description
Sensitive information, including API keys and private keys, was found stored directly in an environment file committed to the repository. Such files (e.g., .env) must never be committed to version control, as this exposes critical secrets to potential compromise.
Impact
A malicious actor could retrieve the exposed private keys and use them to steal associated funds or access protected services.
Recommendation
All keys (both private and API) should be rotated immediately to invalidate any potentially exposed credentials. Additionally, include the .env file in .gitignore to prevent it from being pushed to the repository in the future.
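One way to verify the recommendation, as an added example that is not part of the original report: adding .env to .gitignore does not untrack a file that is already committed and leaves earlier commits untouched, so the script checks all three conditions. It assumes git is installed, and the function name check_env_exposure is hypothetical.

```shell
#!/bin/sh
# Added example: audit a Git working tree for an exposed env file.
# Assumes git is installed; check_env_exposure is a hypothetical helper name.

# Prints one line per finding; the return status is the number of findings.
check_env_exposure() {
    repo=$1
    file=${2:-.env}
    findings=0

    # 1. Still tracked? Ignore rules never apply to files already in the index.
    if git -C "$repo" ls-files --error-unmatch -- "$file" >/dev/null 2>&1; then
        echo "TRACKED: untrack with 'git rm --cached $file' and commit"
        findings=$((findings + 1))
    fi

    # 2. Ignored? --no-index evaluates the rules even while the file is tracked.
    if ! git -C "$repo" check-ignore -q --no-index -- "$file" 2>/dev/null; then
        echo "NOT_IGNORED: add '$file' to .gitignore"
        findings=$((findings + 1))
    fi

    # 3. In any commit on any ref? Old commits keep the secret after removal,
    #    so every key that was ever in the file has to be rotated.
    if [ -n "$(git -C "$repo" log --all --format=%h -- "$file" 2>/dev/null | head -n 1)" ]; then
        echo "IN_HISTORY: rotate every key that '$file' has ever contained"
        findings=$((findings + 1))
    fi

    return "$findings"
}

# Usage: sh check_env.sh /path/to/repo [.env]
if [ "$#" -gt 0 ]; then
    check_env_exposure "$@"
fi
```

A status of 0 means the file is untracked, ignored and absent from history; IN_HISTORY on its own means the .gitignore fix is in place but the keys still need rotating.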
Resolution
Nexalo: Fixed.
Zealynx: Private keys removed.

