CISA Contractor Leaked `AWS GovCloud` Keys on GitHub

A public repo exposed high-privilege cloud and internal credentials. Treat secret scanning as a production control, not a checkbox.

[ KEY POINTS ]

The public Private-CISA repo exposed high-privilege AWS GovCloud credentials, plaintext passwords, tokens, and logs.
Default protections that block secret publishing appear to have been disabled; one bad repo setting can bypass the whole safety net.
Immediate takeaway: enforce secret scanning, pre-commit checks, and key rotation even on private or internal repos.

Originalnews.hada.io/topic?id=29689Read original →

// related

#0001
#0001Infra & SaaS RevenueCat Blog3 hours ago
`Google Play Billing Library` `9.0`, billing and console updates from I/O 2026
80radar
Google Play Billing LibraryAndroid billing library — Google Play in-app purchase integration
Billing, analytics, protection, and Play Console all moved at once. Android subscription code should be reviewed now, not after a build rejection.
- Play Billing Library 9.0.0 is a major version, so billing code deserves a compatibility pass before the next Android release.
- The update bundle includes AI, Play Console, analytics, and protection changes. Store operations are expanding beyond payment integration.
- RevenueCat coverage matters because it usually translates Google Play billing changes into SDK and migration impact.
- Apps with Android subscriptions should watch RevenueCat and Google timelines together. Late migration turns into release risk.
Source: www.revenuecat.com/blog/engineering/play-billing-v9/Read original →
FIG-0011:1
80radar
FIG-0011:1
#0002
#0002Infra & SaaS GeekNews4 hours ago
`FileBrowser Quantum`: Free Open-Source Self-Hosted Web File Manager
50radar
FileBrowser QuantumSelf-hosted file manager — stronger auth and directory ACLs
A self-hosted file UI adds serious auth and access-control layers beyond basic browsing. Useful when a small product needs internal asset/admin file handling without paying for another SaaS.
- Supports OIDC, LDAP, JWT, password plus 2FA, and proxy auth, so it can fit both simple admin panels and heavier internal setups.
- Directory-level permissions can be set by user or group. That is the real upgrade over a plain shared file browser.
- Runs on SQLite, keeping deployment lightweight. Good fit for a single VPS or sidecar service in an existing stack.
Source: news.hada.io/topic?id=29680Read original →
FIG-0021:1
50radar
FIG-0021:1
#0003
#0003Infra & SaaS GitHub Changelog11 hours ago
GitHub expands OIDC for `Dependabot` and code scanning private registries
50radar
Org-level private registry auth now covers two more artifact providers. Useful if your supply-chain checks already pull private packages; otherwise low urgency.
- Cloudsmith and Google Artifact Registry join org-level OIDC auth support for private registries, reducing long-lived secret handling.
- Coverage applies to Dependabot and code scanning, so dependency updates and security analysis can access private packages with the same auth model.
- Best fit is repos already using private artifacts. For public-package-only projects, this is a cleanup item, not a roadmap changer.
Source: github.blog/changelog/2026-05-19-expanded-oidc-support-fRead original →
FIG-0031:1
50radar
FIG-0031:1

CISA Contractor Leaked `AWS GovCloud` Keys on GitHub

// related

`Google Play Billing Library` `9.0`, billing and console updates from I/O 2026

`FileBrowser Quantum`: Free Open-Source Self-Hosted Web File Manager

GitHub expands OIDC for `Dependabot` and code scanning private registries