GreyNoise observed a significant increase in crawling activity targeting Git configuration files on April 20-21, 2025. While the crawling itself is reconnaissance, successful discovery of exposed Git configuration files can lead to exposure of internal codebases, developer workflows, and potentially sensitive credentials. This activity is tracked under the GreyNoise Git Config Crawler tag, which identifies IPs crawling the internet for sensitive Git configuration files. 

GreyNoise is developing an enhanced dynamic IP blocklist to help defenders take faster action on emerging threats. Click here to learn more or get on the waitlist.

Majority of IPs are Malicious — Potential Regional Targeting

GreyNoise observed nearly 4,800 unique IP addresses daily from April 20-21, marking a substantial increase compared to typical levels. Although activity was globally distributed, Singapore ranked as both the top source and destination for sessions during this period, followed by the U.S. and Germany as the next most common destinations. 

Likewise, in the past 90 days by unique IP count, Singapore remains the top source and destination country for this activity. None of the IPs are spoofed, indicating the traffic originated from the IPs observed. GreyNoise can confirm that 95% of all IPs engaged in this behavior in the past 90 days are malicious.  

Top Source Countries:

  • Singapore (4,933 unique IPs)
  • U.S. (3,807 unique IPs)
  • Germany (473 unique IPs)
  • U.K. (395 unique IPs)
  • Netherlands (321 unique IPs)

Top Destination Countries: 

  • Singapore (8,265 unique IPs)
  • U.S. (5,143 unique IPs)
  • Germany (4,138 unique IPs)
  • U.K. (3,417 unique IPs)
  • India (3,373 unique IPs)

The IPs are linked to cloud infrastructure providers such as Cloudflare, Amazon, and DigitalOcean.

Four Spikes Since September — April the Largest Yet

Since September 2024, GreyNoise has observed four distinct spikes in Git configuration crawling activity, each involving approximately 3,000 unique IPs — with the April 20-21, 2025 spike marking the largest to date. 

The late February spike tells somewhat of a different story in terms of source and destination session traffic:

Top Source Countries:

  • Netherlands 
  • U.S. 
  • Germany

Top Destination Countries:

  • U.S.
  • U.K. 
  • Spain

Why It Matters

Git configuration files can reveal: 

  • Remote repository URLs (GitHub, GitLab)
  • Branch structures and naming conventions 
  • Metadata that provides insight into internal development processes

In some cases, if the full .git directory is also exposed, attackers may be able to reconstruct the entire codebase — including commit history, which may contain confidential information, credentials, or sensitive logic. 

In 2024, a Git configuration breach exposed 15,000 credentials and resulted in 10,000 cloned private repositories. 

Recommendations

To prevent this type of exposure: 

  • Ensure .git/ directories are not accessible via public web servers
  • Block access to hidden files and folders in web server configurations
  • Monitor logs for repeated requests to .git/config and similar paths
  • Rotate any credentials exposed in version control history

Related CVE:

CVE-2021-23263

GreyNoise will continue to monitor the situation and provide updates as necessary. To stay abreast of the latest developments, please navigate to the top of this page and subscribe to our blog. 

GreyNoise has developed an enhanced dynamic IP blocklist to help defenders take faster action on emerging threats. Click here to learn more about GreyNoise Block.

— — — 

Stone is Head of Content at GreyNoise Intelligence, where he leads strategic content initiatives that illuminate the complexities of internet noise and threat intelligence. In past roles, he led partnered research initiatives with Google and the U.S. Department of Homeland Security. With a background in finance, technology, and engagement with the United Nations on global topics, Stone brings a multidimensional perspective to cybersecurity. He is also affiliated with the Council on Foreign Relations.

This article is a summary of the full, in-depth version on the GreyNoise Labs blog.
Read the full report
GreyNoise Labs logo
Link to GreyNoise Twitter account
Link to GreyNoise Twitter account