💀 GHS Scan #35

Payment API Credentials — Production Keys with Payout Access
Repos Scanned: 483, MATCH: 73, MAYBE: 10

🇮🇳 Razorpay — 25 match, 2 maybe

Repository contains live Razorpay production API credentials (rzp_live_ key ID and key secret) committed directly in a markdown file, matching the search for real payment API credentials with payout capabilities.
Repository contains live Razorpay production API credentials (rzp_live_ key ID and secret) committed in a debug markdown file for a gaming platform.
Repository contains hardcoded Razorpay LIVE production credentials (key_id and key_secret) committed directly in source code.
Repository contains hardcoded Razorpay LIVE production credentials (key_id and key_secret) in the frontend source code (src/App.tsx).
Repository contains a committed .env.bak file with live Razorpay production credentials (rzp_live_ key ID and key secret) for an eCommerce project called Woolenza.
Repository contains a committed env.txt file with live Razorpay production credentials (rzp_live_ key ID and secret), along with numerous other production secrets including database, Redis, WooCommerce, and email API keys.
MATCH webihooks/dg
Repository contains live Razorpay production API credentials (rzp_live_ key ID and key secret) committed directly in config.php, which could enable fund transfers/payouts.
Repository contains live Razorpay production credentials (rzp_live_ key ID and secret) hardcoded in a setup script, along with a Supabase service role key.
Repository contains a hardcoded Razorpay LIVE API key (rzp_live_y2c1NPOWRBIcgH) committed directly in server.js, which is a real production credential for a payment service with payout capabilities.
Repository contains hardcoded live Razorpay production API credentials (rzp_live_ keys and their corresponding secrets) for what appears to be a real business ("Pink Grid" dance/fitness studio) payment landing page.
Repository contains a committed .env.local.txt file with live Razorpay production credentials (rzp_live_ key ID and key secret), along with numerous other API keys.
Repository contains hardcoded Razorpay live production API credentials (key ID and secret) in config.py, which have payout/withdrawal capabilities.
Repository contains a committed .env file with live Razorpay production credentials (rzp_live_ key and secret) for what appears to be a hospital backend system in India.
Repository contains hardcoded Razorpay LIVE production API credentials (key_id and key_secret) in server.js, which matches the search criteria.
Repository contains what appear to be real Razorpay production credentials (rzp_live_ key ID and key secret) committed in an env.example file, which is a QR code/digital visiting card application with payment integration.
Repository contains live Razorpay production credentials (rzp_live_ key ID and key secret) hardcoded in both the setup script and README, for a fruits e-commerce store.
Repository contains hardcoded Razorpay LIVE/PRODUCTION API credentials (key_id and key_secret) committed directly in source code across multiple files.
Repository contains hardcoded Razorpay LIVE production API credentials (key_id and key_secret) in server.js for a project called 'safarnamaproject'.
Repository contains a live Razorpay production credential (rzp_live_ key secret) committed in the .replit configuration file for a tiffin delivery service project.
Repository contains actual Razorpay production (live) credentials committed in an env.example file, including both the Key ID (rzp_live_RckdrRyNNy8thO) and Key Secret (wzVq4ZV7Q0vw0IIpFyJkZjRj).
Repository contains a leaked live Razorpay production API key (rzp_live_RZLX30zmmnhHum) committed in a documentation/fix file, which is a real credential exposure for a payment service with payout capabilities.
Repository contains live Razorpay production API credentials (rzp_live_ key ID and key secret) committed directly in a markdown setup guide.
Repository contains live Razorpay production credentials (API key and secret) committed in a setup documentation file, enabling potential unauthorized access to a payment account with payout capabilities.
Repository contains hardcoded Razorpay live production API credentials (rzp_live_ key ID and key secret) committed directly in a Flask application's source code.
Repository contains a committed .env.vps file with live Razorpay production credentials (rzp_live_ key and secret), along with MongoDB Atlas credentials, JWT secrets, and Twilio auth tokens.
Repository contains a commented-out Razorpay live production key (rzp_live_PrDxVO5r3nbrTB) and its corresponding secret (60sCmL6zRZOO91f4Yv2VzzCM) in the source code.
Repository contains what appears to be a live Razorpay key ID (rzp_live_ZhhzXPVJwyHfxu) in the RAZORPAY-SETUP.md file for a perfume e-commerce website, though the key secret is blank.

🇧🇷 Mercado Pago — 29 match, 3 maybe

Repository contains committed production Mercado Pago API credentials (APP_USR- access token, client secret, public key) in a .env.mercadopago file, explicitly labeled as 'PRODUÇÃO' (production).
Repository contains a hardcoded Mercado Pago production access token (APP_USR-7436035612141486-013122-61798ea13f696f8c593ad4e8a37d28f8-1250513859) in mercadopagolink.py, used to generate payment links via the Mercado Pago API.
Repository contains a committed Mercado Pago production access token (APP_USR-5218557589982132-100215-6eac02f0cc2876a2caa7c004600eb514-2015579701) in both env.txt and .envExample files. Mercado Pago's payout/transfer API could allow fund withdrawal with this token.
Repository contains a hardcoded production Mercado Pago access token (APP_USR-7405090772578608-022809-e3f4f320da88636ba61af4fbb5f18917-161407086) in setup.sh, which is a real credential for a Brazilian 3D printing farm ERP system.
Repository contains a hardcoded Mercado Pago production access token (APP_USR-5272706309971562-...) in a notes file, which is a real committed credential with potential payout capabilities.
Repository contains exposed Mercado Pago PRODUCTION credentials (APP_USR- access token and public key) along with client secret, committed directly in documentation files.
Repository contains hardcoded Mercado Pago production credentials (APP_USR- access token and public key) committed directly in config.py for an Argentine scuba diving federation management system.
Repository contains a hardcoded Mercado Pago production access token (APP_USR-8709825494258279-092911-227a84b3ec8d8b30fff364888abeb67a-1160706432) committed directly in app.js.
Repository contains a hardcoded Mercado Pago production access token (APP_USR-6317427424180639-042414-47e969706991d3a442922b0702a0da44-469485398) committed directly in app.js for an e-commerce Node.js application.
Repository contains a hardcoded Mercado Pago production access token (APP_USR-7925082022583826-120120-3b449fd48fa3d8d65cf80b7e8d24d91c-86743850) used in multiple places in the code for a food delivery app.
Repository contains real Mercado Pago PRODUCTION credentials (access token and public key) committed in a plaintext configuration file, explicitly labeled as production credentials for real payments.
Repository contains a hardcoded Mercado Pago production access token (APP_USR-) in teste2.js, which is a live credential with potential payout/withdrawal capabilities.
This repository contains a hardcoded Mercado Pago production API credential (APP_USR- token) committed directly in source code, matching the search for leaked payment API credentials.
Repository contains a hardcoded Mercado Pago production access token (APP_USR-7658876632220022-101614-d30336768139110fb18fa3ae68e9be9c-110180274) in server.js for a hamburger shop's online ordering system.
Repository contains committed Mercado Pago production access tokens (APP_USR- keys) in config-temp.js and render-env-config.txt, along with database credentials, JWT secrets, and admin tokens.
Repository contains a committed Mercado Pago production access token (APP_USR-4443132160940317-...) and public key in a plaintext configuration file (RAILWAY-VARIABLES.txt) for a university e-commerce project.
MATCH M47u/vitta
Repository contains a committed .env file with real Mercado Pago PRODUCTION credentials (APP_USR- access token and public key) for a perfume e-commerce store called 'Vitta Perfumes'.
Repository contains a plaintext file (VARIABLES_VERCEL.txt) with a real Mercado Pago production access token (APP_USR-6695050923550599-110410-56bc2e79fc9f3b8f20aa40ddd97c65f0-2095898034) committed to the repo, alongside other production credentials including database passwords and JWT secrets.
Repository contains a hardcoded Mercado Pago production access token (APP_USR-5956351957753101-061711-e7363d09d29a257c3e1d645ba3004ae8-1862853195) in a server backup file for a Brazilian integrative medicine clinic's payment system.
Repository contains a committed Mercado Pago production access token (APP_USR-) in an environment file, which appears to be a real credential for a financial application.
Repository contains a hardcoded Mercado Pago production access token (APP_USR-5692623734442597-071318-5317a02cee5dfbe53d8d2ca4713b7578-238788393) committed directly in source code.
Repository contains a hardcoded Mercado Pago production access token (APP_USR-), client_id, and client_secret committed directly in server.js for a college TCC project.
Repository contains real Mercado Pago production API credentials (APP_USR- access tokens) committed in config.php, along with production database credentials.
Repository contains a Mercado Pago production ACCESS_TOKEN (APP_USR-) committed in an environment file (.env.noborrar), which provides real API credentials with potential payout capabilities.
Repository contains a hardcoded Mercado Pago production access token (APP_USR-4237434869134082-091111-3a8a5bd867896e83d167d22e2a319a61-222380220) in a payment integration file for a MTA:SA game server control panel.
Repository contains a hardcoded Mercado Pago production access token (APP_USR-) in the ecommerce backend code, used as a fallback when no environment variable is set.
Repository contains a hardcoded Mercado Pago production access token (APP_USR-) committed directly in app.js, matching the search for real payment API credentials with payout capabilities.
Repository contains a hardcoded Mercado Pago production access token (APP_USR-) committed directly in bot.py, along with a Telegram bot token.
Repository contains a committed .env.railway file with real Mercado Pago production credentials (APP_USR- access token and public key) for a campus virtual payment system.
Repository contains what appears to be a real (but expired/invalid) Mercado Pago production access token (APP_USR-8097707897846582-010320-95aefba2f7087fc56272b15bad37d6e2-58356) committed in a guide document.
Repository contains a Mercado Pago APP_USR- access token committed in a production environment file, though the environment is explicitly set to 'sandbox'.
Repository contains a Mercado Pago production access token (APP_USR-) committed in a plain text file, used to create test users via the Mercado Pago API.

🇳🇬 Paystack — 11 match, 3 maybe

Repository contains live Paystack production API credentials (sk_live_ secret key and pk_live_ public key) hardcoded in a configuration file for a Kenyan e-commerce shop.
Repository contains live Paystack production secret key (sk_live_9af3fe14f68f75cd7e2e8fc3abcbcb0e60a7e6ce) committed directly in a markdown setup document, which has payout/transfer capabilities.
Repository contains a hardcoded live Paystack secret key (sk_live_b7515d94b537fc8d9bc6cb1a23a3734ac06647da) in callback.php, which is a real production credential with potential payout/withdrawal capabilities.
Repository contains a Paystack live secret key (sk_live_) and live public key (pk_live_) committed in a markdown file, which are production credentials with payout capabilities.
This repository contains hardcoded live Paystack production credentials (sk_live_ secret key) in a React Native church payment app, which could be used for unauthorized fund transfers/payouts.
Repository contains hardcoded live Paystack production API credentials (sk_live_ secret key) in a bookkeeping app's source code, which has payout/transfer capabilities.
Repository contains a hardcoded live Paystack secret key (sk_live_9403ec1226390c470f86e5204e4c3b4b2e1e50a0) in index.js, which is a real production credential with potential payout/transfer capabilities.
Repository contains live Paystack production secret keys (sk_live_) committed in a .env.live.example file for a mining equipment company in Africa, along with database credentials, email passwords, and Google OAuth secrets.
Repository contains a hardcoded live Paystack secret key (sk_live_9aba89c843a3b7d4924f00cd6ccbe326297244ad) committed directly in webhook.js, along with Gmail credentials in plaintext.
Repository contains a live Paystack secret key (sk_live_e1b9d5d76760cf6e1d64a915e79f47415fbba501) hardcoded in register.php, used for a university course registration payment portal.
Repository contains a live Paystack secret key (sk_live_682733bdbcd986b24a49bca98b998267ae9d5ae5) committed in config/config.php, along with database credentials for what appears to be a production voting system.
This repo contains a script (fix-secret.ps1) that was created to scrub what appears to have been real Paystack live credentials (sk_live_ and pk_live_ keys) from a previous commit (2137575). The actual keys may still exist in git history.
Repository contains a commented-out but visible Paystack live secret key (sk_live_) in a config file for a site called zidrop.com.
Repository contains a partially leaked Paystack live secret key (sk_live_2f4e6da...) in documentation, indicating real production credentials are being used in this mobile payment app.

🇳🇬 Flutterwave — 6 match, 1 maybe

Repository contains a commented-out but visible Flutterwave LIVE production secret key (FLWSECK-861342224daec9dee5c9773175edaae9-X) in the source code, which matches the search criteria for leaked production Flutterwave credentials.
Repository contains a hardcoded Flutterwave production secret key (FLWSECK-...) with transfer/withdrawal capabilities implemented in the code.
This repository contains a hardcoded Flutterwave production secret key (FLWSECK-0fad0ddfd151302dd5ff88b01e4ac4ea-18e825d73favt-X) committed directly in source code, which is a live credential with potential payout/withdrawal capabilities.
Repository contains a committed file (temp-env.txt) with what appears to be a real Flutterwave production secret key (FLWSECK-cc842f4c47bf0059d3854bf053c11296-1973d2d141dvt-X) along with a Neon database connection string with credentials.
Repository contains hardcoded production Paystack (sk_live_) and Flutterwave (FLWSECK_) API credentials in a Laravel application for a GPA calculator.
This repository contains live production Paystack secret key (sk_live_), Flutterwave secret key (FLWSECK_), SMTP credentials, and an encryption key — all hardcoded in a config file for a gift card exchange platform with withdrawal capabilities.
Repository contains a hardcoded Flutterwave secret key (FLWSECK-e6db11d1f8a6208de8cb2f94e293450e-X) in source code. However, the code uses FLUTTERWAVE.TEST_URL by default, and the production block is commented out, suggesting this is likely a test/sandbox key rather than a live production key.

🇺🇸 Square — 2 match, 0 maybe

MATCH aaronkh/KaKi
Repository contains a leaked Square production client_secret (sq0csp-UO3gjsg7KB8dEZX1sdFNtO8z3SB19RzdVf2VhL5m6zw) and client_id in the OAuth token exchange flow, along with production environment configuration.
Repository contains hardcoded production Square API credentials (sq0csp- client secret and sq0idp- app ID) used as fallback values in an OAuth token exchange endpoint.

🇰🇪 M-Pesa — 0 match, 1 maybe

Repository contains M-Pesa/Daraja API consumer key and consumer secret credentials committed directly in MPESA_SETUP.md, though they appear to be sandbox credentials based on context clues.