A Web3 quests platform shipped a production blockchain data provider API key in its public Next.js bundle, allowing any unauthenticated visitor to create and delete webhooks on the company's billed third-party account.
Feb 21, 2026

A self-custody wallet provider's production telemetry exposed thousands of Bitcoin extended public keys to the open internet, enabling permanent wallet surveillance.
Feb 21, 2026

Unauthenticated webhook endpoint allowed full-read SSRF. Cloud IMDS accessed via redirect bypass, 14 internal hosts mapped.
Feb 21, 2026

Anonymous role had read/update/delete on 13 tables. 45,372 wallet addresses with trading volumes exposed.
Feb 21, 2026

A P2P trading platform's internal executive dashboard endpoint required no authentication, exposing approximately $30M in crypto reserves, live business metrics, and user personal data.
Feb 21, 2026

Dev server in production exposed a 6.1MB database with admin credentials, API tokens, and a GitHub PAT.
Feb 21, 2026

A Layer 1 blockchain naming service used a curl-pipe-to-python installer and a tag-pinned checkout action in its smart contract test workflow, enabling CI runner code execution and forged test results on contract changes.
Feb 21, 2026

A DeFi aggregator's portal exposed its feature toggle service's internal admin endpoints with no authentication, leaking 116 flags, the production token inventory, privileged staff IDs, and the compliance country list, with leaked IDs usable to unlock hidden features and flip payment routing.
Feb 21, 2026

A cryptocurrency exchange decided sanctioned-country and country-specific asset restrictions based on a client-supplied forwarding header, allowing any unauthenticated visitor to flip the compliance decision with one line.
Feb 21, 2026

A crypto exchange shipped working production API credentials inside a public sample script, granting private account read access and trading write actions.
Feb 21, 2026