
An exposed .git directory on the Institute of Chartered Accountants of India's Board of Studies portal allegedly allowed threat actors to reconstruct source code, execute remote commands, and exfiltrate over 1.5 million CA student records, exposing PII to underground forums.


Identify exposed public .git directory
Reconstruct application source code offline
Examine code for hardcoded DB credentials & APIs
Exploit identified code flaws for RCE & superadmin control
Extract 1.5M student records from database
Actor 'zowico' claims RCE on examiners.icaiexam.icai.org and leaks 120 MB database.
Reports emerge of exposed .git directory and leak of 1.5M records on boslive.icai.org.
If your team may be exposed to a similar threat, FemtoSec can help validate blast radius, prioritize remediation, and connect the issue to a practical security program.
An alleged breach of the Meducar telemedicine platform in Argentina has exposed 3.2 million user records containing sensitive medical, personal, and religious data. Learn how security teams can validate API structures, secure AWS S3 cloud buckets, and implement tactical database containment steps.

June 19, 2026
A deep dive into the reported leak of 6 GB of PayXpress business data. Explore the implications for enterprise security and how to safeguard sensitive financial information.

Addressing the reported leak of 120 million records from Bet365 requires immediate assessment. We examine the security implications for users and enterprises.
Exposing a publicly accessible Git directory on an internet-facing production server provides adversaries with an immediate blueprint of an application's internal architecture, database schemas, and hardcoded authentication secrets. In the security incident affecting the Board of Studies (BoS) Knowledge Portal of the Institute of Chartered Accountants of India (ICAI), targeting the domain boslive.icai.org, threat actors allegedly capitalized on exactly this class of misconfiguration. By harvesting the metadata and history stored within an unsecured .git folder, the attackers could download the underlying application source code offline, analyze it for vulnerabilities, and eventually escalate their access to execute remote commands. This sequence ultimately culminated in the exfiltration and subsequent leakage of approximately 1.5 million CA student records on underground hacking forums.
Web-based Git directories are frequently left exposed due to continuous deployment pipeline oversights or web server misconfigurations. When developers deploy application updates directly from a Git repository to a production environment, they may unintentionally copy the hidden .git directory into the web server root. If the web server (such as Apache, Nginx, or IIS) is not configured to explicitly block access to hidden files and directories, the entire repository becomes indexable and downloadable by anyone who knows the target path.
A standard Git directory contains critical structural files, including the index file, the HEAD file, the refs directory, and the objects directory. The objects directory stores compressed versions of every file ever committed to the repository, alongside metadata and historical commit messages. Rather than downloading raw code directly, automated web crawlers search for public access to files like /.git/config or /.git/index. Once identified, tools can sequentially request every object hash referenced in the index, allowing the attacker to reconstruct a perfect, working clone of the application source code on their local machine.
The July 2026 data leak targeting the BoS Knowledge Portal represents a serious escalation in the threat landscape surrounding educational and professional association infrastructures in Southern Asia. Notably, this incident follows a previous security incident on June 14, 2026, targeting the ICAI Examiners Portal (examiners.icaiexam.icai.org). In that earlier campaign, a threat actor using the alias zowico claimed to have achieved remote code execution and superadmin control, subsequently publishing a 120 MB sample containing approximately 600,000 member records.
Although representatives from ICAI and their primary technology partners initially dismissed the June allegations as rumors targeting non-sensitive training environments, the consecutive July campaign highlights a persistent targeting pattern. The July compromise of boslive.icai.org exposed 1.5 million detailed student records, including full names, active email addresses, mobile phone numbers, dates of birth, category classifications, and physical addresses (both correspondence and permanent). This volume of sensitive data provides malicious actors with a wealth of material for highly targeted social engineering and identity theft operations.
Mitigating the risk of security misconfigurations like exposed repositories requires continuous, offensive verification. FemtoSec provides GCC enterprises with robust security assessments to proactively secure vulnerable web assets before attackers exploit them. Our comprehensive Penetration Testing services validate the security posture of your externally facing applications, APIs, and network environments to pinpoint and eliminate hidden architectural flaws.
Leveraging more than 15 years of cybersecurity experience and protecting over 50 leading enterprises across the GCC, FemtoSec delivers rapid, disruption-free security validation. If you suspect your domain information has already been exposed on underground repositories or hacking forums, we provide dedicated Dark Web Monitoring to continuously scan underground communities, telegram channels, and breach databases for your corporate identifiers. To begin securing your infrastructure, contact our technical team for a free initial consultation with no obligation; we respond within 24 hours via our Contact Page.
Once the application source code has been reconstructed offline, the threat actor's offensive options expand exponentially. Instead of performing blind, black-box testing against the production web application, the attacker can perform comprehensive white-box static code analysis. During this phase, they look for high-value targets within the code repository. For instance, database configuration files (such as web.config, settings.py, or .env files) often contain hardcoded credentials, database connection strings, API tokens, and session signing keys that developers failed to clean up before committing code.
Furthermore, having complete visibility into the application logic allows attackers to map out hidden administration endpoints, undocumented API routes, and parameter handling logic. In this specific campaign, analyzing the recovered code revealed structural flaws in the application, which the threat actors exploited to gain Remote Code Execution (RCE) and superadmin privileges over the underlying server. By executing system-level commands, the attackers successfully bypassed authentication checks and established persistent access to the database layer holding 1.5 million student records.
Organizations should continuously identify and remediate these exposures before external scanners do. Implementing proactive testing is critical; businesses can utilize Attack Surface Management to discover exposed folders, misconfigured subdomains, and unprotected development repositories before adversaries can exploit them.
For modern organizations and professional bodies, the exfiltration of 1.5 million records creates severe secondary security risks. When personal details, physical addresses, and active contact numbers are leaked, threat actors utilize this data to construct convincing spear-phishing templates, SMS-based phishing campaigns (smishing), and voice-based impersonation attacks (vishing). Because the database contains academic and professional category information, attackers can craft highly specific context-aware lures, posing as official examination boards or regulatory authorities to extract financial credentials or passwords from victims.
Additionally, the leaked database contains active corporate and personal email addresses that are quickly cross-referenced against other credential dumps. Threat actors perform automated credential stuffing and password spraying attacks against corporate networks using passwords recovered from unrelated historic breaches. If any of the compromised accounts belong to students or members who reuse credentials on their primary work systems, enterprise environments across various sectors can suffer lateral compromises.
Free exposure check
Dark Web Scanner
check dark web mentions, compromised account indicators, malware log signals, public breach exposure, and recent underground market activity for your domain.
Security operation centers can implement the following Splunk search query to quickly identify anomalous HTTP GET requests targeting hidden Git structures:
index=web_logs uri_path="*/.git/*" OR uri_path="*/.git"| stats count by src_ip, uri_path, status, user_agentThis query helps identify external entities attempting to download the Git configuration or index files. In a standard production environment, such requests should never occur and should be instantly blocked at the web application firewall (WAF) or web server level.
To detect potential Remote Code Execution stemming from source code exploitation, monitor the web server's host operating system for anomalous process spawning. For example, if a web server daemon (such as Nginx or IIS) spawns a command-line utility or PowerShell interface, it is a high-confidence indicator of active exploitation.
index=security event_id=1 parent_process_name IN ("w3wp.exe", "httpd.exe", "nginx.exe", "php-cgi.exe", "tomcat.exe") process_name IN ("cmd.exe", "powershell.exe", "bash", "sh")| table _time, host, parent_process_name, process_name, command_lineIf an exposed Git directory is discovered on a production system, security teams must assume that the entire application source code and all embedded credentials have been fully compromised. The following steps should be executed immediately:
Block Directory Access: Implement strict directory-blocking rules on the active web server configuration. For Nginx servers, add a configuration block to deny all access to .git folders:
location ~ /\.git {
deny all;
access_log off;
log_not_found off;
}For Apache web servers, utilize an .htaccess rewrite rule:
RedirectMatch 404 /\.(git|github|svn|hg)/Rotate All Credentials: Because credentials within historical commits must be treated as exposed, immediately rotate all database passwords, session signing keys, API tokens, and encryption secrets referenced anywhere in the source code history.
Conduct Web Root Audits: Scan the production web directory for unauthorized file modifications or newly created files (especially web shells with .php, .aspx, or .jsp extensions) written during the suspected compromise window.