Cloudflare Worker Credential Attacks


I recently was reviewing the error logs on a Cloudflare Worker that had only been active for a week and was surprised to see the extent of attacks occurring that were sniffing for leaked credentials. Let’s take a look at some of the URLs that were being accessed.

It should be noted that the attacks were not successful because we properly store our credentials in a secrets manager that is accessed at runtime, and we audit our code repositories for leaked credentials.

I suspect that you’ll quickly realize what these URLs have in common.

http://[worker path].workers.dev/.aws/config
http://[worker path].workers.dev/aws/credentials
http://[worker path].workers.dev/s3.js
http://[worker path].workers.dev/configs/routes.js
http://[worker path].workers.dev/settings.py
http://[worker path].workers.dev/server.js
http://[worker path].workers.dev/server-info.php
http://[worker path].workers.dev/app.js
http://[worker path].workers.dev/configs/routes-4aug.js
http://[worker path].workers.dev/config/storage.yml
http://[worker path].workers.dev/config/application.yml

… This goes on for another 140 URLs. The URLs were all accessed within a window of a few minutes so as not to tip off rate limiting. Furthermore, it appears that this credential sniffing is occurring every few days.
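
One way to spot this kind of sweep in your own Worker logs, as an added example that is not from the original post: count the distinct unrouted paths each client requests within a few minutes. The route list, log field names (`time`, `ip`, `url`), host, window and threshold are all assumptions.

```javascript
// Added example, not from the original post. Routes, window and threshold
// below are assumptions; tune them to your own Worker.
const KNOWN_ROUTES = new Set(["/", "/api/health", "/api/orders"]); // hypothetical routes
const WINDOW_MS = 5 * 60 * 1000; // "a few minutes"
const MIN_DISTINCT = 5;          // distinct unrouted paths that count as a sweep

// Report each client that requested >= MIN_DISTINCT different unrouted
// paths inside any WINDOW_MS span.
function findSweeps(entries) {
  const byClient = new Map();
  for (const e of entries) {
    const path = new URL(e.url).pathname;
    if (KNOWN_ROUTES.has(path)) continue; // legitimate traffic
    if (!byClient.has(e.ip)) byClient.set(e.ip, []);
    byClient.get(e.ip).push({ t: Date.parse(e.time), path });
  }
  const findings = [];
  for (const [ip, hits] of byClient) {
    hits.sort((a, b) => a.t - b.t);
    let best = { from: 0, paths: new Set() };
    for (let s = 0; s < hits.length; s++) {
      const paths = new Set();
      for (let i = s; i < hits.length && hits[i].t - hits[s].t <= WINDOW_MS; i++) {
        paths.add(hits[i].path);
      }
      if (paths.size > best.paths.size) best = { from: hits[s].t, paths };
    }
    if (best.paths.size >= MIN_DISTINCT) {
      findings.push({ ip, distinctPaths: best.paths.size,
                      from: new Date(best.from).toISOString() });
    }
  }
  return findings;
}

// Constructed log entries: one sweep using paths from the list above,
// plus a normal client with a single mistyped URL.
const PROBES = ["/.aws/config", "/aws/credentials", "/s3.js",
                "/settings.py", "/server-info.php", "/config/storage.yml"];
const SAMPLE_LOG = [
  ...PROBES.map((p, i) => ({ time: `2025-01-10T03:00:0${i}Z`,
                             ip: "203.0.113.7", url: "http://worker.example" + p })),
  { time: "2025-01-10T03:01:00Z", ip: "198.51.100.20", url: "http://worker.example/api/orders" },
  { time: "2025-01-10T03:02:00Z", ip: "198.51.100.20", url: "http://worker.example/api/order" },
];

console.log(findSweeps(SAMPLE_LOG));
```

A client that spreads the same requests over a longer period stays under the threshold, so pair this with a longer-horizon count if slow sweeps matter to you.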

This should be a reminder to all of us to be careful about NEVER storing credentials or key URLs like database locations in code. It’s easy to do so in the heat of the moment thinking that you’ll remember to move them to a secrets manager later, but it will come back to haunt you.

I recommend frequently auditing your code repositories for any instances of credentials in code. If you don’t already have a tool of choice for this, there are a couple of commercially backed open-source options that I recommend checking out to scan your repositories for leaked credentials:

trufflehog git file://<path to your repository>
infisical scan --verbose

Infisical also has a pre-commit hook that you can use to scan your code before you commit it.

infisical scan install --pre-commit-hook

Conclusion

The prevalence of automated credential scanning attacks, even on newly deployed workers, highlights the importance of proper credential management. Never store credentials in code. Use secrets managers and regularly audit your codebase for any accidentally committed sensitive information. Remember - it only takes one leaked credential to compromise your entire system.

Cheers 🥂
