Rishi Sec

Defense Suppliers Tracked via Leaked Freight API Keys


If you think your secret supply routes are still secret, try telling that to the kid in Estonia who just mapped every F-35 spare part moving through Frankfurt because some logistics intern pasted a freight API key into a public GitHub repo. Welcome to today’s defense supply chain OSINT reality show—where military & defense contractors are the unwilling contestants and the prize is a full enemy kill-chain delivered on a silver platter.

Over the past twenty years I’ve broken into everything from three-letter agencies to mom-and-pop parts makers. The pattern never changes: the flashiest zero-days get the headlines, but the loudest compromises start with the dumbest mistakes—like shipping manifests that phone home to an unauthenticated REST endpoint. In this post we’ll walk through exactly how leaked freight API keys surface, how adversaries weaponize them, and how you can hunt them before the other guys do.

Why Freight APIs Are the Soft Underbelly

Global shipping runs on JSON. Maersk, DHL, DB Schenker, Toll, Kuehne+Nagel—every one of them exposes rich telemetry once you present the right Bearer token. That token is supposed to live inside a CI/CD vault. Instead it ends up in:

  • Public code repositories (GitHub, GitLab, Bitbucket)
  • Mobile app decompilations (yes, vendors ship internal keys in APKs)
  • Swagger docs that get indexed by search engines
  • Help-desk tickets that get mirrored to Zendesk portals with “public” visibility

Once the key leaks, the attacker gets real-time geolocation, weight, hazmat flags, customs references and—my personal favorite—“shipper references” that contain internal part numbers. Those part numbers map directly to defense contracts. Game over.


Real-World Blast Radius

Last spring a European red-team buddy pinged me about a logistics startup that bragged on LinkedIn about moving “classified rotorcraft components.” Thirty minutes later we had their API key via a GitHub dork that searched for client_secret inside YAML files. Two hours after that we had:

Data Point                    What We Found
Active Waybills               1,847
High-value military SKUs      233
Unique supplier CAGE codes    41
Countries transited           19

Bottom line: we never touched a weapon system, yet we could predict which air base would receive parts on which day. Multiply that by every subcontractor who ships through commercial hubs and you see why adversaries love this vector.

Hunting for Leaked Keys – Step by Step

You do not need a $200k threat-intel platform to start. You need caffeine, regex, and the ability to stomach bad documentation.

  1. Dork smart: Use GitHub’s filename:.env freight or extension:yaml kuehne. Add client_secret or api_key to taste.
  2. Monitor package ecosystems: PyPI, NuGet and npm are littered with internal logistics SDKs that include hard-coded tokens. Run a weekly cron that diffs new uploads against your supplier watch-list.
  3. Scrape Swagger: Shodan http.title:swagger plus the carrier name finds dev portals that forgot authentication.
  4. Correlate CAGE codes: Once you have a key, query the Waybill shipper_reference field for any five-digit CAGE. Cross-reference with SAM.gov to identify prime contracts.

Need to scale? Feed discovered keys into Kindi. Our in-house AI will auto-enrich shipment routes, visualize supplier networks and alert your team when new keys pop—no manual spreadsheets, no analyst burnout.
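Before you go looking for someone else's leak, run the same patterns against your own repositories. The scanner below is an added example, not code from this post or from Kindi: it flags assignments to names such as client_secret, api_key or token in .env and YAML text, skips template placeholders, and uses Shannon entropy to separate real-looking keys from filler. The key names, regexes, entropy threshold and sample files are all assumptions.

```python
import math
import re
from collections import Counter

# Key names the dorks above search for, matched case-insensitively inside .env and YAML assignments.
SECRET_KEYS = ("client_secret", "api_key", "apikey", "token", "bearer")
ASSIGNMENT = re.compile(
    r"(?P<key>[A-Za-z0-9_.-]*(?:" + "|".join(SECRET_KEYS) + r")[A-Za-z0-9_.-]*)"
    r"\s*[:=]\s*['\"]?(?P<value>[^\s'\"]{16,})['\"]?",
    re.IGNORECASE,
)
# Values that are templates, not credentials: ${VAR}, <your-key>, changeme, xxxx, ****
PLACEHOLDERS = re.compile(r"^(\$\{.*\}|<.*>|changeme.*|x{4,}|your[-_].*|\*{4,})$", re.IGNORECASE)


def shannon_entropy(s):
    """Bits per character; random API keys score well above 3, filler like 'aaaa' scores near 0."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def find_hardcoded_secrets(text, min_entropy=3.0):
    """Return (line_no, key_name, redacted_value) for assignments that look like live credentials."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        m = ASSIGNMENT.search(line)
        if not m:
            continue
        value = m.group("value")
        if PLACEHOLDERS.match(value) or shannon_entropy(value) < min_entropy:
            continue  # template placeholder or low-entropy filler, not a key
        findings.append((no, m.group("key"), value[:4] + "..." + value[-2:]))
    return findings


# Constructed sample files; the values are made up and belong to no real carrier.
SAMPLE_ENV = """\
FREIGHT_API_URL=https://api.example-carrier.test/v1
FREIGHT_CLIENT_SECRET=kx9Qm2ZpLt7vRw4sYb8NcD3fGh6JaE1u
FREIGHT_API_KEY=${VAULT_FREIGHT_API_KEY}
"""
SAMPLE_YAML = """\
carrier:
  name: example-carrier
  token: "aaaaaaaaaaaaaaaaaaaa"
  api_key: 'AbCdEf0123456789GhIjKl'
"""

if __name__ == "__main__":
    for name, text in (("freight.env", SAMPLE_ENV), ("carrier.yaml", SAMPLE_YAML)):
        for no, key, redacted in find_hardcoded_secrets(text):
            print(f"{name}:{no}: {key} = {redacted}")
```

Wire it into a pre-commit hook or CI step so the finding blocks the push instead of becoming someone else's dork result.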

From Keys to Intelligence – Mapping the Kill-Chain

Here is where most articles stop at “got the key, got the data.” That is useless unless you turn it into decision advantage.

1. Geofence Validation

If a classified radar pedestal leaves Fort Worth and the waybill shows a customs stop in Ankara, you have a diversion. Flag any route deviation > 200 NM outside the declared corridor.

2. Time-Series Anomaly

Adversaries probe manifests weeks before they act. Sudden spikes in API calls from new ASN blocks often precede physical interception attempts. Baseline your carriers’ traffic and alert on 2-sigma deviation.

3. Part-Number Clustering

Run Jaccard similarity on shipper references. If multiple subcontractors ship dissimilar items to the same forward stocking location within 72 h, you may be looking at a staged attack.

4. Social Confirmation

Cross-reference shipment dates with Facebook events near the destination air base. I have seen militia groups literally post “big plane day” selfies that align with heavy cargo arrivals. OSINT for Law Enforcement covers how to pivot from social posts to court-ready evidence.
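One way to implement the geofence check from step 1, as an added example rather than the author's or any carrier's tooling: it measures each tracking ping's cross-track distance from the declared great-circle corridor and flags anything beyond the 200 NM limit, falling back to the distance from the nearer endpoint when the ping lies before the origin or past the destination. The corridor, the event field names and the coordinates are constructed.

```python
import math

EARTH_RADIUS_NM = 3440.065   # mean Earth radius in nautical miles
CORRIDOR_LIMIT_NM = 200.0    # deviation threshold from the post

def _rad(p):
    return math.radians(p[0]), math.radians(p[1])

def angular_distance(a, b):
    """Great-circle angle (radians) between two (lat, lon) points, via the haversine formula."""
    lat1, lon1 = _rad(a)
    lat2, lon2 = _rad(b)
    h = math.sin((lat2 - lat1) / 2) ** 2 + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2
    return 2 * math.asin(math.sqrt(h))

def initial_bearing(a, b):
    """Initial bearing (radians) of the great circle from a to b."""
    lat1, lon1 = _rad(a)
    lat2, lon2 = _rad(b)
    y = math.sin(lon2 - lon1) * math.cos(lat2)
    x = math.cos(lat1) * math.sin(lat2) - math.sin(lat1) * math.cos(lat2) * math.cos(lon2 - lon1)
    return math.atan2(y, x)

def corridor_deviation_nm(origin, destination, point):
    """Distance (NM) from a tracking ping to the great-circle segment origin -> destination."""
    d13, d12 = angular_distance(origin, point), angular_distance(origin, destination)
    dtheta = initial_bearing(origin, point) - initial_bearing(origin, destination)
    if math.cos(dtheta) < 0:                       # ping lies behind the origin
        return d13 * EARTH_RADIUS_NM
    xt = math.asin(math.sin(d13) * math.sin(dtheta))                                  # cross-track angle
    at = math.acos(max(-1.0, min(1.0, math.cos(d13) / max(math.cos(xt), 1e-12))))  # along-track angle
    if at > d12:                                   # ping lies past the destination
        return angular_distance(destination, point) * EARTH_RADIUS_NM
    return abs(xt) * EARTH_RADIUS_NM

def flag_diversions(corridor, events, limit_nm=CORRIDOR_LIMIT_NM):
    """Return (waybill, deviation_nm) for each tracking event more than limit_nm off the corridor."""
    origin, destination = corridor
    flagged = []
    for e in events:
        dev = corridor_deviation_nm(origin, destination, (e["lat"], e["lon"]))
        if dev > limit_nm:
            flagged.append((e["waybill"], round(dev)))
    return flagged

# Constructed sample: declared corridor Fort Worth -> Ramstein and two pings from the waybill feed.
CORRIDOR = ((32.75, -97.33), (49.44, 7.60))
EVENTS = [
    {"waybill": "WB-0001", "lat": 50.03, "lon": 8.57},    # Frankfurt hub, within the corridor
    {"waybill": "WB-0002", "lat": 39.93, "lon": 32.86},   # customs stop near Ankara: a diversion
]
if __name__ == "__main__":
    print(flag_diversions(CORRIDOR, EVENTS))
```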


Mitigations That Actually Work

Contractors love to throw “zero trust” around like pixie dust. Here is the non-marketing version:

  • Rotate keys daily. If your freight vendor only supports quarterly rotation, change vendors.
  • Use ephemeral OAuth. Bearer tokens should expire in minutes, not months.
  • Split manifests. Never let a single API return part number, destination and weight in one call. Break it into role-based micro-services.
  • Canary waybills. Inject fake shipments tied to honeypot CAGE codes. Any API call against them equals compromise.
  • Continuous OSINT monitoring. Automate the GitHub, Swagger and mobile app checks described above. Automated OSINT Investigations explains why manual hunting dies under scale.
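The canary-waybill bullet and the time-series anomaly idea from the kill-chain section, as one added example that is not the author's or any carrier's code: it parses constructed JSON-lines API access records, raises on any read of a honeypot CAGE code or canary waybill, and flags ASNs whose daily call count sits more than 2 sigma above their baseline or that have no baseline at all. The field names, the CAGE-PN-partnumber reference format and every sample value are assumptions.

```python
import json
import statistics
from collections import Counter

# Constructed canary set: honeypot CAGE codes and waybill numbers that belong to no real shipment.
CANARY_CAGES = {"0CANA", "0CANB"}
CANARY_WAYBILLS = {"WB-CANARY-01"}

def parse_log(lines):
    """Parse JSON-lines API access records, skipping anything that is not valid JSON."""
    records = []
    for line in lines:
        try:
            records.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return records

def canary_hits(records):
    """Any read of a canary waybill, or of a shipper_reference whose CAGE prefix is a canary, means the key is in hostile hands."""
    hits = []
    for r in records:
        cage = r.get("shipper_reference", "").split("-")[0]   # assumed format: CAGE-PN-partnumber
        if r.get("waybill") in CANARY_WAYBILLS or cage in CANARY_CAGES:
            hits.append((r["token_id"], r["client_asn"], r.get("waybill")))
    return hits

def asn_spikes(today, baseline, sigma=2.0):
    """Flag ASNs whose call count exceeds mean + sigma*stdev of their daily history; unseen ASNs are flagged outright."""
    flagged = []
    for asn, n in today.items():
        hist = baseline.get(asn, [])
        if len(hist) < 2:
            flagged.append((asn, n, "no baseline: new ASN"))
            continue
        mu, sd = statistics.mean(hist), statistics.pstdev(hist)
        if n > mu + sigma * sd:
            flagged.append((asn, n, f"> {mu:.1f} + {sigma:g}*{sd:.1f}"))
    return flagged

# Constructed sample: one day of access records, and prior daily call counts per ASN (documentation ASNs).
LOG_LINES = [
    '{"token_id":"tok_7f2","client_asn":64497,"waybill":"WB-1041","shipper_reference":"1A2B3-PN-55012"}',
    '{"token_id":"tok_7f2","client_asn":64497,"waybill":"WB-1042","shipper_reference":"1A2B3-PN-55013"}',
    '{"token_id":"tok_7f2","client_asn":64496,"waybill":"WB-CANARY-01","shipper_reference":"0CANA-PN-00001"}',
    "not json at all",
]
BASELINE = {64497: [3, 2, 3, 2, 3], 64498: [10, 12, 11, 9, 10]}

if __name__ == "__main__":
    records = parse_log(LOG_LINES)
    print("canary hits:", canary_hits(records))
    print("asn spikes:", asn_spikes(Counter(r["client_asn"] for r in records), BASELINE))
```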

Red-Team Exercise – Try It This Weekend

Enough theory. Here is your homework:

  1. Pick a defense supplier in your country.
  2. Search GitHub for their primary logistics partner plus the word token.
  3. Found a key? Great. Query the carrier’s /v1/shipments endpoint with it.
  4. Plot the lat/long of active waybills in Maltego.
  5. Export the graph and brief your CISO on how many subsystems you can geolocate.

If you can reach step 5 in under four hours, congratulations—you have just demonstrated why defense supply chain OSINT keeps three-letter officials awake at night.


Parting Shot

Twenty years ago we worried about bomber counts. Today we worry about YAML files. The battlefield is now the supply route, and the first shots are fired in GitHub commits. Hunt those keys before the other side hunts your cargo.

Want to strengthen your OSINT skills? Check out our free course
Check out our OSINT courses for hands-on training.
And explore Kindi — our AI-driven OSINT platform built for speed and precision.

FAQ

Q1: Are freight API keys really that exposed?

A: Yes. Over 1,100 unique keys were discovered on public GitHub in the last 12 months alone, many tied to Fortune 500 logistics providers.

Q2: What is the quickest win for defense suppliers?

A: Enforce daily key rotation and deploy canary waybills. Both take under a week to implement and immediately shrink the attacker's window.

Q3: How does Kindi differ from generic GitHub scanners?

A: Kindi fuses code repository data with shipment tracking, social signals and geospatial layers, giving analysts a finished intelligence picture, not just raw keys.

Q4: Which countries’ shipments are most at risk?

A: Routes transiting regions with limited customs oversight—Southeast Asia, Eastern Europe and the Horn of Africa—show the highest diversion attempts.

Q5: Can leaked keys be used for more than tracking?

A: Absolutely. Many freight APIs allow re-routing or re-labeling of cargo, enabling physical interception or malicious substitution.
