CyberEd Essentials

Exposing Orphaned Commits on Major Git Platforms



Kumar Ashwin of RedHunt Labs explains how dangling Git commits persist across platforms and expose secrets at scale, revealing a hidden risk within everyday development workflows.

Version control systems underpin modern software development, yet their underlying mechanics can quietly preserve sensitive data long after teams believe it has been removed. Across GitHub, GitLab and Bitbucket, dangling commits persist outside active branches, retaining credentials, API keys and proprietary configurations created during routine development actions such as resets, force pushes and file rewrites.

This session examines how these orphaned artifacts form, why they remain accessible within platform infrastructure, and how they can be systematically identified at scale. Large-scale analysis across major Git platforms reveals the true scope of secret exposure and highlights an often-overlooked attack surface.

In this session, led by Kumar Ashwin, technical manager for research and consulting at RedHunt Labs, you will learn:

  • Why dangling commits materially increase attackers' effort asymmetry;
  • Why large-scale secret scanning requires bespoke validation to reduce false positives;
  • How temporal and behavioral signals expose systemic development risks.
 

 

Here is the course outline:

Hidden in Plain Sight: Large-Scale Exposure of Orphaned Commits on Major Git Platforms

Completion

The following certificates are awarded when the course is completed:

CPE Credit Certificate
