securityaffairs.com 2/6/2026, 10:36:06 AM

Nearly 5 Million Web Servers Found Exposing Git Metadata – Study Reveals Widespread Risk of Code and Credential Leaks

A 2026 study by the Mysterium VPN research team found that nearly 5 million public web servers expose Git metadata, with 4.96M IPs having publicly accessible .git directories. The researchers also report that 252,733 .git/config files contained active deployment credentials, roughly 5% of those exposed, increasing the risk of credential theft and related breaches.

The United States, Germany and France topped the list of affected regions, with exposed metadata enabling potential source-code reconstruction, credential abuse, and cloud access. The report emphasises that misconfigurations persist due to deployment mistakes and servers not blocking these folders by default, turning small errors into significant breaches.

To mitigate the exposure, the report recommends blocking public access to .git folders, keeping Git data out of production, rotating any leaked credentials, and applying secrets management, pre-commit checks, monitoring and rapid response plans.
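As an added example (not code from the study or the article), the following audit reads a .git/config from a build artifact or web root you own and reports settings that embed credentials, so they can be rotated and removed before deployment. The sample config, host names and token are constructed, and the check of Git's http.extraheader setting goes beyond the remote-URL credentials the article mentions.

```python
import re
from urllib.parse import urlsplit

# Constructed sample: a .git/config as it might be left in a deployed web root.
SAMPLE_CONFIG = """\
[core]
\tbare = false
[remote "origin"]
\turl = https://deploy-bot:EXAMPLE-TOKEN-0000@git.example.com/acme/site.git
\tfetch = +refs/heads/*:refs/remotes/origin/*
[remote "mirror"]
\turl = git@git.example.com:acme/site.git
[http "https://git.example.com/"]
\textraheader = AUTHORIZATION: basic RVhBTVBMRQ==
"""

SECTION = re.compile(r'^\[\s*([^\s"\]]+)(?:\s+"(.*)")?\s*\]$')

def audit_git_config(text):
    """Return (section, key, redacted_value) for every setting that embeds a credential."""
    findings, section = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = SECTION.match(line)
        if header:
            name, sub = header.groups()
            section = f'{name} "{sub}"' if sub else name
            continue
        key, _, value = (part.strip() for part in line.partition("="))
        key = key.lower()
        if section.startswith("remote") and key in ("url", "pushurl") and "://" in value:
            parts = urlsplit(value)
            # user:secret@host, or a bare token in the user field of an HTTP(S) URL
            if parts.password or (parts.username and parts.scheme in ("http", "https")):
                host = parts.hostname + (f":{parts.port}" if parts.port else "")
                findings.append((section, key, f"{parts.scheme}://***@{host}{parts.path}"))
        elif key == "extraheader" and value.lower().startswith("authorization"):
            findings.append((section, key, value.split(":", 1)[0] + ": ***"))
    return findings

if __name__ == "__main__":
    for finding in audit_git_config(SAMPLE_CONFIG):
        print(finding)
```

Findings are redacted on output so the audit log does not become a second copy of the secret.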

Article by CyberSIXT