Campaign Statistics
A targeted sweep of Guatemala's government digital surface — public git repositories associated with .gob.gt domains — produced the following results. All data was retrieved from repositories that required no authentication to clone or browse.
The .env File That Couldn't Stop Itself
The Ministry of Agriculture (MAGA) runs Guatemala's national agricultural geoportal — a GeoServer-based platform hosting land use maps, irrigation boundaries, municipal zoning layers, and every other piece of geospatial data that informs agricultural policy across the country. When they built a chatbot proxy to answer questions about that data, they stored the configuration file in a git repository. Then they committed it publicly.
The file — .env at the root of geoportal.maga.gob.gt — begins with this comment:
IMPORTANTE: Este archivo NO debe committearse a git / Contiene credenciales sensibles del sistema
It was committed regardless. Inside: the GeoServer admin username and password, which grants full access to GeoServer's REST API. That means the ability to enumerate all published layers, download the complete geospatial dataset, create or delete stores, modify layer configurations, or publish new data under the Ministry of Agriculture's official infrastructure. Also in the file: a PostGIS database password, three variants of an OpenRouter AI API key (including two that were commented out but still present in history), a Hugging Face token, and an OpenWeatherMap API key.
GeoServer's REST API with admin credentials is not a read-only view into the data. It is the management plane. Whoever holds those credentials holds the map.
Critical Findings
GeoServer admin credentials (full REST API), PostGIS database credentials for geoserver_spatial, OpenRouter API key (3 instances), Hugging Face token, and OpenWeatherMap API key all present in a single .env file. The .env's own header comment explicitly forbids committing it to git.
Root-level MySQL credentials for internal server 172.16.1.92, exposing the sincyt (Sistema Nacional de Ciencia y Tecnologia) national research database. MongoDB developer credentials on the same host, JasperReports admin credentials, and a SECRET_TOKEN_KEY also committed. Internal IP address discloses partial SENACYT network topology.
High Severity Findings
The complete PHP source code for ONSEC's national civil service job competition platform — including database credentials for the ceo database (user casillero), civil service applicant workflow code, pension administration logic, and a CTS API connection layer — in a 364 MB public repository. ONSEC manages all competitive appointments across Guatemala's federal government.
docker-compose.yml committed to a public repository with default MySQL root credentials (root/root) for the SARTCA API database backing the human rights commission case management system.
The GeoServer Problem
GeoServer is not a passive data store. It is an active geospatial publishing platform with a REST API that can create, modify, and delete layers and data stores. The admin user holds the highest privilege tier: workspace management, security configuration, store creation, and bulk data export. The REST API endpoint /geoserver/rest/layers returns a full index of every layer the server hosts; /geoserver/rest/workspaces/{name}/datastores returns the connection parameters (including passwords) for every backend data store. Admin credentials are not just a key to the front door. They are a key to every door, and the lock combinations for each one.
Guatemala's agricultural geospatial infrastructure is not classified. But agricultural zoning maps, irrigation district boundaries, and land parcel overlays are the basis for land-use disputes, subsidy allocations, and infrastructure planning. The integrity of those layers matters. An actor with admin access to GeoServer could modify published data silently, in ways that might not be immediately detectable, affecting decisions made downstream by agencies and municipalities that pull from the same tile endpoints.
Targets Audited
Evidence Archive
Ministry of Agriculture chatbot proxy — .env with GeoServer admin, PostGIS, AI keys
National Science Council backend — root DB + MongoDB + JasperReports credentials
Civil Service employment portal — 364 MB full source with database credentials
Human rights commission API — docker-compose with default MySQL credentials
Complete credential inventory with remediation guidance
Methodology and Scope
All data in this report was collected through passive open-source intelligence (OSINT) methods. No credentials were used to authenticate to any system. No databases were accessed, read, or modified. No systems were exploited or disrupted. All git repositories were publicly accessible without authentication at the time of collection (2026-04-02).
Findings were collected, analyzed, and held pending disclosure review before publication. No raw credential values appear in this public-facing report. Full credential details are available in the CREDENTIALS-MASTER.md archive for verified researchers, journalists, and affected parties.