Campaign Statistics
A targeted sweep of Nigeria's government digital surface — public git repositories associated with .gov.ng and .ng domains — produced the following results. All data was retrieved from repositories that required no authentication to clone or browse.
The IPPIS Problem
IPPIS was introduced to solve Nigeria's ghost-worker problem: a prior system where thousands of non-existent employees were drawing salaries from the federal government. By centralizing payroll into a single system, IPPIS was meant to make the books clean. What it did not make clean was its git repository.
git clone https://registration.ippis.gov.ng/.git .
The repository cloned without credentials. Inside: the CodeIgniter PHP application managing the IPPIS registration portal, including admin/application/config/database.php with root credentials for the softalli_new_ippis database. The commented-out block in the same file makes the production credential reuse explicit: host regdb, user ippisuser, same password. One password. Federal payroll.
Then there is the second problem: adminer.php in the web root. Adminer is a single-file PHP database management interface — a complete web-based SQL console. On a government payroll system, with committed database credentials, the presence of adminer.php represents not just a credential leak but a ready-to-use attack surface.
IPPIS was introduced as a transparency measure. The git repository of its registration portal is the most transparent thing about it.
The Developer Who Never Left
NIMASA — the Nigerian Maritime Administration and Safety Agency — had a tiny repository: 8 kilobytes, just a .env and its example. But those 8 KB tell a complete story about what happens when a government agency outsources a system, the contractor deploys it, and no one ever goes back to clean the configuration.
The SENDER_EMAIL for NIMASA's personnel system is [email protected] — a personal Gmail address. The application's frontend URL points to https://pers-390labs.com.ng/ — the developer's own staging domain, not NIMASA's official infrastructure. The Mailgun domain for transactional email is api.rouzo.org — a third-party domain with no visible relationship to NIMASA. And the database name, perslabs_pers_nimasa, carries the contractor's own brand prefix.
This is the configuration of a system where the handoff between contractor and government was never completed, and the production credentials live in the developer's namespace rather than the agency's.
Critical Findings
Root database credentials for softalli_new_ippis committed alongside adminer.php — a web-based SQL console — in the production web root. The commented-out config reveals the production hostname (regdb) and production user (ippisuser) with the same password, confirming these are live production credentials for Nigeria's federal payroll database.
Production database credentials (perslabs_root on perslabs_pers_nimasa), Mailgun secret key, and Laravel APP_KEY committed to a public 8 KB repository. The configuration still points to a third-party contractor's Gmail, staging domain, and email relay — indicating an incomplete infrastructure handover from the developer to the agency.
Five credential types committed in a single .env: MySQL database credentials (lagosjud_live_user on lagosjud_main_db), SMTP email credentials for the judiciary's official address, OpenAI API key and organization ID, Stripe test key set, and Laravel APP_KEY. The OpenAI key is production-format and represents ongoing unauthorized billing risk until revoked.
High Severity Findings
Two separate database credential sets in a single .env: root credentials for a containerized database host (configdb), and an application-level set for the mande database via the HYELLA framework. Third-party developer domain (maybeachtech.com.ng) referenced in the production NWP_DOMAIN configuration.
AWS access key AKIAYD2MKTM4OPNOWQM4 (long-term AKIA-format credential) committed alongside its secret access key. The SQS queue URL reveals the AWS account ID (557968956216) in eu-west-2 region. AKIA-format keys have no automatic expiration and remain valid until manually revoked via the AWS console.
Targets Audited
Evidence Archive
Federal payroll system — 44 MB, database credentials, adminer.php present
Maritime agency personnel system — .env with DB, Mailgun, APP_KEY, contractor artifacts
Court auction platform — DB, email, OpenAI API key, Stripe, APP_KEY
Rivers State IRS payments — AWS AKIA credentials, SQS queue
Complete credential inventory with remediation guidance for all 47 domains
Methodology and Scope
All data in this report was collected through passive open-source intelligence (OSINT) methods. No credentials were used to authenticate to any system. No databases were accessed, read, or modified. No systems were exploited or disrupted. All git repositories were publicly accessible without authentication at the time of collection (2026-04-02).
Findings were collected, analyzed, and held pending disclosure review before publication. No raw credential values appear in this public-facing report. Full credential details are available in the CREDENTIALS-MASTER.md archive for verified researchers, journalists, and affected parties.