Where the Payroll Meets the Public

Nigeria's federal payroll system — the mechanism that pays every civil servant — had its production database credentials committed to a public git repository alongside adminer.php. The maritime agency, the Lagos judiciary, and the Rivers State Internal Revenue Service were also open. Forty-seven domains. No login required.

Views: ...

3 CRITICAL NIGERIA FEDERAL PAYROLL OSINT Investigation

Campaign Statistics

A targeted sweep of Nigeria's government digital surface — public git repositories associated with .gov.ng and .ng domains — produced the following results. All data was retrieved from repositories that required no authentication to clone or browse.

~800 MBEvidence Collected
47Domains Enumerated
3CRITICAL Findings
2HIGH Findings
1Federal Payroll System Exposed
1Adminer.php in Production
1AWS Access Key Committed
5Active Credential Sets

The IPPIS Problem

IPPIS was introduced to solve Nigeria's ghost-worker problem: a prior system where thousands of non-existent employees were drawing salaries from the federal government. By centralizing payroll into a single system, IPPIS was meant to make the books clean. What it did not make clean was its git repository.

git clone https://registration.ippis.gov.ng/.git .

The repository cloned without credentials. Inside: the CodeIgniter PHP application managing the IPPIS registration portal, including admin/application/config/database.php with root credentials for the softalli_new_ippis database. The commented-out block in the same file makes the production credential reuse explicit: host regdb, user ippisuser, same password. One password. Federal payroll.

Then there is the second problem: adminer.php in the web root. Adminer is a single-file PHP database management interface — a complete web-based SQL console. On a government payroll system, with committed database credentials, the presence of adminer.php represents not just a credential leak but a ready-to-use attack surface.

IPPIS was introduced as a transparency measure. The git repository of its registration portal is the most transparent thing about it.

The Developer Who Never Left

NIMASA — the Nigerian Maritime Administration and Safety Agency — had a tiny repository: 8 kilobytes, just a .env and its example. But those 8 KB tell a complete story about what happens when a government agency outsources a system, the contractor deploys it, and no one ever goes back to clean the configuration.

The SENDER_EMAIL for NIMASA's personnel system is [email protected] — a personal Gmail address. The application's frontend URL points to https://pers-390labs.com.ng/ — the developer's own staging domain, not NIMASA's official infrastructure. The Mailgun domain for transactional email is api.rouzo.org — a third-party domain with no visible relationship to NIMASA. And the database name, perslabs_pers_nimasa, carries the contractor's own brand prefix.

This is the configuration of a system where the handoff between contractor and government was never completed, and the production credentials live in the developer's namespace rather than the agency's.

Critical Findings

IPPIS Federal Payroll — Database Credentials + Adminer.php CRITICAL
Domain: registration.ippis.gov.ng System: Nigeria Integrated Payroll and Personnel Information System

Root database credentials for softalli_new_ippis committed alongside adminer.php — a web-based SQL console — in the production web root. The commented-out config reveals the production hostname (regdb) and production user (ippisuser) with the same password, confirming these are live production credentials for Nigeria's federal payroll database.

# database.php — admin/application/config/ 'hostname' => 'localhost', # dev 'username' => 'root', 'password' => '[redacted]', 'database' => 'softalli_new_ippis', # commented production config also present: # 'hostname' => 'regdb', # 'username' => 'ippisuser', # 'password' => '[redacted]', # same password # 'database' => 'softalli_new_ippis', # web root also contains: adminer.php
NIMASA Maritime Agency — Production Credentials in Contractor Namespace CRITICAL
Domain: nimasa.gov.ng System: Nigerian Maritime Administration and Safety Agency PERS personnel system

Production database credentials (perslabs_root on perslabs_pers_nimasa), Mailgun secret key, and Laravel APP_KEY committed to a public 8 KB repository. The configuration still points to a third-party contractor's Gmail, staging domain, and email relay — indicating an incomplete infrastructure handover from the developer to the agency.

APP_NAME=PERS DB_DATABASE=perslabs_pers_nimasa DB_USERNAME=perslabs_root DB_PASSWORD=[redacted] MAILGUN_SECRET=[redacted] MAILGUN_DOMAIN=api.rouzo.org [email protected] # personal Gmail FE_URL=https://pers-390labs.com.ng/ # contractor staging
Lagos State Judiciary Auctions — OpenAI Key, Database, Email, Stripe CRITICAL
Domain: auction.lagosjudiciary.gov.ng System: Lagos State Judiciary court-ordered asset auction platform

Five credential types committed in a single .env: MySQL database credentials (lagosjud_live_user on lagosjud_main_db), SMTP email credentials for the judiciary's official address, OpenAI API key and organization ID, Stripe test key set, and Laravel APP_KEY. The OpenAI key is production-format and represents ongoing unauthorized billing risk until revoked.

DB_DATABASE=lagosjud_main_db DB_USERNAME=lagosjud_live_user DB_PASSWORD=[redacted] [email protected] MAIL_PASSWORD=[redacted] OPENAI_API_KEY=[redacted] OPENAI_ORGANIZATION=[redacted] STRIPE_KEY=pk_test_[redacted] STRIPE_SECRET=sk_test_[redacted]

High Severity Findings

Federal Ministry of Justice M&E — Dual Database Credential Sets HIGH
Domain: mande.justice.gov.ng System: FMOJ Monitoring and Evaluation Reporting MIS (HYELLA framework)

Two separate database credential sets in a single .env: root credentials for a containerized database host (configdb), and an application-level set for the mande database via the HYELLA framework. Third-party developer domain (maybeachtech.com.ng) referenced in the production NWP_DOMAIN configuration.

Rivers State IRS — AWS Long-Term Access Key HIGH
Domain: payments.psirs.gov.ng System: Rivers State Internal Revenue Service payments platform

AWS access key AKIAYD2MKTM4OPNOWQM4 (long-term AKIA-format credential) committed alongside its secret access key. The SQS queue URL reveals the AWS account ID (557968956216) in eu-west-2 region. AKIA-format keys have no automatic expiration and remain valid until manually revoked via the AWS console.

Targets Audited

registration.ippis.gov.ng
Integrated Payroll and Personnel Information System — federal civil service payroll
Size: 44 MB Status: CRITICAL — DB credentials + adminer.php
nimasa.gov.ng
Nigerian Maritime Administration and Safety Agency — PERS personnel system
Size: 8 KB Status: CRITICAL — production .env with DB + Mailgun + APP_KEY
auction.lagosjudiciary.gov.ng
Lagos State Judiciary — court-ordered asset auction platform
Size: ~30 MB Status: CRITICAL — DB + email + OpenAI key + Stripe + APP_KEY
mande.justice.gov.ng
Federal Ministry of Justice — Monitoring and Evaluation MIS
Size: 9.7 MB Status: HIGH — dual DB credential sets committed
payments.psirs.gov.ng
Rivers State Internal Revenue Service — payments platform
Size: ~10 MB Status: HIGH — AWS long-term access key committed

Evidence Archive

IPPIS-REGISTRATION
Federal payroll system — 44 MB, database credentials, adminer.php present
Download
NIMASA-PERS
Maritime agency personnel system — .env with DB, Mailgun, APP_KEY, contractor artifacts
Download
LAGOSJUDICIARY-AUCTION
Court auction platform — DB, email, OpenAI API key, Stripe, APP_KEY
Download
PSIRS-PAYMENTS
Rivers State IRS payments — AWS AKIA credentials, SQS queue
Download
CREDENTIALS-MASTER.md
Complete credential inventory with remediation guidance for all 47 domains
Download

Methodology and Scope

All data in this report was collected through passive open-source intelligence (OSINT) methods. No credentials were used to authenticate to any system. No databases were accessed, read, or modified. No systems were exploited or disrupted. All git repositories were publicly accessible without authentication at the time of collection (2026-04-02).

Findings were collected, analyzed, and held pending disclosure review before publication. No raw credential values appear in this public-facing report. Full credential details are available in the CREDENTIALS-MASTER.md archive for verified researchers, journalists, and affected parties.

Collection: 2026-04-02 | Publication: 2026-06-13 | Country: Nigeria | Domains: 47 | Critical: 3 | High: 2