threat intelligence

Performing Paste Site Monitoring for Credentials

Monitor paste sites like Pastebin and GitHub Gists for leaked credentials, API keys, and sensitive data dumps using automated scraping and keyword matching to detect breaches early.

credential-leakdata-breachearly-warningosintpaste-monitoringpastebinthreat-intelligence
Install this skill
npx skills add mukul975/Anthropic-Cybersecurity-Skills
Framework mappings

Overview

Paste sites (Pastebin, GitHub Gists, Ghostbin, Dpaste, Hastebin) are frequently used as staging areas for leaked credentials, database dumps, API keys, and sensitive data before wider distribution on dark web forums and Telegram channels. Monitoring these sites provides early breach detection, enabling organizations to respond before stolen data is weaponized. This skill covers building automated paste site monitors using the Pastebin Scraping API, keyword-based alerting, credential pattern matching, and integration with incident response workflows.

When to Use

  • When conducting security assessments that involve performing paste site monitoring for credentials
  • When following incident response procedures for related security events
  • When performing scheduled security testing or auditing activities
  • When validating security controls through hands-on testing

Prerequisites

  • Python 3.9+ with requests, beautifulsoup4, regex, pymisp libraries
  • Pastebin PRO account with Scraping API access ($49.95/month for programmatic access)
  • GitHub API token for Gist monitoring
  • Keyword lists specific to your organization (domains, project names, internal terms)
  • Elasticsearch or database for paste storage and search

Key Concepts

Paste Site Threat Landscape

Over 300,000 user credentials are posted on Pastebin annually, averaging 1,000 username/password pairs per leak. Paste sites serve three primary threat intelligence purposes: early breach detection (credentials appear on paste sites before dark web), threat actor profiling (actors use paste sites for C2 configuration, data staging, tool sharing), and malware discovery (encoded payloads, configuration files, C2 addresses).

Monitoring Approaches

Active monitoring queries paste site APIs or scraping endpoints at regular intervals. The Pastebin Scraping API provides real-time access to new public pastes. For GitHub, the search API allows monitoring Gists and repository commits for exposed secrets. Passive monitoring uses services like IntelX, Dehashed, or Have I Been Pwned that aggregate paste site data.

Credential Pattern Detection

Effective monitoring uses regex patterns for email:password combinations, API keys (AWS, Azure, GCP, Stripe, Twilio), database connection strings, private keys (SSH, PGP), JWT tokens, and internal hostnames/URLs. Organization-specific keywords (domain names, product names, employee names) reduce false positives.

Workflow

Step 1: Pastebin Scraping API Monitor

import requests
import re
import json
import time
from datetime import datetime
 
class PastebinMonitor:
    SCRAPING_URL = "https://scrape.pastebin.com/api_scraping.php"
    RAW_URL = "https://scrape.pastebin.com/api_scrape_item.php"
 
    def __init__(self, keywords, output_dir="paste_alerts"):
        self.keywords = [k.lower() for k in keywords]
        self.output_dir = output_dir
        self.seen_keys = set()
        self.credential_patterns = {
            "email_password": re.compile(
                r'[\w.+-]+@[\w-]+\.[\w.]+[\s:;|,]+[\S]{6,}', re.IGNORECASE),
            "aws_key": re.compile(
                r'AKIA[0-9A-Z]{16}'),
            "aws_secret": re.compile(
                r'[0-9a-zA-Z/+=]{40}'),
            "github_token": re.compile(
                r'ghp_[0-9a-zA-Z]{36}'),
            "slack_token": re.compile(
                r'xox[baprs]-[0-9a-zA-Z-]+'),
            "private_key": re.compile(
                r'-----BEGIN (?:RSA |EC |DSA )?PRIVATE KEY-----'),
            "jwt_token": re.compile(
                r'eyJ[A-Za-z0-9-_]+\.eyJ[A-Za-z0-9-_]+\.[A-Za-z0-9-_]+'),
            "connection_string": re.compile(
                r'(?:mongodb|postgres|mysql|redis)://[^\s]+'),
            "api_key_generic": re.compile(
                r'(?:api[_-]?key|apikey|access[_-]?token)[\s]*[=:]\s*["\']?[\w-]{20,}',
                re.IGNORECASE),
        }
 
    def fetch_recent_pastes(self, limit=100):
        """Fetch recent public pastes from Pastebin Scraping API."""
        params = {"limit": limit}
        try:
            resp = requests.get(self.SCRAPING_URL, params=params, timeout=30)
            if resp.status_code == 200:
                pastes = resp.json()
                print(f"[+] Fetched {len(pastes)} recent pastes")
                return pastes
            else:
                print(f"[-] API error: {resp.status_code}")
                return []
        except Exception as e:
            print(f"[-] Fetch error: {e}")
            return []
 
    def get_paste_content(self, paste_key):
        """Get the raw content of a paste."""
        params = {"i": paste_key}
        try:
            resp = requests.get(self.RAW_URL, params=params, timeout=15)
            if resp.status_code == 200:
                return resp.text
            return ""
        except Exception:
            return ""
 
    def analyze_paste(self, content, paste_metadata):
        """Analyze paste content for credentials and keywords."""
        findings = {
            "keyword_matches": [],
            "credential_matches": {},
            "severity": "low",
        }
 
        content_lower = content.lower()
 
        # Check keywords
        for keyword in self.keywords:
            if keyword in content_lower:
                count = content_lower.count(keyword)
                findings["keyword_matches"].append({
                    "keyword": keyword,
                    "count": count,
                })
 
        # Check credential patterns
        for pattern_name, pattern in self.credential_patterns.items():
            matches = pattern.findall(content)
            if matches:
                findings["credential_matches"][pattern_name] = {
                    "count": len(matches),
                    "samples": matches[:3],
                }
 
        # Calculate severity
        cred_count = sum(
            m["count"] for m in findings["credential_matches"].values()
        )
        if findings["keyword_matches"] and cred_count > 0:
            findings["severity"] = "critical"
        elif findings["keyword_matches"]:
            findings["severity"] = "high"
        elif cred_count > 10:
            findings["severity"] = "high"
        elif cred_count > 0:
            findings["severity"] = "medium"
 
        return findings
 
    def monitor_loop(self, interval=120, iterations=None):
        """Continuous monitoring loop."""
        count = 0
        while iterations is None or count < iterations:
            pastes = self.fetch_recent_pastes()
            alerts = []
 
            for paste in pastes:
                paste_key = paste.get("key", "")
                if paste_key in self.seen_keys:
                    continue
                self.seen_keys.add(paste_key)
 
                content = self.get_paste_content(paste_key)
                if not content:
                    continue
 
                findings = self.analyze_paste(content, paste)
                if findings["severity"] != "low":
                    alert = {
                        "paste_key": paste_key,
                        "title": paste.get("title", "Untitled"),
                        "user": paste.get("user", "Anonymous"),
                        "date": paste.get("date", ""),
                        "size": paste.get("size", 0),
                        "url": f"https://pastebin.com/{paste_key}",
                        "findings": findings,
                        "detected_at": datetime.now().isoformat(),
                    }
                    alerts.append(alert)
                    print(f"  [ALERT-{findings['severity'].upper()}] "
                          f"{paste_key}: {findings['keyword_matches']}")
 
            if alerts:
                self._save_alerts(alerts)
 
            count += 1
            if iterations is None or count < iterations:
                time.sleep(interval)
 
        return alerts
 
    def _save_alerts(self, alerts):
        """Save alerts to JSON file."""
        filename = f"{self.output_dir}/alerts_{datetime.now().strftime('%Y%m%d_%H%M%S')}.json"
        import os
        os.makedirs(self.output_dir, exist_ok=True)
        with open(filename, "w") as f:
            json.dump(alerts, f, indent=2)
        print(f"[+] Saved {len(alerts)} alerts to {filename}")
 
monitor = PastebinMonitor(
    keywords=["mycompany.com", "internal-project", "employee-name"],
)
alerts = monitor.monitor_loop(interval=120, iterations=5)

Step 2: GitHub Gist and Code Search Monitoring

class GitHubSecretMonitor:
    def __init__(self, github_token, org_keywords):
        self.token = github_token
        self.keywords = org_keywords
        self.headers = {
            "Authorization": f"token {github_token}",
            "Accept": "application/vnd.github.v3+json",
        }
 
    def search_code(self, query, per_page=30):
        """Search GitHub code for leaked secrets."""
        url = "https://api.github.com/search/code"
        params = {"q": query, "per_page": per_page}
        resp = requests.get(url, headers=self.headers, params=params)
        if resp.status_code == 200:
            results = resp.json().get("items", [])
            print(f"[+] GitHub code search: {len(results)} results for '{query}'")
            return results
        return []
 
    def search_gists(self, keyword):
        """Search public Gists for sensitive data."""
        url = "https://api.github.com/gists/public"
        params = {"per_page": 100}
        resp = requests.get(url, headers=self.headers, params=params)
        matches = []
        if resp.status_code == 200:
            gists = resp.json()
            for gist in gists:
                description = (gist.get("description") or "").lower()
                files = gist.get("files", {})
                for filename, file_info in files.items():
                    if keyword.lower() in description or keyword.lower() in filename.lower():
                        matches.append({
                            "gist_id": gist["id"],
                            "description": gist.get("description", ""),
                            "filename": filename,
                            "url": gist["html_url"],
                            "created_at": gist["created_at"],
                        })
        return matches
 
    def monitor_org_secrets(self, org_domain):
        """Monitor for organization secrets leaked on GitHub."""
        queries = [
            f'"{org_domain}" password',
            f'"{org_domain}" api_key',
            f'"{org_domain}" secret',
            f'"{org_domain}" token',
            f'"{org_domain}" credentials',
        ]
        all_findings = []
        for query in queries:
            results = self.search_code(query)
            for result in results:
                all_findings.append({
                    "query": query,
                    "repo": result.get("repository", {}).get("full_name", ""),
                    "path": result.get("path", ""),
                    "url": result.get("html_url", ""),
                    "score": result.get("score", 0),
                })
            time.sleep(10)  # GitHub rate limiting
        return all_findings
 
gh_monitor = GitHubSecretMonitor("YOUR_GITHUB_TOKEN", ["mycompany.com"])
findings = gh_monitor.monitor_org_secrets("mycompany.com")

Step 3: Alert and Incident Response Integration

def generate_credential_leak_alert(alert_data):
    """Generate incident alert for credential leak detection."""
    alert = {
        "title": f"Credential Leak Detected - {alert_data.get('severity', 'unknown').upper()}",
        "source": alert_data.get("url", ""),
        "detected_at": alert_data.get("detected_at", ""),
        "severity": alert_data.get("severity", "medium"),
        "summary": f"Paste containing organization keywords and credentials found",
        "keyword_matches": alert_data.get("findings", {}).get("keyword_matches", []),
        "credential_types": list(alert_data.get("findings", {}).get("credential_matches", {}).keys()),
        "recommended_actions": [
            "Verify if leaked credentials are valid",
            "Force password reset for affected accounts",
            "Rotate exposed API keys and tokens",
            "Check access logs for unauthorized usage",
            "Report paste for takedown",
            "Update monitoring keywords if new patterns found",
        ],
    }
    return alert

Validation Criteria

  • Pastebin Scraping API queried successfully with rate limiting
  • Credential patterns detected (email:password, API keys, private keys)
  • Organization-specific keywords matched with context
  • GitHub code search identifies exposed secrets
  • Alerts generated with severity classification
  • Integration with incident response workflow

References

Source materials

References and resources

Everything below is rendered for inspection. Script files are read-only and never run.

References 1

api-reference.md1.4 KB

API Reference — Performing Paste Site Monitoring for Credentials

Libraries Used

  • requests: HIBP API v3 for breach and paste lookup
  • re: Credential pattern matching (email:pass, API keys, AWS keys, JWTs)
  • time: Rate limiting for HIBP API (1.6s between requests)

CLI Interface

python agent.py [--api-key <hibp_key>] check --email user@example.com
python agent.py [--api-key <hibp_key>] pastes --email user@example.com
python agent.py [--api-key <hibp_key>] bulk --domain example.com --emails employee_list.txt
python agent.py scan --file paste_dump.txt
python agent.py [--api-key <hibp_key>] report --domain example.com --emails employees.txt

Core Functions

check_haveibeenpwned(email, api_key) — Breach database lookup

Endpoint: GET /api/v3/breachedaccount/{email}

check_paste_dumps(email, api_key) — Paste site exposure check

Endpoint: GET /api/v3/pasteaccount/{email}

bulk_check_domain(domain, email_list_file, api_key) — Organization-wide scan

Rate-limited to 1.6s between requests. Max 50 emails per run.

scan_text_for_credentials(text_file) — Pattern-based credential detection

Patterns: email:password, username:password, API keys, AWS keys (AKIA*), private keys, JWTs.

generate_exposure_report(...) — Executive exposure summary

Rate Limiting

HIBP free tier: ~1 request/1.6 seconds. Agent auto-sleeps between requests.

Dependencies

pip install requests

Scripts 1

agent.py7.0 KB
Display-only source. This catalog never executes bundled scripts.
#!/usr/bin/env python3
"""Agent for performing paste site monitoring for leaked credentials."""

import json
import argparse
import re
import time
from datetime import datetime

try:
    import requests
except ImportError:
    requests = None


def check_haveibeenpwned(email, api_key=None):
    """Check if an email appears in Have I Been Pwned breaches."""
    headers = {"User-Agent": "PasteMonitor-Agent"}
    if api_key:
        headers["hibp-api-key"] = api_key
    try:
        resp = requests.get(f"https://haveibeenpwned.com/api/v3/breachedaccount/{email}",
                            headers=headers, timeout=15)
        if resp.status_code == 200:
            breaches = resp.json()
            return {
                "email": email, "breached": True,
                "breach_count": len(breaches),
                "breaches": [{"name": b["Name"], "date": b["BreachDate"],
                              "data_classes": b["DataClasses"]} for b in breaches[:10]],
            }
        elif resp.status_code == 404:
            return {"email": email, "breached": False}
        else:
            return {"email": email, "error": f"HTTP {resp.status_code}"}
    except Exception as e:
        return {"email": email, "error": str(e)}


def check_paste_dumps(email, api_key=None):
    """Check for email in paste site dumps via HIBP paste API."""
    headers = {"User-Agent": "PasteMonitor-Agent"}
    if api_key:
        headers["hibp-api-key"] = api_key
    try:
        resp = requests.get(f"https://haveibeenpwned.com/api/v3/pasteaccount/{email}",
                            headers=headers, timeout=15)
        if resp.status_code == 200:
            pastes = resp.json()
            return {
                "email": email, "found_in_pastes": True,
                "paste_count": len(pastes),
                "pastes": [{"source": p.get("Source"), "title": p.get("Title", "")[:100],
                            "date": p.get("Date"), "email_count": p.get("EmailCount")}
                           for p in pastes[:15]],
            }
        elif resp.status_code == 404:
            return {"email": email, "found_in_pastes": False}
        else:
            return {"email": email, "error": f"HTTP {resp.status_code}"}
    except Exception as e:
        return {"email": email, "error": str(e)}


def bulk_check_domain(domain, email_list_file, api_key=None):
    """Check all emails from a domain for breach exposure."""
    from pathlib import Path
    emails = [e.strip() for e in Path(email_list_file).read_text().splitlines() if e.strip() and domain in e]
    results = []
    for email in emails[:50]:
        result = check_haveibeenpwned(email, api_key)
        results.append(result)
        time.sleep(1.6)
    breached = [r for r in results if r.get("breached")]
    return {
        "domain": domain,
        "emails_checked": len(results),
        "breached_accounts": len(breached),
        "exposure_rate": round(len(breached) / max(len(results), 1) * 100, 1),
        "results": results,
    }


def scan_text_for_credentials(text_file):
    """Scan a text file (paste dump) for credential patterns."""
    from pathlib import Path
    content = Path(text_file).read_text(encoding="utf-8", errors="replace")
    patterns = {
        "email_password": re.compile(r"([a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,})\s*[:|;]\s*(\S+)"),
        "username_password": re.compile(r"(?:user(?:name)?|login)\s*[:|=]\s*(\S+)\s+(?:pass(?:word)?)\s*[:|=]\s*(\S+)", re.I),
        "api_key": re.compile(r"(?:api[_-]?key|apikey|access[_-]?token)\s*[:|=]\s*['\"]?([a-zA-Z0-9_\-]{20,})['\"]?", re.I),
        "aws_key": re.compile(r"AKIA[0-9A-Z]{16}"),
        "private_key": re.compile(r"-----BEGIN (?:RSA |EC )?PRIVATE KEY-----"),
        "jwt_token": re.compile(r"eyJ[a-zA-Z0-9_-]+\.eyJ[a-zA-Z0-9_-]+\.[a-zA-Z0-9_-]+"),
    }
    findings = {}
    for name, pattern in patterns.items():
        matches = pattern.findall(content)
        if matches:
            if isinstance(matches[0], tuple):
                findings[name] = [{"match": m[0][:50]} for m in matches[:20]]
            else:
                findings[name] = [{"match": m[:50]} for m in matches[:20]]
    domains = re.findall(r"@([a-zA-Z0-9.-]+\.[a-zA-Z]{2,})", content)
    domain_counts = {}
    for d in domains:
        domain_counts[d] = domain_counts.get(d, 0) + 1
    return {
        "file": text_file,
        "credential_types_found": list(findings.keys()),
        "total_matches": sum(len(v) for v in findings.values()),
        "findings": findings,
        "affected_domains": dict(sorted(domain_counts.items(), key=lambda x: -x[1])[:15]),
    }


def generate_exposure_report(domain, email_list_file, api_key=None):
    """Generate credential exposure report for an organization."""
    bulk = bulk_check_domain(domain, email_list_file, api_key)
    return {
        "generated": datetime.utcnow().isoformat(),
        "domain": domain,
        "summary": {
            "emails_checked": bulk["emails_checked"],
            "breached": bulk["breached_accounts"],
            "exposure_rate": bulk["exposure_rate"],
        },
        "recommendations": [
            "Force password reset for all breached accounts",
            "Enable MFA for all accounts",
            "Monitor for credential stuffing attacks",
            "Implement password breach detection (e.g., Azure AD Password Protection)",
        ],
        "details": bulk["results"][:20],
    }


def main():
    if not requests:
        print(json.dumps({"error": "requests not installed"}))
        return
    parser = argparse.ArgumentParser(description="Paste Site Credential Monitoring Agent")
    parser.add_argument("--api-key", help="HIBP API key")
    sub = parser.add_subparsers(dest="command")
    c = sub.add_parser("check", help="Check single email")
    c.add_argument("--email", required=True)
    p = sub.add_parser("pastes", help="Check paste dumps")
    p.add_argument("--email", required=True)
    b = sub.add_parser("bulk", help="Bulk domain check")
    b.add_argument("--domain", required=True)
    b.add_argument("--emails", required=True, help="Email list file")
    s = sub.add_parser("scan", help="Scan text for credentials")
    s.add_argument("--file", required=True)
    r = sub.add_parser("report", help="Exposure report")
    r.add_argument("--domain", required=True)
    r.add_argument("--emails", required=True)
    args = parser.parse_args()
    api_key = args.api_key if hasattr(args, "api_key") else None
    if args.command == "check":
        result = check_haveibeenpwned(args.email, api_key)
    elif args.command == "pastes":
        result = check_paste_dumps(args.email, api_key)
    elif args.command == "bulk":
        result = bulk_check_domain(args.domain, args.emails, api_key)
    elif args.command == "scan":
        result = scan_text_for_credentials(args.file)
    elif args.command == "report":
        result = generate_exposure_report(args.domain, args.emails, api_key)
    else:
        parser.print_help()
        return
    print(json.dumps(result, indent=2, default=str))


if __name__ == "__main__":
    main()
Keep exploring