Hi Samanyu,
I found what appears to be a live OpenAI API key embedded in a public release APK for your Durga Idol Maker project.
Affected repo: https://github.com/Samanyu-dev/durgapuja
Affected release: v1.0.0
Affected asset: app-release.apk
APK SHA256: 597b600c1fade63421b9ba1044ca1477d43570d6aec92119d898b6f91b540503
I am not posting the secret value publicly. Sanitized identifier:
- key fingerprint: 369b21081467b969
- key suffix: 4z_hEA
Likely locations inside APK:
- lib/arm64-v8a/libapp.so
- lib/armeabi-v7a/libapp.so
- lib/x86_64/libapp.so
Recommended immediate actions:
- Revoke/rotate the affected OpenAI key.
- Remove or replace the public APK release asset.
- Rebuild the app without embedding provider API keys in the client.
- Move OpenAI calls behind a backend endpoint.
- Review OpenAI usage/billing logs around the exposure window.
Sharing this privately/respectfully so you can fix it cleanly.
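A release-gate check of the kind the recommendations above imply, added here as an example that is not part of the original report or of the project's own code: it opens a build's APK as a zip, scans the Flutter `lib/<abi>/libapp.so` libraries and `assets/` for OpenAI-style key strings, and fails the pipeline on any hit, printing only a redacted form so the report itself does not leak the secret. The key pattern, the ABI/asset paths and the constructed sample APK are assumptions for demonstration.

```python
import io
import re
import zipfile

# Assumption: OpenAI-style secrets look like "sk-" followed by a long token.
# Broaden this list for other providers your app talks to.
OPENAI_KEY_RE = re.compile(rb"sk-[A-Za-z0-9_\-]{20,}")


def redact(token: bytes) -> str:
    """Keep only prefix and last six characters so findings are safe to share."""
    s = token.decode("ascii", "replace")
    return f"{s[:3]}...{s[-6:]}"


def scan_apk_for_keys(apk_bytes: bytes) -> dict:
    """Return {member path: [redacted matches]} for every native library or
    asset inside the APK that embeds an OpenAI-style key."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        for name in apk.namelist():
            # Flutter ships Dart AOT code (and any string literals in it)
            # in lib/<abi>/libapp.so; bundled files live under assets/.
            if not (name.startswith("lib/") or name.startswith("assets/")):
                continue
            data = apk.read(name)
            hits = [redact(m.group(0)) for m in OPENAI_KEY_RE.finditer(data)]
            if hits:
                findings[name] = hits
    return findings


def build_sample_apk(secret: bytes) -> bytes:
    """Construct a minimal fake APK (a zip) whose arm64 libapp.so embeds the
    given bytes among ELF-looking filler. Test data only, not a real app."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("AndroidManifest.xml", b"<manifest/>")
        z.writestr("lib/arm64-v8a/libapp.so",
                   b"\x7fELF" + b"\x00" * 16 + secret + b"\x00" * 8)
        z.writestr("lib/x86_64/libapp.so", b"\x7fELF" + b"\x00" * 24)
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed placeholder key, not a real credential.
    sample = build_sample_apk(b"sk-EXAMPLE0123456789abcdefghijKLMNOP")
    result = scan_apk_for_keys(sample)
    for path, hits in result.items():
        print(f"{path}: {hits}")
    raise SystemExit(1 if result else 0)  # non-zero exit blocks the release
```

In a real pipeline, feed the script the freshly built `app-release.apk` instead of the constructed sample; a zero exit means no provider key pattern was found in the client bundle.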