Category: Coding Mistakes
Production credentials in Git source repositories
Low Severity
Low Impact
High Likelihood
Description
The file witness-sdk/src/providers/irs/irs-address.ts was found to contain a credential for a proxy service, embedded as a request header literal:
'Authorization: Basic VTA...TZa',
Impact
If the Reclaim source code is ever publicly released, an attacker may compromise Reclaim's proxy service credentials.
Recommendations
The credential should be rotated, removed from the Git repository, and instead moved into an environment variable.
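The following TypeScript is an added example illustrating the recommendation above; it is not code from the witness-sdk or Reclaim code base. It shows the hardcoded header pattern the finding describes next to a hardened replacement that assembles the header from environment variables and refuses to run when they are absent, plus a small scanner of the kind a pre-commit hook can run to catch the pattern before it is committed. The variable names PROXY_USER and PROXY_PASS, the function names, and the sample source text (with a placeholder token, not a real credential) are all assumptions made for this example.

```typescript
// Added example, not part of the original finding or the audited project.
// Names (proxyAuthHeader, findHardcodedBasicAuth, PROXY_USER, PROXY_PASS)
// are assumptions for illustration.

export class MissingCredentialError extends Error {}

/**
 * Hardened form: the proxy credential is read from the process environment at
 * runtime and never appears in source. Fails closed when either half is unset
 * so a misconfigured deployment cannot silently fall back to an empty header.
 */
export function proxyAuthHeader(env: Record<string, string | undefined>): string {
  const user = env.PROXY_USER;
  const pass = env.PROXY_PASS;
  if (!user || !pass) {
    throw new MissingCredentialError(
      'PROXY_USER and PROXY_PASS must be set; refusing to build proxy auth header'
    );
  }
  // HTTP Basic is base64(user ":" password); the secret stays out of the repo.
  return 'Basic ' + Buffer.from(`${user}:${pass}`, 'utf8').toString('base64');
}

/**
 * Detection: flag source lines that embed a Basic credential as a literal
 * (the pattern this finding reports). Intended for a pre-commit or CI check.
 * Only base64-looking tokens of 8+ characters match, so placeholders such as
 * 'Basic <TOKEN>' are not reported.
 */
export function findHardcodedBasicAuth(source: string): Array<{ line: number; text: string }> {
  const basicLiteral = /Authorization:\s*Basic\s+[A-Za-z0-9+/=]{8,}/;
  const hits: Array<{ line: number; text: string }> = [];
  source.split('\n').forEach((text, i) => {
    if (basicLiteral.test(text)) hits.push({ line: i + 1, text: text.trim() });
  });
  return hits;
}

// Constructed sample source (not the real irs-address.ts). Line 3 mirrors the
// vulnerable pattern with a placeholder token ("user:pass" in base64, not a
// real secret); line 5 shows the hardened call, which the scanner leaves alone.
export const SAMPLE_SOURCE = [
  'const headers = {',
  "  'Content-Type': 'application/json',",
  "  'Authorization: Basic dXNlcjpwYXNz',",
  '};',
  'const safeHeaders = { Authorization: proxyAuthHeader(process.env) };',
].join('\n');
```

In a real service the caller passes `process.env` to `proxyAuthHeader`. Note that deleting the literal from the working tree does not remove it from Git history, which is why rotating the credential is the step that actually neutralizes the exposure; the scanner is there to stop the next one from being committed.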
Remediation
This issue has been acknowledged by CreatorOS Inc, and the credentials have been revoked.