Threat actors are looking for API tokens, passwords, and database logins usually stored in ENV files.