
· devops security credentials ai cicd github secrets-management digital-security

29 Million Secrets Leaked to GitHub in 2025: AI Coding Tools Are Doubling the Rate of Credential Exposure

Source: GitGuardian / The Hacker News / Help Net Security

GitGuardian’s annual State of Secrets Sprawl report for 2026 documents the largest single-year increase in hardcoded credential leaks since the report series began. The findings reflect how the rapid adoption of AI coding tools has introduced exposure patterns that traditional secrets management approaches were not built to address.

The headline numbers

28.65 million new hardcoded secrets appeared in public GitHub commits in 2025, a 34 percent increase year over year. Across internal repositories the situation is considerably worse: 32.2 percent of private repositories contain at least one hardcoded secret, compared to 5.6 percent of public repositories. Internal repos are roughly six times more likely to contain hardcoded credentials than their public equivalents, presumably because developers treat a private repository as a safe place for credentials that they would never push publicly.

The number that deserves direct attention from security and engineering leadership is 64 percent. That is the share of valid secrets from 2022 that have never been revoked. These are credentials that were found years ago and are still active. That is not a detection problem. Organisations are finding the secrets and not acting on them, most often because the governance processes required to achieve repeatable, scalable remediation do not exist.

AI coding tools as a new leakage vector

GitGuardian’s data shows that AI-assisted commits, those submitted by developers using tools such as GitHub Copilot, Cursor, or Claude Code, leak secrets at a rate of 3.2 percent. The baseline rate for manually written commits is approximately half that.

The increase is not because AI tools inject credentials themselves. It reflects the workflow change that AI-assisted development produces: faster iteration, more automated scaffolding generation, and shorter cognitive cycles between writing credential-handling code and committing it. Developers working at AI-assisted speed apply less friction to each commit, and friction is precisely what tends to catch hardcoded secrets before they leave the local environment.

AI service credentials specifically are accelerating: 1,275,105 AI service credentials appeared in public repositories in 2025, an 81 percent increase from 2024. As organisations adopt AI tools for production workloads, the API keys and service tokens that grant access to those tools become the credentials most worth stealing.

MCP configuration files as an emerging exposure surface

24,008 unique secrets were found in MCP configuration files across public repositories. This finding is directly relevant to the current wave of MCP adoption in enterprise DevOps environments.

MCP configuration files are not application code in the conventional sense. They are configuration artifacts that connect AI agents to external tools and services, and they are generated by developer tooling in ways that do not always trigger the same review habits that developers apply to source files. A developer who would never hardcode an API key into application code may generate an MCP configuration file that stores that key in plaintext and commit it without the same instinct to audit before pushing.

As MCP becomes a standard interface for AI agents in development workflows, MCP configuration files become a new category of secret-bearing artifact that organisations need to scan alongside traditional source code.

CI/CD infrastructure as the primary compromise target

59 percent of machines compromised through credential theft in 2025 were CI/CD runners rather than personal workstations. This is the figure that should drive threat modelling for DevOps teams.

A compromised developer laptop is a serious incident. A compromised CI/CD runner can access every deployment credential, cloud provider key, and container registry token the pipeline uses across every project it serves, often under service account identities that do not trigger the anomalous-login alerts designed to catch human account compromise. The blast radius of a runner compromise is not comparable to the blast radius of a single developer machine.

What remediation actually requires

Detection alone does not close the exposure. GitGuardian is explicit in the report about why: 64 percent of secrets from 2022 that were detected at the time remain valid and unrevoked four years later. The gap between finding a leaked secret and revoking and rotating it is an organisational and process gap, not a tooling one.

The same report notes that 28 percent of incidents originate from leaks in collaboration and productivity tools rather than repositories. Slack messages, Confluence pages, Jira comments, and internal wikis contain credentials at rates that most security programmes do not measure. Source code scanning alone misses more than a quarter of the problem.
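The three findings above, that hardcoded secrets leave the local environment when commits lose friction, that MCP configuration files carry credentials without triggering code-review habits, and that more than a quarter of leaks live in chat and wiki tools, all point at the same control: run the same detectors over every artifact type, not just source files. The following is an added example, not GitGuardian's code or any vendor's product: a minimal scanner that applies a handful of pattern detectors plus an entropy check to a source file, an MCP configuration JSON and an exported chat transcript. The detector patterns, the entropy threshold, the `mcpServers`/`env`/`headers` layout and every sample value are constructed assumptions for illustration; production scanners carry hundreds of tuned detectors.

```python
# Added example, not GitGuardian's or any vendor's code: one small scanner run over the
# three artifact types named above (source files, MCP config JSON, chat exports). The
# detector patterns, entropy threshold and `mcpServers` layout are illustrative assumptions.
import json
import math
import re
from collections import Counter, namedtuple

# A capture group marks the secret part of a match (otherwise the whole match is it).
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "openai_style_key": re.compile(r"\bsk-[A-Za-z0-9_-]{20,}\b"),
    "url_embedded_credential": re.compile(r"://[^/\s:@]+:([^@\s/]{8,})@"),
    "bearer_token": re.compile(r"(?i)\bbearer\s+([A-Za-z0-9._\-]{16,})"),
}
# `api_key = "..."` / `password: ...`; the value is entropy-checked afterwards so that
# placeholders such as "changeme" are not reported.
ASSIGNMENT = re.compile(
    r"(?i)(api[_-]?key|secret|token|password)\w*\s*[:=]\s*['\"]?([A-Za-z0-9_\-/+=]{16,})")
ENTROPY_THRESHOLD = 3.5  # assumed cut-off, bits per character
MIN_SECRET_LEN = 16
# `redacted` keeps a 4-char prefix only, so a finding can be logged without re-leaking.
Finding = namedtuple("Finding", "artifact location detector redacted")

def shannon_entropy(s: str) -> float:
    """Bits per character: random tokens score high, words and placeholders low."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0

def classify(text: str, check_whole: bool = False):
    """(detector, secret) or None. Known formats win; otherwise an assignment value
    (or, with check_whole, the entire string) must be long and high-entropy."""
    for name, rx in PATTERNS.items():
        m = rx.search(text)
        if m:
            return name, m.group(m.lastindex or 0)
    m = ASSIGNMENT.search(text)
    candidate = m.group(2) if m else (text if check_whole else "")
    if len(candidate) >= MIN_SECRET_LEN and shannon_entropy(candidate) >= ENTROPY_THRESHOLD:
        return "high_entropy_string", candidate
    return None

def finding(artifact, location, hit):
    return Finding(artifact, location, hit[0], f"{hit[1][:4]}...({len(hit[1])} chars)")

def scan_lines(artifact: str, text: str) -> list:
    """Source files and chat exports: at most one finding per line."""
    hits = ((no, classify(line)) for no, line in enumerate(text.splitlines(), 1))
    return [finding(artifact, f"line {no}", h) for no, h in hits if h]

def json_strings(node, path=""):
    """Yield (json_path, value) for every string leaf of a parsed JSON document."""
    if isinstance(node, dict):
        for k, v in node.items():
            yield from json_strings(v, f"{path}.{k}" if path else k)
    elif isinstance(node, list):
        for i, v in enumerate(node):
            yield from json_strings(v, f"{path}[{i}]")
    elif isinstance(node, str):
        yield path, node

def scan_mcp_config(artifact: str, text: str) -> list:
    """Known formats anywhere (args, urls); the entropy check only on env and header
    values, where prose-like false positives are unlikely."""
    hits = ((p, classify(v, check_whole=bool(re.search(r"\.(env|headers)\.", p))))
            for p, v in json_strings(json.loads(text)))
    return [finding(artifact, p, h) for p, h in hits if h]

def scan_all(artifacts: dict) -> list:
    """Dispatch on artifact type; an MCP config is recognised by its mcpServers key."""
    return [f for name, text in artifacts.items() for f in (
        scan_mcp_config(name, text) if name.endswith(".json") and '"mcpServers"' in text
        else scan_lines(name, text))]

def count_by_artifact(findings: list) -> dict:
    return dict(Counter(f.artifact for f in findings))

# Constructed sample input; every secret-looking value is made up for this example.
SAMPLE_ARTIFACTS = {
    "app.py": 'import os\nOPENAI_API_KEY = "sk-proj-9f3KpQ2vLm8XwZ4nRt6YbC1sDe5HgJ7u"\n'
              'DB_PASSWORD = "changeme_changeme"  # low-entropy placeholder, not reported\n',
    "mcp.json": json.dumps({"mcpServers": {
        "github": {"command": "github-mcp-server", "args": ["stdio"], "env": {
            "GITHUB_PERSONAL_ACCESS_TOKEN": "ghp_AbCdEfGhIjKlMnOpQrStUvWxYz0123456789",
            "LOG_LEVEL": "debug"}},
        "db": {"command": "postgres-mcp", "args": [
            "--dsn", "postgresql://app:9f3KpQ2vLm8XwZ4nRt6YbC1sDe5HgJ7u@db.internal/app"]},
        "remote": {"url": "https://mcp.example.internal/sse",
                   "headers": {"Authorization": "Bearer 9f3KpQ2vLm8XwZ4nRt6YbC1sDe5HgJ7u"}}}}),
    "slack-export.txt":
        "[2025-03-04 10:12] alice: staging creds for the load test: AKIAXXXXEXAMPLE00001\n"
        "[2025-03-04 10:13] bob: and the db password: 9f3KpQ2vLm8XwZ4nRt6YbC1sDe5HgJ7u\n"
        "[2025-03-04 10:15] carol: thanks, rotating it after the test\n",
}

if __name__ == "__main__":
    for f in scan_all(SAMPLE_ARTIFACTS):
        print(f"{f.artifact} {f.location}: {f.detector} {f.redacted}")
```

Run stand-alone it reports six findings: one in the source file, three in the MCP config (a token in `env`, a password embedded in a connection string passed as an argument, and a bearer token in a header) and two in the chat export. Two design points matter in practice: the entropy check is applied only to assignment values and to `env`/`header` values, because short English strings score close to the threshold and would otherwise flood the output with prose; and findings are redacted at creation time, because a scanner that logs the full secret into a ticketing system has simply created the kind of collaboration-tool leak the report measures. Anything the scanner reports still has to go through revocation and rotation; detection on its own changes none of the 64 percent figure.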

For European organisations, the risk landscape here intersects with both GDPR and the NIS2 Directive. Hardcoded credentials in repositories or collaboration tools represent a category of inadequate technical measure that regulators can and do treat as a compliance failure when those credentials are subsequently exploited in a breach.

If your organisation is building or reviewing secrets management governance, addressing CI/CD credential hygiene, or assessing exposure from AI coding tool adoption across your engineering teams, contact Excello Digital. We help engineering and security teams implement repeatable secrets management processes that scale as AI-assisted development becomes the baseline.

These news items are automatically aggregated from industry sources and are not individually reviewed. Any inaccuracies are unintentional — let us know and we'll correct or remove it.
