- GitGuardian Report Warns AI-Powered Coding Leaks Secrets at Record Rate
- 29 million credentials exposed on GitHub in 2025, up 34% year-over-year
- AI-Assisted Commits Leak at Double the Baseline Rate, MCP Setups Fuel Exposures
Vibe coding may seem great for shipping products quickly, but inexperienced developers are leaving gaping holes in cybersecurity that are leading to breaches and exposures left and right. This is according to GitGuardian’s latest “State of Secrets Sprawl” report, which was just published.
In the report, the organization said that 2025 was the year in which AI adoption “permanently changed” software engineering. That year, there was a 43% year-on-year increase in public commits, growing at least twice as fast as before.
An increase in commits also means an increase in secrets, and since 2021 these have grown about 1.6 times faster than the active developer population. Additionally, secret leak rates in AI-assisted code were about double the baseline for all of GitHub.
Claude Code, MCP configurations and other risks
“Together, these forces drove a +34% year-over-year increase in newly leaked secrets on GitHub, reaching ~29 million detected secrets overall, marking the largest single-year jump ever recorded,” the organization said in a press release.
Of all the different vulnerabilities that can be found in AI-generated code, exposed credentials remain the biggest path to compromise, says GitGuardian. Commits created with Claude Code apparently leaked secrets at about 3.2%, which is twice the baseline, and credential leaks from AI services appear to be accelerating the fastest. Leaks linked to AI services increased 81% year over year and are “more likely” to escape protections.
GitGuardian specifically highlighted the risk of Model Context Protocol (MCP) configuration. The report says that MCP server documentation often recommends placing credentials in configuration files, which is a risky pattern that contributed to more than 24,000 secrets being exposed.
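As an added illustration (not code from GitGuardian or the report), the check below scans an MCP client configuration for literal credentials in `env` entries and command-line `args`. It assumes the `mcpServers` JSON layout used by common MCP clients and treats a bare `${VAR}` placeholder as a reference the client resolves; the server names, key names and values in the sample are constructed.

```python
import json
import re

# Key names that usually carry credentials (heuristic, an assumption of this example).
SECRET_NAME = re.compile(r"(token|secret|passw(or)?d|api[_-]?key|credential)", re.I)
# A value made only of a ${...} placeholder is a reference, not a literal.
REFERENCE = re.compile(r"^\$\{[^}]+\}$")
# Command-line flags of the form --api-key=value or --token value.
FLAG = re.compile(r"^--?([\w-]+)(?:=(.*))?$")


def find_hardcoded_secrets(config_text):
    """Return sorted (server, location, name) tuples for literal credentials."""
    findings = []
    servers = json.loads(config_text).get("mcpServers", {})
    for server, spec in servers.items():
        for name, value in (spec.get("env") or {}).items():
            if SECRET_NAME.search(name) and value and not REFERENCE.match(str(value)):
                findings.append((server, "env", name))
        args = [str(a) for a in spec.get("args") or []]
        for i, arg in enumerate(args):
            m = FLAG.match(arg)
            if not m or not SECRET_NAME.search(m.group(1)):
                continue
            # Value is either inline (--flag=value) or the next argument.
            nxt = args[i + 1] if i + 1 < len(args) else ""
            value = m.group(2) if m.group(2) is not None else nxt
            if value and not REFERENCE.match(value):
                findings.append((server, "args", m.group(1)))
    return sorted(findings)


# Constructed sample config; server names and values are made up.
SAMPLE = json.dumps({
    "mcpServers": {
        "tickets": {"command": "npx", "args": ["-y", "example-tickets-mcp"],
                    "env": {"TICKETS_API_KEY": "EXAMPLE-not-a-real-key", "LOG_LEVEL": "info"}},
        "search": {"command": "example-search-mcp", "args": ["--token", "EXAMPLE-literal"],
                   "env": {"SEARCH_REGION": "eu"}},
        "db": {"command": "example-db-mcp", "args": ["--password=${DB_PASSWORD}"],
               "env": {"DB_TOKEN": "${DB_TOKEN}"}},
    }
})

if __name__ == "__main__":
    for server, location, name in find_hardcoded_secrets(SAMPLE):
        print(f"{server}: literal credential in {location} ({name}); value not printed")
```

The findings name the server and key only, so the scanner's own output never repeats the secret into logs or CI history.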
The report further explains that internal repositories are six times more likely to contain hardcoded secrets than public ones, and highlights that more than a quarter (28%) of incidents originate from leaks in collaboration and productivity tools.
Finally, as AI agents gain deeper local access, prompt injection and supply chain attacks are becoming more disruptive:
“AI agents need local credentials to connect between systems, turning developers’ laptops into a massive attack surface. We built our identity inventory and local scanning tool to protect them. Security teams need to map exactly which machines contain which secrets, uncovering critical weaknesses like overprivileged access and exposed production keys,” said Eric Fourrier, CEO of GitGuardian.




