- GitGuardian report warns that AI-powered coding is leaking secrets at a record rate
- In 2025, 29 million credentials were exposed on GitHub, a +34% jump from the previous year.
- AI-assisted code shows double the baseline leak rate, with MCP setups fueling exposures
Vibe-coding may seem ideal for shipping products quickly, but inexperienced developers leave gaping cybersecurity holes that cause breaches and exposures left and right. This is according to GitGuardian’s latest report, the just-published “State of Secrets Sprawl” document.
In the report, GitGuardian states that 2025 was the year in which AI adoption would “permanently change” software engineering. That year, public commits grew by 43% over the previous year, a rate at least twice as fast as before.
More commits also means more secrets: since 2021, exposed secrets have grown roughly 1.6 times faster than the active developer population. Secret leak rates in AI-assisted code were also approximately double the GitHub-wide benchmark.
Claude Code, MCP configurations and other risks
“Together, these forces drove a +34% year-over-year increase in new secrets disclosed on GitHub, reaching approximately 29 million secrets detected in total, marking the largest single-year jump on record,” the organization said in a press release.
Among all the different vulnerabilities that can be found in AI-generated code, exposed credentials remain the primary route to compromise, explains GitGuardian. Commits built with Claude Code have apparently leaked secrets at around 3.2%, twice the baseline, and leaks of credentials from AI services appear to be accelerating the fastest. Leaks related to AI services increased by 81% year-over-year and are “more likely” to slip through protections.
GitGuardian has specifically identified Model Context Protocol (MCP) configuration risk. The report states that MCP server documentation often recommends placing credentials in configuration files, a risky model that has contributed to the exposure of more than 24,000 secrets.
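The MCP configuration risk described above comes down to where the credential lives. As an added illustration (not GitGuardian's code or any MCP server's official documentation), the following Python shows a constructed MCP client configuration of the kind such docs tend to recommend, with a made-up token pasted straight into the file, beside a hardened form that only names environment variables, and a small checker of the sort a pre-commit hook could run to flag literal secret values before they reach git. The server name, package name, `${VAR}` placeholder syntax and token strings are all assumptions; whether a given MCP client expands `${VAR}` references itself varies by client, so in practice the hardened file may need a launcher script that injects the values from the environment or a secret manager.

```python
import json
import re
import sys

# Constructed sample: an MCP client config with credentials pasted in
# directly. The server, package and token values are made-up placeholders.
WEAK_MCP_CONFIG = json.dumps({
    "mcpServers": {
        "example-db": {
            "command": "npx",
            "args": ["-y", "@example/mcp-db-server"],
            "env": {
                "DB_PASSWORD": "hunter2-plaintext-password",
                "API_TOKEN": "ghp_EXAMPLEexampleEXAMPLE1234567890ABCD"
            }
        }
    }
}, indent=2)

# Hardened form (assumed syntax): the file only names the variables, so the
# real values come from the process environment at launch and never land
# in a repository or a shared config directory.
HARDENED_MCP_CONFIG = json.dumps({
    "mcpServers": {
        "example-db": {
            "command": "npx",
            "args": ["-y", "@example/mcp-db-server"],
            "env": {
                "DB_PASSWORD": "${DB_PASSWORD}",
                "API_TOKEN": "${API_TOKEN}"
            }
        }
    }
}, indent=2)

# Keys whose values are usually secrets (case-insensitive substring match).
SENSITIVE_KEY = re.compile(r"(pass(word)?|secret|token|api[_-]?key|credential)", re.I)

# A value that is only a reference to an environment variable, not a literal.
ENV_REF = re.compile(r"^\$\{?[A-Z_][A-Z0-9_]*\}?$")


def find_hardcoded_secrets(config_text: str) -> list[str]:
    """Return the dotted JSON paths of sensitive keys whose value is a literal.

    Walks the whole document, so it also catches secrets hidden under keys
    other than "env" (headers, url query strings stored as values, etc.).
    """
    findings: list[str] = []

    def walk(node, path):
        if isinstance(node, dict):
            for key, value in node.items():
                walk(value, path + [key])
        elif isinstance(node, list):
            for index, value in enumerate(node):
                walk(value, path + [str(index)])
        elif isinstance(node, str):
            key = path[-1] if path else ""
            # Flag a literal value under a sensitive key; an empty string or
            # an environment reference is fine.
            if SENSITIVE_KEY.search(key) and node and not ENV_REF.match(node):
                findings.append(".".join(path))

    walk(json.loads(config_text), [])
    return findings


def check_config_file(path: str) -> int:
    """Pre-commit style check: print findings, return 1 if any, else 0."""
    with open(path, encoding="utf-8") as handle:
        findings = find_hardcoded_secrets(handle.read())
    for location in findings:
        print(f"{path}: literal secret at {location}", file=sys.stderr)
    return 1 if findings else 0


if __name__ == "__main__":
    if len(sys.argv) > 1:
        sys.exit(max(check_config_file(p) for p in sys.argv[1:]))
    # Stand-alone demonstration on the constructed samples.
    print("weak config:", find_hardcoded_secrets(WEAK_MCP_CONFIG))
    print("hardened config:", find_hardcoded_secrets(HARDENED_MCP_CONFIG))
```

Run with one or more config paths as arguments to use it as a hook that blocks the commit on a non-zero exit; run with no arguments to see the two constructed samples compared. The key-name heuristic is deliberately simple and is a complement to, not a replacement for, a pattern-based scanner that recognises provider-specific token formats.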
The document further explains that internal repositories are six times more likely to contain hardcoded secrets than public repositories, and highlights that more than a quarter (28%) of incidents come from leaks in collaboration and productivity tools.
Finally, as AI agents gain deeper local access, prompt injection and supply chain attacks are becoming increasingly disruptive:
“AI agents need local credentials to connect between systems, turning developers’ laptops into a massive attack surface. We built our local identity analysis and inventory tool to protect them. Security teams need to determine exactly which machines hold which secrets, highlighting critical weaknesses like overprivileged access and exposed production keys,” said Eric Fourrier, CEO of GitGuardian.