- The GitGuardian report warns that AI-powered coding is leaking secrets at a record pace
- In 2025, 29 million exposed credentials on GitHub, +34% year-over-year
- AI-assisted commits double baseline leak rates, with MCP configurations fueling exposures
Vibe coding may seem great for quick product shipping, but inexperienced developers leave gaping cybersecurity holes that cause breaches and exposures left and right. This is according to GitGuardian’s latest report, “State of Secrets Sprawl”, which was just released.
In the research paper, the organization said 2025 was the year when AI adoption “permanently changed” software technology. That year saw a 43% year-on-year increase in public liabilities, growing at least twice as fast as before.
An increase in commits also means an increase in secrets, and since 2021 these have grown about 1.6 times faster than the active developer population. Also, secret leak rates in AI-assisted code were roughly double the GitHub-wide baseline.
ClaudeCode, MCP configurations and other risks
“Together, these forces drove a +34% year-over-year increase in newly leaked secrets on GitHub, reaching ~29 million registered secrets overall, marking the largest single-year jump on record,” the organization said in a press release.
Of all the various vulnerabilities that can be found in AI-generated code, exposed credentials are the biggest avenue of compromise, says GitGuardian. Commits built with Claude Code apparently leaked secrets at about 3.2%, which is twice the baseline, and leakage of AI service information appears to be accelerating the fastest. Leaks linked to AI services increased by 81% year-on-year and are “more likely” to slip through protections.
GitGuardian specifically singled out the Model Context Protocol (MCP) configuration risk. The report says MCP server documentation often recommends putting credentials in configuration files, a risky pattern that contributed to more than 24,000 secrets being exposed.
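To make the configuration risk concrete, here is an added example written for this page (not GitGuardian's tooling and not code from any MCP project): a small scanner that walks an MCP-style JSON config, flags `env` entries that hold literal credentials, and rewrites them to environment-variable references so the secret is supplied by the launcher or a secrets manager instead of living in the file. The `mcpServers -> <name> -> env` layout, the detector heuristics and every sample value below are assumptions constructed for the example.

```python
"""Scan an MCP-style JSON configuration for hard-coded credentials.

Constructed example. Assumes the common `mcpServers -> <name> -> env`
layout; the detector heuristics and sample values are made up for this page.
"""
import json
import math
import re
from collections import Counter
from typing import Optional

# Key names that usually hold credentials (heuristic, constructed here).
SENSITIVE_KEY = re.compile(r"(KEY|TOKEN|SECRET|PASSW(OR)?D|CREDENTIAL)", re.IGNORECASE)
# Well-known credential prefixes (GitHub PATs, sk- style API keys, AWS access key ids, Slack tokens).
KNOWN_PREFIX = re.compile(r"^(ghp_|gho_|github_pat_|sk-|AKIA|xox[abprs]-)")
# user:password@host embedded in a connection URL.
URL_CREDENTIAL = re.compile(r"://[^/\s:@]+:[^@\s]+@")
# A reference to an environment variable ("$VAR" or "${VAR}") rather than a literal value.
ENV_REFERENCE = re.compile(r"^\$\{?[A-Za-z_][A-Za-z0-9_]*\}?$")


def shannon_entropy(value: str) -> float:
    """Bits of entropy per character; random tokens sit well above prose or placeholders."""
    if not value:
        return 0.0
    n = len(value)
    return -sum(c / n * math.log2(c / n) for c in Counter(value).values())


def classify(key: str, value) -> Optional[str]:
    """Return why one env entry looks like a hard-coded secret, or None if it looks safe."""
    if not isinstance(value, str) or ENV_REFERENCE.match(value):
        return None  # resolved at runtime; nothing secret is stored in the file
    if KNOWN_PREFIX.match(value):
        return "value carries a well-known credential prefix"
    if URL_CREDENTIAL.search(value):
        return "credential embedded in a connection URL"
    if SENSITIVE_KEY.search(key):
        return f"sensitive key name holds a literal value (entropy {shannon_entropy(value):.2f} bits/char)"
    return None


def scan_mcp_config(text: str) -> list:
    """Walk mcpServers.<name>.env and report every entry that looks like a hard-coded secret."""
    config = json.loads(text)
    findings = []
    for server, spec in config.get("mcpServers", {}).items():
        for key, value in (spec.get("env") or {}).items():
            reason = classify(key, value)
            if reason:
                findings.append({"server": server, "key": key, "reason": reason})
    return findings


def to_env_references(text: str) -> str:
    """Return the config with each flagged literal replaced by a ${KEY} reference."""
    config = json.loads(text)
    for spec in config.get("mcpServers", {}).values():
        env = spec.get("env") or {}
        for key, value in env.items():
            if classify(key, value):
                env[key] = "${" + key + "}"  # secret now comes from the process environment
    return json.dumps(config, indent=2)


# Constructed sample in the shape the report criticises: credentials inline in the config.
RISKY_CONFIG = json.dumps({
    "mcpServers": {
        "github": {
            "command": "npx",
            "args": ["-y", "example-github-mcp-server"],
            "env": {"GITHUB_PERSONAL_ACCESS_TOKEN": "ghp_EXAMPLEexampleEXAMPLEexample0123456789"},
        },
        "postgres": {
            "command": "example-postgres-mcp-server",
            "env": {"DATABASE_URL": "postgres://app:S3cretPassw0rd@db.example.internal:5432/app"},
        },
        "mail": {
            "command": "example-mail-mcp-server",
            "env": {"SMTP_PASSWORD": "changeme"},
        },
        "search": {
            "command": "example-search-mcp-server",
            "env": {"SEARCH_API_KEY": "${SEARCH_API_KEY}", "LOG_LEVEL": "debug"},  # already safe
        },
    }
})

if __name__ == "__main__":
    for f in scan_mcp_config(RISKY_CONFIG):
        print(f"[{f['server']}] {f['key']}: {f['reason']}")
    fixed = to_env_references(RISKY_CONFIG)
    print("findings after rewrite:", len(scan_mcp_config(fixed)))
```

Run against the constructed config, the scanner reports the GitHub token, the password embedded in `DATABASE_URL` and the literal `SMTP_PASSWORD`, and leaves the `${SEARCH_API_KEY}` reference alone; after `to_env_references` rewrites the three literals, a rescan reports nothing. The same check fits naturally as a pre-commit hook on the config file, which is where the report's "documentation recommends credentials in configuration files" pattern would otherwise slip into a repository.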
The paper further explained that internal repositories are six times more likely to contain hard-coded secrets compared to public ones, and highlighted that more than a quarter (28%) of incidents stem from leaks in collaboration and productivity tools.
Finally, with AI agents gaining deeper local access, prompt injection and supply chain attacks become more disruptive:
“AI agents need local credentials to connect across systems, making developer laptops a massive attack surface. We built our local scanning and identity discovery tool to protect them. Security teams need to map exactly which machines have which secrets, spotting critical weaknesses like overprivileged access and exposed production keys,” said Eric Fourrier, GitGuardian CEO.