Back to Home

GitHub Secrets Leak 2025: 28 Million AI Keys

GitGuardian 2025 Report Records 28.65 Million Secrets Leaks in GitHub, with AI Services Dominating (+81%). Model Infrastructures and MCP Configs Are Particularly Vulnerable. Developers Are Recommended to Review Hardcoding Practices.

28 Million Secrets Leaked to GitHub: Focus on AI Risks
Advertisement 728x90

# Leak of 28.65 Million Secrets on GitHub: AI Accelerates Risks for Developers

In 2025, public GitHub repositories accumulated a record 28.65 million hardcoded secrets—API keys, tokens, and passwords. The 34% growth compared to the previous year is linked to the boom in AI services: leaks of their credentials surged 81% to 1.27 million cases. Infrastructure around models is especially vulnerable—orchestrators, RAG pipelines, and vector stores.

Explosive Growth of Leaks in AI Infrastructure

AI has become the main driver: 8 out of 10 fastest-growing categories of secrets are from AI tools. 113,000 DeepSeek API keys were detected. AI infrastructure is leaking 5 times faster than the model providers themselves. MCP config files contain 24,000 secrets, of which 2,100 are active. The reason is popular guides for setting up MCP servers, where keys are inserted directly into the config.

Developers using AI assistants like Claude Code leak secrets in 3.2% of commits—twice the GitHub average (1.5%). The tool isn't to blame: it speeds up code generation, but errors depend on the user who ignores warnings.

Google AdInline article slot

GitHub Is Just the Tip of the Iceberg

Public repositories show only part of the problem. Internal repositories contain secrets 6 times more often. 28% of incidents are outside code: in Slack, Jira, Confluence. Long-term risk: 64% of secrets from 2022 remain active after 4 years.

| Metric | 2024 | 2025 | Growth |

|------------|------|------|------|

Google AdInline article slot

| All secrets | 21.4M | 28.65M | +34% |

| AI secrets | 0.7M | 1.27M | +81% |

| DeepSeek keys | - | 113,000 | New |

Google AdInline article slot

| MCP secrets | - | 24,000 | New |

Why AI Exacerbates the Problem

AI didn't invent leaks, but it accelerated processes: more code (+43% commits), integrations, service accounts, and configuration surfaces. The developer base grew 33%, so simple scanner improvements aren't enough.

  • Increased development speed leads to more errors.
  • AI infrastructure (RAG, vector DBs) requires many keys.
  • Setup guides encourage hardcoding.
  • Long-lived secrets aren't revoked in a timely manner.

Automated tools like GitGuardian detect the trend, but systemic changes in CI/CD and repository policies are needed.

Key Takeaways

  • Record 28.65 million secrets in public GitHub repositories in 2025, +34% year-over-year.
  • AI secrets grew 81% to 1.27 million, including 113,000 DeepSeek keys.
  • Model infrastructure leaks 5 times faster than providers; 64% of old secrets remain active.
  • AI assistants double the leak risk to 3.2% of commits.
  • 28% of incidents outside code, internal repositories 6 times worse than public.

— Editorial Team

Advertisement 728x90

Read Next