Executive Summary
In 2025, GitGuardian's 'State of Secrets Sprawl' report identified a 34% year-over-year increase in hardcoded secrets exposed on public GitHub repositories, totaling approximately 29 million. This surge is largely attributed to the rapid adoption of AI-assisted coding tools, which have accelerated software development but also increased the frequency of security vulnerabilities. Notably, AI service credentials leaks rose by 81%, with tools like Claude Code exhibiting a 3.2% secret leak rate, double the GitHub-wide baseline. Additionally, internal repositories were found to be six times more likely to contain hardcoded secrets compared to public ones, and 28% of leaks originated from collaboration and productivity tools. The report underscores the urgent need for robust secrets management and governance to mitigate these escalating risks. (blog.gitguardian.com)
The current relevance of this incident lies in the expanding attack surface introduced by AI technologies and the persistent challenge of secrets sprawl. As organizations increasingly integrate AI into their development processes, the potential for inadvertent exposure of sensitive information grows, necessitating immediate attention to secrets management practices to prevent security breaches.
Why This Matters Now
The rapid integration of AI in software development has significantly increased the risk of exposing sensitive credentials, making it imperative for organizations to implement stringent secrets management and governance frameworks to safeguard against potential security breaches.
Attack Path Analysis
An attacker exploited hardcoded secrets in public GitHub repositories to gain initial access, escalated privileges by leveraging exposed AI service credentials, moved laterally through internal systems using compromised developer workstations, established command and control via AI-assisted code deployments, exfiltrated sensitive data through collaboration tools, and caused significant impact by disrupting AI service operations.
Kill Chain Progression
Initial Compromise
Description
The attacker identified and exploited hardcoded secrets exposed in public GitHub repositories to gain unauthorized access to the organization's systems.
MITRE ATT&CK® Techniques
Credentials in Files
Bash History
Private Keys
Cloud Instance Metadata API
Group Policy Preferences
Container API
Credentials in Registry
Credentials in Memory
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Limit access to system components and cardholder data to only those individuals whose job requires such access.
Control ID: 7.1.1
NYDFS 23 NYCRR 500 – Cybersecurity Policy
Control ID: 500.03
DORA – ICT Risk Management Framework
Control ID: Article 6
CISA ZTMM 2.0 – Identity Management
Control ID: Pillar 2: Identity
NIS2 Directive – Cybersecurity Risk Management Measures
Control ID: Article 21
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Computer Software/Engineering
Critical exposure to secrets sprawl with 29 million hardcoded secrets in GitHub commits, requiring enhanced zero trust segmentation and egress security controls.
Financial Services
Supply-chain threats targeting encrypted traffic and lateral movement pose significant compliance risks under PCI and NIST frameworks for banking operations.
Health Care / Life Sciences
HIPAA-regulated environments face severe data exfiltration risks from unencrypted traffic and inadequate east-west traffic security in hybrid cloud infrastructures.
Government Administration
Critical infrastructure vulnerable to Salt Typhoon-style attacks requiring immediate implementation of multicloud visibility controls and threat detection capabilities.
Sources
- The State of Secrets Sprawl 2026: 9 Takeaways for CISOshttps://thehackernews.com/2026/03/the-state-of-secrets-sprawl-2026-9.htmlVerified
- The State of Secrets Sprawl 2026: AI-Service Leaks Surge 81% and 29M Secrets Hit Public GitHubhttps://blog.gitguardian.com/the-state-of-secrets-sprawl-2026/Verified
- GitGuardian Reports an 81% Surge of AI-Service Leaks as 29M Secrets Hit Public GitHubhttps://www.globenewswire.com/news-release/2026/03/17/3257095/0/en/GitGuardian-Reports-an-81-Surge-of-AI-Service-Leaks-as-29M-Secrets-Hit-Public-GitHub.htmlVerified
- Over 29 million secrets were leaked on GitHub in 2025, and AI really isn't helpinghttps://www.techradar.com/pro/security/over-29-million-secrets-were-leaked-on-github-in-2025-and-ai-really-isnt-helpingVerified
Frequently Asked Questions
Cloud Native Security Fabric Mitigations and ControlsCNSF
Aviatrix Zero Trust Cloud Native Security Fabric (CNSF) is pertinent to this incident as it embeds security directly into the cloud infrastructure, potentially reducing the attacker's ability to exploit internal pathways and limiting the blast radius of breaches.
Control: Cloud Native Security Fabric (CNSF)
Mitigation: By embedding security directly into the cloud fabric, CNSF could limit unauthorized access resulting from exposed secrets, reducing the attacker's initial foothold.
Control: Zero Trust Segmentation
Mitigation: Zero Trust Segmentation could limit the attacker's ability to escalate privileges by enforcing strict access controls between workloads.
Control: East-West Traffic Security
Mitigation: East-West Traffic Security could limit lateral movement by monitoring and controlling internal traffic between workloads.
Control: Multicloud Visibility & Control
Mitigation: Multicloud Visibility & Control could limit the establishment of command and control channels by providing comprehensive monitoring across cloud environments.
Control: Egress Security & Policy Enforcement
Mitigation: Egress Security & Policy Enforcement could limit data exfiltration by controlling outbound traffic and enforcing data loss prevention policies.
By embedding security directly into the cloud fabric, CNSF could limit the scope of operational disruptions by containing breaches and reducing their impact on critical services.
Impact at a Glance
Affected Business Functions
- Software Development
- IT Operations
- Data Security
- Compliance
Estimated downtime: N/A
Estimated loss: N/A
Exposure of hardcoded secrets and credentials, including API keys and tokens, potentially leading to unauthorized access to systems and data.
Recommended Actions
Key Takeaways & Next Steps
- • Implement Zero Trust Segmentation to restrict access based on identity and context, minimizing lateral movement opportunities.
- • Enforce Egress Security & Policy Enforcement to monitor and control outbound traffic, preventing unauthorized data exfiltration.
- • Deploy Threat Detection & Anomaly Response systems to identify and respond to suspicious activities in real-time.
- • Utilize Multicloud Visibility & Control to gain comprehensive insights into network traffic across all cloud environments.
- • Apply Inline IPS (Suricata) to detect and prevent known exploit patterns and malicious payloads within network traffic.
