The exposure of sensitive digital credentials, known as secrets sprawl, reached a new record in 2025, according to an annual industry report. The analysis of public code repositories found a sharp, unexpected increase in the number of hardcoded secrets like passwords and API keys left exposed by developers, posing a significant and growing security risk for organizations globally.
The report, which examined billions of code commits on the public GitHub platform, identified 29 million new hardcoded secrets during 2025. This figure represents a 34% increase compared to the previous year and is described as the largest single-year jump ever recorded. The acceleration in secrets exposure outpaced the expectations of most security teams.
Core Trends Driving the Increase
The findings for the period highlight three primary trends contributing to the problem. The first is the rapid integration of artificial intelligence into software development. AI coding assistants are being widely adopted, and their use has been correlated with a higher rate of secrets being inadvertently generated and committed to code.
The second trend involves the continued complexity of modern software supply chains. As applications rely on more external services, libraries, and cloud infrastructure, the number of required access tokens and keys multiplies, increasing the potential attack surface.
The third factor is the persistent gap between developer velocity and security protocols. In fast-paced development environments, security checks are sometimes bypassed to meet deadlines, leading to credentials being embedded directly into source code instead of being managed through secure vaults.
Implications for Organizational Security
Hardcoded secrets are a critical vulnerability. When credentials such as database passwords, cloud access keys, or third-party API tokens are left plaintext in public or internal code repositories, they can be easily extracted by automated scanning tools used by malicious actors.
Compromised credentials often serve as a primary entry point for data breaches and ransomware attacks. Attackers can use these keys to gain unauthorized access to internal systems, exfiltrate sensitive data, or deploy malware. The widespread nature of secrets sprawl means that a single exposed key can jeopardize an entire organization’s infrastructure.
Security experts note that the problem is not confined to open-source projects. Similar issues frequently occur within private corporate repositories, where a false sense of security can lead to lax practices. Once a secret is committed to a version history, it is challenging to fully erase, even if later removed.
Industry Response and Mitigation
The cybersecurity industry has developed several tools and practices aimed at curbing secrets sprawl. These include automated secrets detection scanners that integrate directly into developer workflows and version control systems. These tools flag potential credentials before code is merged.
Another recommended practice is the implementation of secrets management solutions. These dedicated systems securely store, rotate, and control access to credentials, ensuring they are never written directly into application code. Security training for developers on secure coding practices is also considered a fundamental countermeasure.
Looking ahead, industry analysts predict that regulatory bodies may begin to pay closer attention to secrets management as part of broader software supply chain security mandates. Organizations are expected to increasingly adopt automated governance and policy-as-code frameworks to enforce security rules systematically, moving beyond manual audits to prevent credentials from being exposed in the first place.
Source: GitGuardian
