The rapid adoption of AI coding assistants has created new vectors for secret leakage. Commits built with Claude Code reportedly leak secrets at roughly 3.2%, twice the baseline of 1.5%. Secret leak rates in AI-assisted code were roughly double the GitHub-wide baseline, and leaks of AI service credentials appear to be accelerating the fastest.
But public repositories tell only part of the story. The analysis reveals a startling truth: , shattering the common assumption that private repositories are secure. Generic passwords appeared nearly three times more often in private repositories (24.1%) compared to public ones (8.94%).
Filtering search results to show files committed within the last few minutes.
If a secret does get committed, simply deleting it from the latest version is . Git's history contains every past version. To truly remove a secret, you must rewrite your repository's history using git filter-repo or BFG Repo-Cleaner. Once cleaned, immediately rotate the exposed credential: change the password, generate a new API key, and revoke the old one.
The rise of AI-assisted coding tools is accelerating this crisis. Developers using AI code generators have a , more than double the 1.5% baseline for manually written commits. AI services themselves drove an 81% year-over-year increase in leaks, with GitGuardian detecting over 1.27 million AI-related secrets in 2025.
    # Example using git filter-repo to remove a specific file
    git filter-repo --path password.txt --invert-paths

3. Force Push the Changes
If you receive a notification from GitHub regarding a password in your repository, it's likely due to their Secret Scanning Proactive Protection.
This write-up is for educational and defensive purposes. Unauthorized access to computer systems using exposed credentials is illegal under laws like the Computer Fraud and Abuse Act (CFAA) and similar international statutes.
The absolute best defense is ensuring secret files never leave your local machine. Every project should feature a robust .gitignore file at its root. Add explicit filenames: password.txt, secrets.txt, .env.
Use GitHub Actions Secrets for CI/CD pipelines instead of text files.
Perhaps the most embarrassing recent example occurred when GitGuardian security researcher Guillaume Valadon found reams of exposed plaintext credentials listed in spreadsheets made publicly accessible in a GitHub repository by an employee working for a CISA contractor. The exposed credentials included access tokens, cloud keys, and other sensitive files that provided access to systems belonging to CISA and its parent agency, the Department of Homeland Security.
Use tools that scan your repository for secrets before you commit.
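The following pre-commit check is an added example, not code from the original page or from any scanner it mentions. It applies two of the page's recommendations at once: it refuses the secret-bearing filenames the page lists (password.txt, secrets.txt, .env) and it scans staged content for the keyword shapes the page says scrapers look for ("password", "API_KEY", "SECRET") plus a few well-known credential formats. The regexes, the placeholder filter, the `--hook` flag and the sample staging area are all assumptions constructed for this example; real scanners carry far larger rulesets.

```python
"""Minimal pre-commit secret check (added example; rules are constructed approximations)."""
from __future__ import annotations

import re
import subprocess
import sys
from dataclasses import dataclass

# Filenames the page recommends keeping in .gitignore; never allow them into the index.
SECRET_FILENAMES = {"password.txt", "secrets.txt", ".env"}

# Content rules. "keyword-assignment" catches a literal assigned to a name that
# contains password / api_key / secret / token. The format rules are constructed
# approximations of common key shapes, not an official ruleset.
PATTERNS = {
    "keyword-assignment": re.compile(
        r"(?i)(password|passwd|api[_-]?key|secret|token)\s*[:=]\s*['\"]?([^\s'\"]{6,})"),
    "aws-access-key-id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github-token": re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36,}\b"),
    "private-key-block": re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
}

# Obvious placeholders (${VAR}, <value>, changeme, xxx, ...) are skipped so the
# hook stays quiet on config templates and developers keep trusting it.
PLACEHOLDER = re.compile(r"(?i)^(\$\{?\w+\}?|<[^>]+>|changeme|example|xxx+|\.\.\.|\*+)$")


@dataclass(frozen=True)
class Finding:
    path: str
    line: int   # 0 means the finding is about the filename itself
    rule: str


def scan_file(path: str, content: str) -> list[Finding]:
    """Return all findings for one staged file; an empty list means clean."""
    findings: list[Finding] = []
    if path.rsplit("/", 1)[-1] in SECRET_FILENAMES:
        findings.append(Finding(path, 0, "forbidden-filename"))
    for lineno, line in enumerate(content.splitlines(), start=1):
        for rule, rx in PATTERNS.items():
            m = rx.search(line)
            if not m:
                continue
            if rule == "keyword-assignment" and PLACEHOLDER.match(m.group(2)):
                continue
            findings.append(Finding(path, lineno, rule))
    return findings


def scan_staged(files: dict[str, str]) -> list[Finding]:
    """Scan a mapping of path -> staged content, in insertion order."""
    out: list[Finding] = []
    for path, content in files.items():
        out.extend(scan_file(path, content))
    return out


def staged_files_from_git() -> dict[str, str]:
    """Read added/modified files from the git index (only meaningful inside a repo)."""
    names = subprocess.run(
        ["git", "diff", "--cached", "--name-only", "--diff-filter=AM"],
        capture_output=True, text=True, check=True).stdout.split()
    files = {}
    for name in names:
        # ":path" addresses the staged blob, not the working-tree copy.
        blob = subprocess.run(["git", "show", f":{name}"], capture_output=True, check=True).stdout
        files[name] = blob.decode("utf-8", errors="replace")
    return files


# Constructed sample of a staging area, used when the script is not run as a hook.
# The AWS value is the documented example key id, not a live credential.
SAMPLE_STAGED = {
    "config/.env": "DB_PASSWORD=s3cr3t-hunter2\nDEBUG=true\n",
    "app/settings.py": "API_KEY = \"${API_KEY}\"\nAWS_KEY = \"AKIAIOSFODNN7EXAMPLE\"\n",
    "README.md": "Set the password via your secret manager, not a text file.\n",
}

if __name__ == "__main__":
    files = staged_files_from_git() if "--hook" in sys.argv else SAMPLE_STAGED
    results = scan_staged(files)
    for f in results:
        print(f"{f.path}:{f.line}: {f.rule}")
    # A non-zero exit aborts the commit when this runs as .git/hooks/pre-commit.
    sys.exit(1 if results else 0)
```

Run without arguments it scans the constructed sample and reports three findings (the .env filename, the DB_PASSWORD literal inside it, and the AWS key id in settings.py) while leaving the `${API_KEY}` template and the README sentence alone; copied to `.git/hooks/pre-commit` and invoked with `--hook` it scans the real index and blocks the commit on any hit.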
Attackers use automated tools to scrape the GitHub Events API for keywords like "password," "API_KEY," or "SECRET." Once a file is pushed, it is immediately indexed, even if the file is deleted seconds later. The history of the repository still exists, and the secret remains "hot" and usable.

Best Practices to Prevent Secret Exposure
Push the cleaned history back to GitHub. This will overwrite the remote repository branches.

    git push origin --force --all

Best Practices for Secret Management
Security professionals use these lists to test the strength of their own systems against "brute force" attacks.