AI Companies Leak Secrets - Wiz Finds 65% Exposure on GitHub
Category:Research & Tools
Wiz researchers discovered that 65% of the Forbes AI 50 companies leaked valid secrets, tokens, or API keys on GitHub, mapped to T1552 (Unsecured Credentials) and T1528 (Steal Application Access Token). Exposed credentials included LangChain, ElevenLabs, and Hugging Face API keys, granting access to private models. The leaks stem from weak code hygiene, missing scanning, and immature disclosure programs. Such exposures risk IP theft, dataset compromise, and service misuse by threat actors.
CORTEX Protocol Intelligence Assessment
Business Impact: API leaks can expose proprietary AI models and training data, leading to competitive loss and compliance breaches. Technical Context: Secrets found in code history and forks show T1552 and T1528 patterns requiring centralized secret management and automated scanning.
Strategic Intelligence Guidance
- Implement pre-commit and CI/CD secret scanning.
- Centralize secret storage with rotation and short-lived tokens.
- Publish clear vulnerability disclosure policies.
- Simulate secret theft scenarios during red-team testing.
Vendors
Threats
Targets
Intelligence Source: AI Companies Leak Secrets - Wiz Finds 65% Exposure on GitHub | Nov 11, 2025