AI companies keep publishing private API keys to GitHub

Leading AI companies turn out to be no better at keeping secrets than anyone else writing code.

Cloud security firm Wiz has found that 65 percent of the Forbes AI 50 "had leaked verified secrets on GitHub," minus a few with no presence on the code sharing site.

"Some of these leaks could have exposed organizational structures, training data, or even private models," said Wiz threat researchers Shay Berkovich and Rami McCarthy in a blog post.

The secrets consist of API keys, tokens, and other digital credentials that are supposed to be kept out of code commits to git repos. But as the security biz noted last month, developers of VS Code extensions keep making their secrets known, a problem that McCarthy has attributed in part to vibe coding.

Secret leakage is a longstanding problem. Back in 2017, security researcher Dylan Ayrey published a tool called TruffleHog to find secrets inadvertently uploaded into code repos.

But awareness of the problem has failed to eliminate it. In 2020, as we noted, AWS keys kept leaking due to configuration errors. In 2023, the Python Package Index (PyPI) was found to contain many packages with AWS API keys. There are many other examples.

A recent source of API keys has been LLMs - they can capture exposed API keys in training data and can be convinced to disgorge those keys with the right coaxing.

Wiz, which sells secret scanning as a service, claims that its approach covers more ground than traditional repo scanning tools. "Our deep scan includes full commit history, commit history on forks, deleted forks, workflow logs and gists (which can also have forks!)," explained Berkovich and McCarthy.

Self-serving though that may be, Google has agreed to buy Wiz for $32 billion in cash, so perhaps there's something there.

"Exposed secrets are usually a symptom of broader challenges, like limited visibility, fragmented ownership, or missing automated checks in the development pipeline," said Berkovich in an email to The Register. "In the cloud, everything moves fast and without strong guardrails, even mature teams can miss high-impact risks."

The most common sources for secret leakage when Wiz initially looked at this issue came from Jupyter Notebook files (.ipynb), Python files (.py), and environment files (.env). These consisted mainly of keys and tokens from Hugging Face, AzureOpenAI, and WeightsAndBiases.

"Hugging Face tokens are notorious for allowing access to private AI models," said Berkovich. "The leaked Hugging Face token belonging to an AI 50 company could have exposed access to ~1,000 private models, allowing an attacker to download or inspect proprietary IP."

Berkovich added that the WeightsAndBiases API keys belong to the same company and could have granted access to sensitive training data behind private models such as confidential business data.
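As an added illustration (not code from Wiz or from the article), the Python sketch below scans the file types named above for Hugging Face-style tokens and reports whether a notebook hit sits in a cell's source or in its saved output. The `hf_` pattern, the function names and the sample data are assumptions constructed for the example.

```python
import json
import re

# Assumption: Hugging Face user access tokens start with "hf_" followed by a
# long alphanumeric string. Other providers need their own patterns.
HF_TOKEN = re.compile(r"\bhf_[A-Za-z0-9]{30,}\b")

# Constructed sample data: a placeholder token, a notebook and an env file.
FAKE = "hf_" + "EXAMPLE" * 5  # not a real token
SAMPLE_NOTEBOOK = json.dumps({"cells": [{
    "cell_type": "code",
    "source": ["import os\n", "print(os.environ['HF_TOKEN'])\n"],
    "outputs": [{"output_type": "stream", "name": "stdout", "text": [FAKE + "\n"]}],
}]})
SAMPLE_ENV = "MODEL_NAME=demo\nHF_TOKEN=" + FAKE + "\n"


def notebook_texts(raw):
    """Yield (location, text) for each cell's source and each saved output."""
    nb = json.loads(raw)
    for i, cell in enumerate(nb.get("cells", [])):
        yield f"cell {i} source", "".join(cell.get("source", []))
        for out in cell.get("outputs", []):
            # Stream outputs use "text", rich outputs use data["text/plain"],
            # error outputs use "traceback"; each is a string or list of strings.
            text = (out.get("text")
                    or out.get("data", {}).get("text/plain")
                    or out.get("traceback", ""))
            yield f"cell {i} output", "".join(text)


def scan(filename, raw):
    """Return [(filename, location, redacted_token)] for suspected tokens."""
    if filename.endswith(".ipynb"):
        chunks = notebook_texts(raw)
    else:  # .py, .env and other text files: report by line number
        chunks = ((f"line {n}", line)
                  for n, line in enumerate(raw.splitlines(), 1))
    findings = []
    for location, text in chunks:
        for match in HF_TOKEN.finditer(text):
            # Keep only a short prefix so the report does not re-leak the value.
            findings.append((filename, location, match.group()[:6] + "..."))
    return findings


if __name__ == "__main__":
    for hit in scan("train.ipynb", SAMPLE_NOTEBOOK) + scan(".env", SAMPLE_ENV):
        print(hit)
```

Notebook files store cell outputs alongside the code, so a token printed during a run stays in the committed file even when the source cell reads it from the environment.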

Wiz has chosen not to name and shame the firms spilling their sensitive keys across GitHub, other than ElevenLabs and LangChain. The ElevenLabs API key was spotted in a plaintext mcp.json file, which Berkovich and McCarthy say "speaks to the relationship between vibe coding and secrets leakage" that they noted previously.

"Advances in AI development result in new use cases and possibilities of secret leaks (ipynb files, vibe coding, gaps in coverage of new AI-specific secret types)," said Berkovich. "That's why our working hypothesis was that any AI company with a big enough GitHub footprint has exposed secrets. This was confirmed by the high proportion (65 percent) of AI innovators with exposed secrets."

According to Wiz, ElevenLabs and LangChain responded promptly when alerted to the exposed secrets. But almost half of the security disclosures either couldn't be delivered or received no response.

The first step toward solving your secret exposure problem is admitting that you have a problem. ®
