
Leading AI Companies Keep Leaking Their Own Information on GitHub
Why It Matters
The findings reveal pervasive security gaps at the industry's leading AI players, raising the risk of credential theft and supply‑chain attacks, and underscore the need for robust secret‑management practices across the sector.
Summary
Wiz researchers scanned GitHub repositories associated with the Forbes top‑50 AI companies and discovered that 65% of them expose verified secrets—API keys, tokens and credentials—often hidden in deleted forks, developer repos and gists. Their proprietary “Depth, Perimeter, and Coverage” methodology expands discovery to contributors’ personal repos and targets newer secret types such as those from Tavily, Langchain, Cohere and Pinecone, uncovering leaks traditional scanners miss. When the firms were notified, almost half of the alerts failed to reach a response channel or received no reply. Wiz advises immediate deployment of comprehensive secret‑scanning, prioritisation of proprietary secret formats, and the establishment of dedicated disclosure channels.
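The secret-scanning practice the summary recommends, shown as an added example (not Wiz's tooling and not code from the report): a small Python scanner that combines prefix patterns for known secret formats with an entropy fallback for generic `api_key=` / `password=` assignments, and runs over constructed file contents. The AWS access-key and GitHub token patterns are real, publicly documented formats; the `exco_` prefix is a constructed placeholder standing in for a proprietary format, and every sample value below is constructed (the AWS key is AWS's own documentation example).

```python
import math
import re
from collections import Counter

# Prefix patterns for secret formats. Real, documented formats first; the
# "exampleco" entry is a CONSTRUCTED placeholder for a proprietary format that
# an organisation would add for its own keys (this is what "prioritising
# proprietary secret formats" means in practice).
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "exampleco_api_key": re.compile(r"\bexco_[A-Za-z0-9]{32}\b"),  # placeholder
}

# Fallback: a long token assigned to a secret-looking variable name. No leading
# \b, so names such as MY_API_KEY (underscore is a word character) still match.
ASSIGNMENT = re.compile(
    r"(?i)(?:api[_-]?key|secret|token|password)\b\s*[:=]\s*['\"]?([A-Za-z0-9_\-]{20,})"
)


def shannon_entropy(value: str) -> float:
    """Bits per character; random keys score high, placeholders score low."""
    counts = Counter(value)
    n = len(value)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def redact(value: str) -> str:
    """Never write the full secret into a finding or a log line."""
    return value[:4] + "..." + f"({len(value)} chars)"


def scan_text(text: str, source: str, entropy_threshold: float = 3.5) -> list:
    """Return findings for one file's contents as a list of dicts."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        # 1. Known formats: caught anywhere on the line, no variable name needed.
        for kind, pattern in PATTERNS.items():
            for match in pattern.finditer(line):
                findings.append({"source": source, "line": lineno,
                                 "kind": kind, "value": redact(match.group(0))})
        # 2. Generic assignments: only high-entropy values are reported.
        for match in ASSIGNMENT.finditer(line):
            value = match.group(1)
            if any(p.search(value) for p in PATTERNS.values()):
                continue  # already reported under its known format
            if shannon_entropy(value) >= entropy_threshold:
                findings.append({"source": source, "line": lineno,
                                 "kind": "high_entropy_assignment",
                                 "value": redact(value)})
    return findings


def scan_files(files: dict) -> list:
    """files maps a path to its contents, e.g. one commit or fork checkout."""
    results = []
    for path, contents in files.items():
        results.extend(scan_text(contents, path))
    return results


# CONSTRUCTED sample repository contents; none of these are real credentials.
SAMPLE_FILES = {
    "config/.env": (
        "# constructed sample\n"
        "AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n"
        "EXAMPLECO_API_KEY=exco_ABCDEFGHIJKLMNOPQRSTUVWXYZ123456\n"
        "ADMIN_PASSWORD=changeme_changeme_changeme\n"
    ),
    "notebooks/scratch.py": (
        'client = Client(api_key="q7Zp3mW9xLk2vN8rTb5yHc4dJf6gA1e")\n'
        "print('ok')\n"
    ),
}

if __name__ == "__main__":
    for finding in scan_files(SAMPLE_FILES):
        print(f"{finding['source']}:{finding['line']} "
              f"{finding['kind']} {finding['value']}")
```

Running the block reports three findings: the AWS key and the placeholder proprietary key via their prefix patterns, and the random-looking value in the notebook via the entropy fallback; the repeated `changeme` password is below the entropy threshold and is skipped. The prefix patterns are the part worth investing in: they fire wherever the key appears (a gist, a deleted fork's history, a notebook output cell), whereas the fallback only sees values next to a recognisable variable name.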