The State of Secrets Sprawl 2026: 9 Takeaways for CISOs

GitGuardian’s 2026 report reveals a record 29 million hardcoded secrets were exposed in 2025, marking a 34% annual increase driven largely by rapid AI adoption and developer tool usage.

Key points

  • Leaked secrets grew by 152% since 2021, significantly outpacing the 98% growth of the public developer population.
  • AI-related service leaks surged 81% year-over-year, with LLM infrastructure tools like Supabase and Firecrawl seeing massive increases in credential exposure.
  • Internal repositories are 6x more likely to contain hardcoded secrets than public ones, with 32.2% of internal systems harboring at least one credential.
  • Approximately 28% of security incidents now originate outside of source code, occurring instead in collaboration platforms like Slack, Jira, and Confluence.
  • Remediation remains a critical failure point, as 64% of secrets identified as valid in 2022 remain exploitable today due to a lack of automated rotation.

Why it matters

The acceleration of secrets sprawl indicates that traditional detection methods are failing to keep pace with the complexity of modern AI-driven development and distributed infrastructure. Organizations must shift from simple scanning to comprehensive non-human identity governance to prevent attackers from exploiting durable, long-lived credentials.

Published by info@thehackernews.com (The Hacker News)