Overview
- The Nov. 10 Wiz report found verified secret leaks at 65% of Forbes AI 50 firms with a GitHub presence, affecting companies worth over $400 billion.
- Researchers used a "Depth, Perimeter and Coverage" approach that scanned commit history, deleted forks, gists and contributors' personal repositories.
- Exposed credentials included API keys and tokens for platforms such as Weights & Biases, ElevenLabs and Hugging Face, in some cases risking access to private models or training data.
- Notable instances included LangChain organization-level LangSmith keys, a plaintext ElevenLabs enterprise key, and a deleted-fork Hugging Face token exposing roughly 1,000 private models.
- Vendor response was uneven: nearly half of Wiz's disclosures either went unanswered or could not be delivered at all. The report recommends mandatory secret scanning on every repository, a reliable vulnerability-disclosure channel, and detection rules written for the newer AI-platform secret formats.