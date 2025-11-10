A new study has revealed that nearly two-thirds of leading private AI companies have leaked sensitive information on GitHub.

Wiz researchers examined 50 firms from the Forbes AI 50 list and confirmed that 65% had exposed verified secrets such as API keys, tokens and credentials. Collectively, the affected companies are valued at more than $400bn.

The research, published today, suggests that rapid innovation in artificial intelligence is outpacing basic cybersecurity practices. Even companies with minimal public repositories were found to have leaked information.

One firm with no public repositories and only 14 members still exposed secrets, while another with 60 public repositories avoided leaks entirely, likely due to stronger security practices.

Digging Below the Surface

To identify these exposures, the researchers said they expanded their scanning beyond traditional GitHub searches.

Wiz’s “Depth, Perimeter and Coverage” framework looked deeper into commit histories, deleted forks, gists and even contributors’ personal repositories.

This approach helped uncover secrets hidden in obscure or deleted parts of codebases that standard scanners often miss.
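As an added defender-side illustration (not code from the Wiz research or this article), the script below shows why scanning depth matters: it builds a throwaway repository with a constructed sample history, commits a fake HuggingFace-style token, removes it in a later commit, and then compares a working-tree scan against a full-history scan. The `hf_` token pattern is an assumed approximation rather than a vendor-published format, and the script assumes a `git` binary is on PATH.

```python
"""Scan a git repository's full history, not just the checked-out tree, for API-key-like strings."""
import os
import re
import subprocess
import tempfile

# Illustrative detection patterns (assumed approximations, not official key formats).
# Add one entry per vendor token format you want to catch.
PATTERNS = {
    "huggingface": re.compile(r"\bhf_[A-Za-z0-9]{30,}\b"),
}

def _git(repo, *args):
    return subprocess.run(["git", "-C", repo, *args], check=True,
                          capture_output=True, text=True).stdout

def scan_text(text, where):
    return [(name, where, m.group(0)) for name, rx in PATTERNS.items() for m in rx.finditer(text)]

def scan_working_tree(repo):
    """What a shallow scanner sees: only files present at HEAD."""
    findings = []
    for root, _, files in os.walk(repo):
        if ".git" in root.split(os.sep):
            continue
        for f in files:
            path = os.path.join(root, f)
            with open(path, errors="ignore") as fh:
                findings += scan_text(fh.read(), os.path.relpath(path, repo))
    return findings

def scan_history(repo):
    """What a deep scanner sees: every added line in every commit on every ref.
    --all walks all branches and tags; -p emits each commit's diff, so a secret
    that was committed and later deleted still shows up as a '+' line.
    (Commits only reachable via reflog or dangling objects need git reflog/fsck.)"""
    log = _git(repo, "log", "--all", "-p", "--format=commit %H")
    findings, commit = [], None
    for line in log.splitlines():
        if line.startswith("commit "):
            commit = line.split()[1][:12]
        elif line.startswith("+") and not line.startswith("+++"):
            findings += scan_text(line[1:], f"commit {commit}")
    return findings

def demo():
    """Constructed sample: commit a fake token, then remove it; return (tree, history) findings."""
    repo = tempfile.mkdtemp()
    _git(repo, "init", "-q")
    _git(repo, "config", "user.email", "scanner@example.com")
    _git(repo, "config", "user.name", "scanner")
    fake_token = "hf_" + "A" * 34  # constructed placeholder, not a real credential
    cfg = os.path.join(repo, "config.py")
    with open(cfg, "w") as fh:
        fh.write(f'HF_TOKEN = "{fake_token}"\n')
    _git(repo, "add", ".")
    _git(repo, "commit", "-qm", "add config")
    with open(cfg, "w") as fh:
        fh.write('HF_TOKEN = os.environ["HF_TOKEN"]\n')  # "fix" that leaves history intact
    _git(repo, "commit", "-qam", "remove hard-coded token")
    return scan_working_tree(repo), scan_history(repo)
```

Removing a committed secret from HEAD does not revoke it; rotating the credential is the only reliable remediation once it has been pushed.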

Among the most commonly leaked credentials were API keys from WeightsAndBiases, ElevenLabs and HuggingFace. Some of these could have allowed access to private training data or organizational information – critical assets for AI development.