""Some of these leaks could have exposed organizational structures, training data, or even private models," said Wiz threat researchers Shay Berkovich and Rami McCarthy in a blog post. The secrets consist of API keys, tokens, and other digital credentials that are supposed to be kept out of code commits to git repos. But as the security biz noted last month, developers of VS Code extensions keep making their secrets known, a problem that McCarthy has attributed in part to vibe coding."
"Wiz, which sells secret scanning as a service, claims that its approach covers more ground than traditional repo scanning tools. "Our deep scan includes full commit history, commit history on forks, deleted forks, workflow logs and gists (which can also have forks!)," explained Berkovich and McCarthy. Self-serving though that may be, Google has agreed to buy Wiz for $32 billion in cash, so perhaps there's something there."
Cloud security firm Wiz found that 65 percent of the Forbes AI 50 leaked verified secrets on GitHub, excluding a few with no GitHub presence. Leaked items include API keys, tokens, and other digital credentials that should not appear in code commits. Some leaks could have exposed organizational structures, training data, or private models. Secret leakage has persisted despite awareness, with past incidents including AWS key exposures and PyPI packages containing API keys. Large language models can capture exposed API keys from training data and reproduce them. Wiz offers deep scans covering full commit history, forks, deleted forks, workflow logs, and gists. Exposed secrets often indicate limited visibility, fragmented ownership, or missing automated checks.
Read at Theregister
Unable to calculate read time
Collection
[
|
...
]