Agents
GitGuardian: 24,008 Unique Secrets Exposed in MCP Configuration Files on Public GitHub
GitGuardian's State of Secrets Sprawl 2026 report found 24,008 unique secrets in MCP-related configuration files on public GitHub, including 2,117 confirmed valid credentials. Google API keys account for nearly 20% and PostgreSQL connection strings 14% of exposed secrets. The root cause: popular MCP setup guides recommend putting API keys directly into configuration files, command-line arguments, or embedded connection strings. Across all of GitHub, 28.65 million new hardcoded secrets were added in 2025 (+34% YoY), with AI service credentials accelerating faster than any other category.
↳ Follow the thread