The rapid adoption of AI coding assistants has created new vectors for secret leakage. Commits built with Claude Code reportedly leak secrets at roughly 3.2%, twice the baseline of 1.5%. Secret leak rates in AI-assisted code were roughly double the GitHub-wide baseline, and leaks of AI service credentials seem to be accelerating the fastest.
The "password.txt" crisis on GitHub is not going away. It's accelerating. With 28.65 million new secrets exposed in 2025 and AI adoption driving even faster growth, the attack surface is expanding daily.
Option B — When you cannot rewrite history (enterprise constraints):
To prevent future leaks, organizations must implement comprehensive secret management strategies:
This isn't just about old files; it's about "hot" or active leaks. Scrapers can find and exploit a credential within minutes of it being published.
Malicious actors do not manually search GitHub all day. They build automated bots that monitor the GitHub Public Timeline API. The moment a repository transitions to public, the bot scans the commit history for high-value filenames. If it finds a match, it automatically extracts the string and tests it against major cloud providers like AWS, Azure, or Google Cloud.
How to Check If You Are Exposed
A single exposed credential can unlock everything. With IAM access, attackers enumerate internal APIs, access CI/CD pipelines using leaked tokens, and move laterally across internal services. They maintain access by creating new IAM users or SSH keys, deploy malicious Lambda functions to blend in, and exfiltrate data from S3 buckets and Azure Blob Storage.
GitHub has become a primary hub for security "wordlists"—collections of common passwords, default credentials, and leaked data used for testing. These lists are "hot" for two reasons:
If you have accidentally pushed a password.txt file to GitHub, follow these steps immediately:
But awareness is power. Understanding Git dorking, using secret scanning tools, implementing commit-time prevention, rotating credentials aggressively, and training developers can dramatically reduce risk.
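A commit-time check of the kind mentioned above, as an added example (not code from the original article): a Python pre-commit hook that refuses a commit when a staged file has a risky name such as password.txt or contains credential-shaped strings. The filename deny-list and the three regexes are illustrative assumptions, not a complete rule set.

```python
#!/usr/bin/env python3
"""Pre-commit guard: block staged files that look like credential leaks."""
import re
import subprocess
import sys
from pathlib import PurePosixPath

# Assumed deny-list of risky filenames; extend it for your organisation.
RISKY_NAMES = {"password.txt", "passwords.txt", "credentials.txt", ".env", "id_rsa"}
# Assumed content rules: AWS access key ID, PEM private key header, hard-coded password.
PATTERNS = {
    "aws-access-key-id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "private-key": re.compile(r"-----BEGIN (?:[A-Z]+ )?PRIVATE KEY-----"),
    "password-assignment": re.compile(r"(?i)\bpassw(?:or)?d\s*[:=]\s*['\"][^'\"\s]{6,}['\"]"),
}

def scan(files):
    """Return sorted (path, line_no, rule) findings for {path: text}; line 0 means filename."""
    findings = []
    for path, text in files.items():
        if PurePosixPath(path).name.lower() in RISKY_NAMES:
            findings.append((path, 0, "risky-filename"))
        for line_no, line in enumerate(text.splitlines(), start=1):
            for rule, pattern in PATTERNS.items():
                if pattern.search(line):
                    findings.append((path, line_no, rule))
    return sorted(findings)

def staged_files():
    """Read the staged (index) version of each added, copied or modified file."""
    names = subprocess.run(
        ["git", "diff", "--cached", "--name-only", "--diff-filter=ACM", "-z"],
        capture_output=True, check=True).stdout.split(b"\0")
    files = {}
    for raw in filter(None, names):
        path = raw.decode("utf-8", "replace")
        blob = subprocess.run(["git", "show", f":{path}"], capture_output=True, check=True).stdout
        files[path] = blob.decode("utf-8", "replace")
    return files

def main():
    findings = scan(staged_files())
    for path, line_no, rule in findings:
        print(f"BLOCKED {path}:{line_no} [{rule}]", file=sys.stderr)
    return 1 if findings else 0  # non-zero exit aborts the commit

if __name__ == "__main__":
    sys.exit(main())
```

Saved as `.git/hooks/pre-commit` and made executable, it scans the staged content rather than the working tree, so a secret that was staged and then edited out locally is still caught.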
In one real-world example, a team embedded IAM access keys with full S3Delete permissions directly into frontend JavaScript. Their S3 buckets were wiped within days by an unknown actor.