65% of the 50 leading AI companies analyzed had leaked verified secrets on GitHub.

Almost half of the disclosures regarding leaked secrets by leading AI companies on GitHub either failed to reach the target or received no response.

The total valuation of the companies with verified secret leaks is over $400B.

In one specific case (an AI50 Company with no disclosure permission), a HuggingFace token found in a deleted fork allowed access to about 1K private models. The leak also included multiple WeightsAndBiases API keys belonging to organizational employees that leaked training data for many private models

The company with the smallest footprint that still had verified leak instances had 0 public repositories and 14 organization members.

The company with the largest footprint without an exposed secret had 60 public repositories and 28 organization members.

There are a total of 20,000 MCP server implementations on GitHub.

There are an estimated 20,000 repositories in GitHub implementing open-source Model Context Protocol (MCP) servers.

GitHub Copilot is now used in 39% of organisations.