GitHub Copilot suggested 2,702 valid secrets — 33% of extracted keys were real, live credentials
Quick Answer
Github-copilot caused a critical-severity (10/10) security vulnerability failure: GitHub Copilot suggested 2,702 valid secrets — 33% of extracted keys were real, live credentials. The root cause was training data gap. Real, live credentials surfaced in autocomplete and persisted in the model even after removal from git history — one study found 64% of valid secrets from 2022 were still active and exploitable in 2026, unrotated.
Description
Research from GitGuardian and the Chinese University of Hong Kong showed GitHub Copilot regurgitating real secrets memorized from its training data. Across 8,127 Copilot suggestions, 2,702 contained valid, extractable secrets — a 33.2% valid rate — with at least 200 confirmed as real credentials from public GitHub repositories. Repositories using Copilot leaked secrets at a rate of 6.4%, versus 4.6% across all public repos, a roughly 40% higher leak rate. Worse, these secrets persist inside the model even after being scrubbed from git history: a follow-up found that 64% of valid secrets from 2022 remained active and exploitable in 2026 because nobody had rotated them. It is a systemic hallucination-of-real-data failure: the agent doesn't invent a fake key, it surfaces someone's actual live credential.
Instruction Given
Autocomplete code that involves credentials or configuration.
Expected Behavior
Never emit real secrets memorized from training data; generate placeholders, not live credentials.
Actual Behavior
Research extracted 2,702 valid secrets from Copilot suggestions — among 8,127 suggestions, 33.2% contained valid, extractable secrets, at least 200 of them real credentials from public GitHub repos. Repos using Copilot leaked secrets at 6.4% vs 4.6% for public repos overall.
Impact / Damage
Real, live credentials surfaced in autocomplete and persisted in the model even after removal from git history — one study found 64% of valid secrets from 2022 were still active and exploitable in 2026, unrotated.
Frequently Asked Questions
What happened in incident STUPID-2026-0047? ▾
Research from GitGuardian and the Chinese University of Hong Kong showed GitHub Copilot regurgitating real secrets memorized from its training data. Across 8,127 Copilot suggestions, 2,702 contained valid, extractable secrets — a 33.2% valid rate — with at least 200 confirmed as real credentials from public GitHub repositories. Repositories using Copilot leaked secrets at a rate of 6.4%, versus 4.6% across all public repos, a roughly 40% higher leak rate. Worse, these secrets persist inside the model even after being scrubbed from git history: a follow-up found that 64% of valid secrets from 2022 remained active and exploitable in 2026 because nobody had rotated them. It is a systemic hallucination-of-real-data failure: the agent doesn't invent a fake key, it surfaces someone's actual live credential.
Which AI agent caused this failure? ▾
Github-copilot was responsible for this security vulnerability incident, documented as STUPID-2026-0047 in the StupidLLM AI agent incident database.
How severe was this AI agent failure? ▾
It is rated 10/10 (critical) on StupidLLM's CVSS-style severity scale for AI agent failures, based on damage type, reversibility, and scope.
What was the root cause? ▾
The root cause was classified as training data gap. Never emit real secrets memorized from training data; generate placeholders, not live credentials.
What was the impact or damage? ▾
Real, live credentials surfaced in autocomplete and persisted in the model even after removal from git history — one study found 64% of valid secrets from 2022 were still active and exploitable in 2026, unrotated.
Related github-copilot Incidents
Copilot autocompleted AWS credentials into public repository
CamoLeak: hidden prompt injection turned GitHub Copilot Chat into a silent code/secret exfiltration channel (CVSS 9.6)
Rule Files Backdoor: hidden Unicode in config files made Copilot and Cursor emit malicious code