Leaked MCP server config credentials — GitGuardian found 24,008 secrets in 2025

Updated

MCP server configs hold credentials for whatever external service the server fronts (GitHub, Notion, Linear, internal databases). When these configs land in public repos, the credentials are exposed. GitGuardian's 2025 sweep found 24,008 unique secrets in MCP-related GitHub configs; 2,117 (8.8%) were still valid at scan time.

The next 60 seconds matter

GitGuardian-class automated scanners index every public GitHub commit. The MCP config file pattern is well-known + the credential field shape is regular. Once a credential is found, blast radius depends on what the MCP server connects to: database access (read full schema + exfiltrate), GitHub (lateral move into the org), Notion (read internal docs), internal infra (persistent foothold).

  • Each leaked credential maps to a different downstream blast radius (database / SaaS / internal infra)
  • Lateral movement via shared OAuth scopes
  • Persistent foothold in MCP server's hosting environment
  • Pivot to credentials of any other MCP server installed on the same host

Rotation playbook

  1. Identify which credential leaked — open the MCP config file; cross-reference each field against your vendor list
  2. Revoke each leaked credential at its respective vendor console (GitHub PATs, Notion integration tokens, internal-API tokens)
  3. Remove the credentialed config from git history; rewrite history with `git filter-repo --path <config-path> --invert-paths`
  4. Rotate every credential in any MCP config on any developer's host with access to the affected repo
  5. Audit MCP server access logs (where available) for unauthorized use

Prevent the next one

  • Use OS keychain / credential manager — never plaintext config
  • MCP servers should accept env-var-only credentials; refuse plaintext-config patterns
  • Securie's mcp-guard crate validates that registered servers don't ship plaintext-credentialed configs
  • GitGuardian + secret_scanner pre-commit hooks catch the config-shape pattern before commit
  • Audit your `~/.config/claude-desktop/`, `~/.cursor/mcp.json`, `~/.continue/config.json` against `.gitignore` regularly
Pattern we scan for
JSON config under `~/.config/claude-desktop/`, `~/.cursor/mcp.json`, `~/.continue/config.json` — fields named apiKey / bearerToken / password / token