1. Hardcoded Secrets and API Keys

AI coding assistants are optimized to quickly output code that works. In the process, example API keys, test DB credentials, and sample JWT secrets often remain directly in the code.

We saw a similar case in a Red Team project by ENKI Whitehat. Inside a corporate repository, they found an exposed API_KEY and system credentials that were then used to spread laterally inside the network. This links back to Supply Chain Attacks, the #2 risk in our 'Top 5 Attack Routes Used by White Hat Hackers'. A single token left in a repo can become the key to taking over the entire build pipeline.

Global studies show that commits with AI assistance leak secrets at about twice the rate of commits written solely by humans (Apiiro — 4x Velocity, 10x Vulnerabilities). In 2025 alone, the volume of newly exposed secrets on public GitHub has continued to rise. (GitGuardian — State of Secrets Sprawl 2026)

To address these risks, organizations can implement the following measures.

Mitigation measures

• Regularly run secret scanners (gitleaks, trufflehog, etc.) across the entire Git history.

• Move files like .env or secrets.yaml to a secrets manager (AWS Secrets Manager, HashiCorp Vault, etc.).

• Enable "Hardcoded Credentials" rules in the Static Application Security Testing (SAST) pipeline.

• Revoke and rotate any credentials or API keys that have been publicly exposed to repositories.

• Use pre-commit hooks to block sensitive strings from being committed in the first place.

2. Outdated Libraries and Dependencies

AI coding assistants tend to recommend library versions based on their training cutoff date. Developers who accept these suggestions unquestioningly may end up with versions in package.json or requirements.txt that are months or a year old. This is a primary driver of 1-day vulnerabilities, the #4 risk in the Top 5 Attack Routes. These are flaws with existing patches and CVEs, yet our team remains unpatched. In a previous Red Team exercise, we found a SaaS product’s AI-generated template that defaulted to an authentication library with known CVEs.

Mitigation measures

• Generate a Software Bill of Materials (SBOM) to gain visibility into which versions are being deployed.

• Include npm audit, pip-audit, or osv-scanner as standard routines in your CI pipeline.

• Utilize automated update tools such as Dependabot or Renovate.

• Manually verify dependency versions suggested by AI assistants during the code review process.

Additionally, supply chain attacks targeting the npm and PyPI ecosystems are on the rise. Malicious packages with names mimicking legitimate ones, and malicious updates via compromised maintainer accounts, are reported continuously. In a recent TeamPCP Supply Chain Attack case, attackers abused a chain of stolen CI/CD tokens and open-source updates to exploit automated development environments. Therefore, automated update tools should be used inside a process that verifies package trust and changes rather than applying "auto-merges" blindly.

3. Incomplete Authentication and Authorization

AI-generated authentication and authorization code works well for standard cases. It produces clean code for logins, token issuing, and basic role checks. The problem lies in edge cases. Patterns frequently identified by ENKI Whitehat through OFFen PTaaS include:

• Endpoints accessible with revoked tokens due to missing JWT expiration validation logic.

• Insecure Direct Object Reference (IDOR): routes leaking other users' data by simply changing an object ID.

• Cases where permission checks are applied strictly on the frontend but bypassed on backend routes.

• Admin APIs and standard user APIs sharing the same handler with missing conditional routing.

This is an area where automated tools particularly struggle. Since authorization calls are present in code but not enforced at runtime, SAST often misses them. DAST also struggles to run unauthorized request scenarios, like changing object IDs or bypassing frontend controls to hit the server directly. It is an area that must be examined through an attacker's eyes to be detected.

Mitigation measures

• Make authentication and authorization logic a mandatory code review checklist item. You must manually verify if unauthorized requests are blocked.

• Check if newly added APIs or routes are exposed without authorization, as AI-generated code might miss permission checks or leave test endpoints behind.

• Validate that auth logic works as intended with unit and integration tests prior to deployment. Test abnormal scenarios like unauthenticated access and cross-user requests.

• Repeatedly run automated pentesting scenarios to ensure newly added APIs or modified authorization logic do not reintroduce identical issues.

• Validate edge cases using external PTaaS at least once a quarter or when auth systems change. Patterns like IDOR or auth bypass must be manually checked from an attacker's perspective.