Uncovering Thousands of Unique Secrets in PyPI Packages

Let’s start with the big reveal of what we found:

  • 3,938 total unique secrets across all projects
  • 768 of those unique secrets were found to be valid
  • 2,922 projects contained at least one unique secret

To put those numbers in perspective, there are over 450,000 projects released through the PyPI website, containing over 9.4 million files. There have been over 5 million released versions of these packages. If we add up all the secrets shared across all the releases, we found 56,866 occurrences of secrets, meaning once a secret enters a project, it is often included in multiple releases.