Your AI Agent Is Holding Your Passwords. That Should Terrify You.

David Park | 8 min

In August 2025, attackers used a single compromised AI chat agent at Salesloft to steal OAuth tokens and drain Salesforce CRM data from hundreds of companies. Obsidian Security called it 10x more damaging than initially reported. The attack vector wasn't a zero-day exploit. It wasn't a nation-state hacking team with unlimited resources. It was an AI agent sitting on a live website with OAuth tokens baked into its integration, doing exactly what it was designed to do, just for the wrong people.

That's the credential handling problem nobody in the AI agent space wants to talk about honestly. We're building autonomous systems that act on our behalf, giving them the keys to everything we own, and then being shocked when someone figures out how to make those agents act on their behalf instead. The computer use era isn't just about what AI agents can do. It's about what they can be made to do.

28.65 Million Secrets. One Year. Thanks, AI.

GitGuardian's State of Secrets Sprawl 2026 report dropped a number that should have been front-page news: 28.65 million new hardcoded secrets were added to public GitHub commits in 2025 alone. That's a 34% increase year over year. The report is explicit about the cause. AI agents don't hardcode credentials once like a careless human developer does. They do it over and over, at machine speed, across every project they touch. GitHub Copilot adoption rose 27% between 2023 and 2024, and secret leaks spiked 40% in the same window. That's not a coincidence. That's causation wearing a hoodie and calling itself productivity.

And here's what makes this uniquely bad for computer use agents specifically. A traditional software vulnerability leaks a credential in code. A computer use agent, one that's actually operating a real desktop or browser session, doesn't just leak credentials. It uses them, in real time, while a prompt injection attack or a compromised context window quietly redirects where it's sending the results. The attack surface isn't a file in a repo. It's every website the agent visits, every form it fills out, every API it calls.

The Four Ways AI Agents Are Getting Your Credentials Stolen Right Now

  • Hardcoded secrets at machine scale: AI coding agents embed API keys and passwords into generated code at a rate no human developer could match. Private repos have 6x the hardcoded secret density of public ones, meaning the stuff you think is safe is actually the most exposed.
  • Prompt injection via the browser: Palo Alto's Unit 42 documented nine concrete attack scenarios where malicious web content hijacks a computer-using AI mid-task. The agent reads a poisoned page, gets new instructions, and starts exfiltrating credentials it was already holding. Brave Security demonstrated this live against Perplexity's Comet agent in August 2025.
  • OAuth token sprawl: The Salesloft breach happened because Drift's AI agent used individual OAuth tokens per user with no rotation, no anomaly detection, and no kill switch. Once attackers had one token, the architecture handed them the rest. Google's Threat Intelligence Group confirmed the scope was massive.
  • Claude Code reading .env files: A Reddit thread in June 2025 blew up when users discovered Claude Code reads .env files by default and sends their contents, including API keys and passwords, to Anthropic's servers. The response from Anthropic was essentially 'well, don't put secrets there.' In 2026. Telling developers not to use .env files.
  • Shared credentials across agent swarms: According to 1Password's enterprise research, most companies deploying multi-agent systems give every agent in the swarm the same shared credentials because nobody has figured out per-agent identity yet. One compromised agent means every agent is compromised.
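As an added example that is not from the article or any vendor it names, this is the kind of pre-commit check a team can put in front of agent-generated code to catch the machine-scale hardcoding described in the first item above and in the GitGuardian numbers. The regex, the entropy threshold and the sample snippet (including its fake key) are constructed for illustration.

```python
"""Added example (not from the article, Coasty, or any vendor it names): a
pre-commit style check that flags hardcoded credentials in agent-generated code."""
import math
import re
from collections import Counter

# A string literal assigned to a credential-looking name, in code, YAML or JSON.
ASSIGN_RE = re.compile(
    r'(?i)\b(?P<name>[A-Z0-9_]*(?:api[_-]?key|secret|token|password|passwd)[A-Z0-9_]*)'
    r'\s*[:=]\s*["\'](?P<value>[^"\']{8,})["\']'
)

def shannon_entropy(s: str) -> float:
    """Bits per character: random-looking keys score high, dictionary words low."""
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())

def redact(value: str) -> str:
    """The report must never re-leak the secret into CI logs or tickets."""
    return f"{value[:4]}*** ({len(value)} chars)"

def scan(source: str, min_entropy: float = 3.0) -> list[dict]:
    """One finding per line assigning a high-entropy literal to a credential-looking name."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        m = ASSIGN_RE.search(line)
        if not m:
            continue
        value = m.group("value")
        # Templated values (${VAR}) and low-entropy placeholders are not leaks.
        if value.startswith("${") or shannon_entropy(value) < min_entropy:
            continue
        findings.append({"line": lineno, "name": m.group("name"), "value": redact(value)})
    return findings

# Constructed snippet standing in for agent-generated code; the key is fake.
SAMPLE = """import requests
STRIPE_API_KEY = "sk_live_Zq8T3mN1vR6yB4wK0pL9xC2h"  # constructed fake key
DB_PASSWORD = "changeme"          # placeholder: low entropy, not flagged
GITHUB_TOKEN = "${GITHUB_TOKEN}"  # templated, resolved at runtime: not flagged

def fetch(url):
    return requests.get(url, headers={"Authorization": "Bearer " + STRIPE_API_KEY})
"""

if __name__ == "__main__":
    for f in scan(SAMPLE):
        print(f"line {f['line']}: {f['name']} = {f['value']}")
```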

"AI agents don't hardcode credentials once like a careless developer. They do it over and over, at machine speed and scale." And in 2025, that added up to 28.65 million exposed secrets in public GitHub alone. The private repos are worse.

Anthropic and OpenAI Both Have a Credential Problem They're Downplaying

Let's be direct about this. Anthropic's computer use implementation and OpenAI's Operator both handle credential passing in ways that should make any security-conscious engineer uncomfortable. WorkOS published a detailed breakdown in February 2025 noting that both systems rely heavily on screenshot-based session management, which means credentials typed into forms exist in screenshot buffers, in context windows, and potentially in training pipelines depending on your agreement terms.

OpenAI Operator, when it launched in January 2025, required users to literally type their passwords into web forms while the agent watched and acted. The documentation acknowledged this was a trust issue and suggested users should 'review actions before sensitive operations.' That's not a security model. That's a disclaimer.

Anthropic's computer use agent has the same fundamental architecture. It sees your screen. It sees your passwords as you type them or as it types them. The context window holding that session data is, depending on how you've deployed it, not yours alone. An arXiv paper from May 2025 titled 'The Hidden Dangers of Browsing AI Agents' specifically called out both Operator and Anthropic Computer Use for creating novel attack surfaces that traditional web security assumptions don't account for. The researchers weren't being alarmist. They were describing what's already happening.

The Prompt Injection Problem Is Worse Than Anyone Admits

Prompt injection is now the most common AI exploit of 2025, according to Obsidian Security's threat research. And for computer use agents, it's uniquely dangerous because the agent is already authenticated. It already has your credentials. It's already inside your systems. A traditional prompt injection attack might make a chatbot say something embarrassing. A prompt injection attack against a computer use agent that's logged into your AWS console, your Salesforce instance, and your internal HR system is a different category of problem entirely.

Docker's security team published an MCP horror story in August 2025 where a GitHub prompt injection turned an AI assistant into a data exfiltration tool mid-task. The agent was doing legitimate work, hit a poisoned repository, and started sending private data to an external endpoint. The user had no idea until the logs showed it.

A 661% surge in hacked-as-a-service operations targeting AI agent identities was documented in Constella Intelligence's 2026 Identity Breach Report. That number deserves to be read twice. Six hundred sixty-one percent. Attackers aren't scared of AI agents. They're excited about them.

Why Coasty Takes This Differently

I'm not going to pretend every computer use agent is equally reckless here, because they're not. The reason Coasty sits at 82% on OSWorld, the highest score of any computer use agent on the market, isn't just that it's better at clicking buttons. It's that the architecture was built around the reality that a computer use agent operating real desktops and real browsers is a high-privilege system that needs to be treated like one.

Coasty runs tasks in isolated cloud VMs, which means your credential context doesn't bleed between sessions or between users. There's no shared credential pool in an agent swarm. Each execution environment is clean. When you bring your own keys via BYOK, those keys stay yours; they don't sit in a shared inference pipeline. The agent swarm architecture for parallel execution is built so that individual agents have scoped permissions, not blanket access to everything the orchestrator can touch.

Is this a solved problem? No. Nobody has fully solved agentic credential security yet. But there's a meaningful difference between a tool built by people who thought hard about this from day one and a tool where credential handling was retrofitted after the first breach headlines. Coasty's benchmark performance isn't separate from its security posture. Both come from the same thing: actually building the infrastructure correctly instead of shipping fast and apologizing later. Try it at coasty.ai; there's a free tier, and BYOK means you're not handing your keys to anyone.
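The per-agent scoped credentials, rotation and kill switch that the OAuth sprawl and shared-swarm items above say were missing, and that this section argues for, as an added example that is neither Coasty's code nor any other vendor's: an orchestrator-side broker issuing each agent its own short-lived, HMAC-signed, individually revocable token. The token format, scope names and agent ids are constructed; demo() walks a leaked CRM-reader token through every check it should fail.

```python
"""Added example (not from the article or any vendor it names): per-agent scoped,
short-lived, revocable credentials instead of a shared swarm pool; format constructed."""
import base64, hashlib, hmac, json, secrets

class CredentialBroker:
    """Issuer/verifier: one token per agent, explicit scopes, short TTL, per-token revocation."""

    def __init__(self, signing_key: bytes, ttl_seconds: int = 300):
        self.key, self.ttl = signing_key, ttl_seconds
        self.revoked: set[str] = set()  # kill switch: token ids pulled after an anomaly

    def _sign(self, body: str) -> str:
        return hmac.new(self.key, body.encode(), hashlib.sha256).hexdigest()

    def issue(self, agent_id: str, scopes: list[str], now: float) -> str:
        claims = {"agent": agent_id, "scopes": sorted(scopes),
                  "exp": now + self.ttl, "jti": secrets.token_hex(8)}
        body = base64.urlsafe_b64encode(json.dumps(claims).encode()).decode()
        return f"{body}.{self._sign(body)}"

    def revoke(self, token: str) -> None:
        body = token.rpartition(".")[0]
        self.revoked.add(json.loads(base64.urlsafe_b64decode(body))["jti"])

    def authorize(self, token: str, agent_id: str, scope: str, now: float) -> bool:
        """Resource side: valid signature, right agent, unexpired, not revoked, scope granted."""
        body, _, sig = token.rpartition(".")
        if not body or not hmac.compare_digest(sig, self._sign(body)):
            return False
        claims = json.loads(base64.urlsafe_b64decode(body))
        return (claims["agent"] == agent_id and claims["jti"] not in self.revoked
                and claims["exp"] > now and scope in claims["scopes"])

def demo() -> dict:
    """Leaked CRM token: wrong scope, wrong agent, expiry, tampering and revocation all fail."""
    broker = CredentialBroker(secrets.token_bytes(32), ttl_seconds=300)
    t0 = 1_700_000_000.0  # fixed clock so the outcome is deterministic
    crm = broker.issue("agent-crm", ["crm:read"], now=t0)
    tampered = crm[:-1] + ("0" if crm[-1] != "0" else "1")  # one flipped signature char
    results = {
        "own_scope": broker.authorize(crm, "agent-crm", "crm:read", now=t0),
        "other_scope": broker.authorize(crm, "agent-crm", "hr:read", now=t0),
        "other_agent": broker.authorize(crm, "agent-hr", "crm:read", now=t0),
        "expired": broker.authorize(crm, "agent-crm", "crm:read", now=t0 + 301),
        "tampered": broker.authorize(tampered, "agent-crm", "crm:read", now=t0),
    }
    broker.revoke(crm)
    results["revoked"] = broker.authorize(crm, "agent-crm", "crm:read", now=t0)
    return results
```

Only "own_scope" is True in demo()'s result; every other entry is the leaked token being refused.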

Here's where I land on this. The credential handling problem in AI agents isn't a niche security concern for enterprise IT teams. It's the central question of whether agentic AI can actually be trusted with real work. Right now, most computer use agents are operating like it's still the chatbot era, where the worst case was a bad output, not a bad actor walking out with your OAuth tokens and your customer data. The Salesloft breach was the warning shot. The 28.65 million leaked secrets are the ongoing siege. And the 661% surge in AI-targeted identity attacks means the attackers have already figured out that computer-using AI is the new perimeter.

If you're evaluating computer use agents for real work, real credentials, and real systems, the question isn't just 'can it do the task?' The question is 'what happens when something goes wrong?' Demand isolated execution environments. Demand per-agent scoped credentials. Demand BYOK. Demand transparency about what's in the context window and where it goes. The tools that can answer those questions confidently are the ones worth using. The ones that can't are the ones that will be in the next breach headline. Start with the one that's already thought about this. coasty.ai.
