Your AI Just Hardcoded Your Stripe Key. Here's Why It Keeps Happening.

via Dev.to WebdevBusyAgents

TL;DR

- AI code generators embed live secrets directly in source files more often than you'd expect.
- The pattern comes from training data full of tutorials where authors hardcoded values for simplicity.
- The fix is a single env var lookup, but you need a scanner to catch it before it reaches git history.

I was doing a code review last week when I spotted it. Buried three files deep in a side project: a real Stripe live key, hardcoded directly into the payment service. The AI had generated it that way, the developer hadn't noticed, and it had already been committed twice. Not a test key. Not a placeholder. An actual live key that could drain an account.

This isn't rare. I've started checking for hardcoded secrets as a reflex whenever I see AI-generated backend code. It shows up in roughly a third of the projects I look at - Stripe keys, OpenAI API tokens, database passwords, JWT signing secrets. The AI fills in the slot where it thinks a value goes, and the training data is full of tutorials
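As an added example (not code from the post or its author), here is a small Python scanner in the spirit of the pre-commit check the post calls for: it flags provider-style key prefixes and high-entropy secret literals, leaves the env-var form and low-entropy placeholders alone, and redacts whatever it reports. The key prefixes in the pattern table and the sample source are assumptions constructed for illustration, not real keys.

```python
"""Minimal hardcoded-secret scanner to run before commit (added example, not the post's code)."""
import math
import re
from collections import namedtuple
# Assumption: these prefixes reflect the providers the post names; extend the table for your stack.
SECRET_PATTERNS = {
    "stripe_live_secret": re.compile(r"\b(?P<value>[sr]k_live_[0-9A-Za-z]{16,})"),
    "openai_api_key": re.compile(r"\b(?P<value>sk-[0-9A-Za-z]{20,})"),
    # Any identifier containing key/secret/password/token assigned a quoted literal of 12+ chars.
    "generic_assignment": re.compile(
        r"""(?i)\b\w*(?:api[_-]?key|secret|password|passwd|token)\w*\s*[:=]\s*["'](?P<value>[^"']{12,})["']"""
    ),
}
# 'redacted' holds a truncated form of the literal so scanner output never leaks the full secret.
Finding = namedtuple("Finding", "path line_no kind redacted")

def shannon_entropy(s: str) -> float:
    """Bits per character: placeholders like 'xxxxxxxx' score near 0, real keys score high."""
    if not s:
        return 0.0
    probs = [s.count(ch) / len(s) for ch in set(s)]
    return -sum(p * math.log2(p) for p in probs)

def redact(value: str) -> str:
    return value[:6] + "..." + value[-2:]

def scan_text(path: str, text: str, min_entropy: float = 3.0) -> list:
    findings, seen = [], set()
    for line_no, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in SECRET_PATTERNS.items():
            for m in pattern.finditer(line):
                value = m.group("value")
                if (line_no, value) in seen:  # a provider-specific rule already reported this literal
                    continue
                # The generic rule is entropy-gated so 'xxxxxxxx' style placeholders do not alert.
                if kind == "generic_assignment" and shannon_entropy(value) < min_entropy:
                    continue
                seen.add((line_no, value))
                findings.append(Finding(path, line_no, kind, redact(value)))
    return findings

# Constructed sample (no real keys): a hardcoded live-style key, the env-var fix, a secret literal, a placeholder.
SAMPLE_SOURCE = """\
import os
STRIPE_SECRET_KEY = "sk_live_EXAMPLEabc123def456ghi789"
openai_key = os.environ["OPENAI_API_KEY"]
JWT_SECRET = "s3cr3t-9f8e7d6c5b4a3210"
db_password = "xxxxxxxxxxxxxxxx"
"""
```

Wired into a pre-commit hook, a non-empty result from `scan_text` should fail the commit so the literal never reaches history; the entropy gate is what keeps obvious placeholders from drowning real findings.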

Continue reading on Dev.to Webdev
