Leaked API keys are nothing new, but the scale of the problem in front-end code has been largely a mystery - until now. Intruder’s research team built a new secrets detection method and scanned 5 million applications specifically looking for secrets hidden in JavaScript bundles.
What we found revealed a massive gap in how the industry secures single-page applications.
42,000 secrets hidden in plain sight
The results of applying our new detection method at scale were staggering. The output file alone was over 100MB of plain text, containing more than 42,000 exposed tokens across 334 different secret types.
These weren't just low-value test keys or dead tokens. We found active, critical credentials sitting in production code, where anyone who loads the page can read them. Repository-focused secret scanners never see what the build step bakes into the bundle, so these tokens bypass the controls most organizations rely on.
Here is a breakdown of the most critical risks we uncovered.
Code Repository Tokens
The most impactful exposures were tokens for code repository platforms such as GitHub and GitLab. In total, we found 688 tokens, many of which were still active and gave full access to repositories.
In one case (shown below) a GitLab personal access token was embedded directly in a JavaScript file. The token was scoped to allow access to all private repositories within the organization, including CI/CD pipeline secrets for onward services such as AWS and SSH.
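As an added example (this is not Intruder's detection method, whose internals the article does not describe), the Node.js script below does the job the scan above and the repository-token findings call for: it sweeps a constructed bundle for GitHub and GitLab personal access tokens and AWS access key IDs, drops documentation examples and template filler by keyword and Shannon entropy, and builds, without sending, the API request that would confirm whether a repository token is still live. The token prefixes are the vendors' published formats; the sample bundle, the entropy threshold, and all helper names are assumptions of this example.

```javascript
'use strict';
// Added example, not Intruder's tooling: scan a built JavaScript bundle for
// repository and cloud tokens, with the placeholder and entropy filters needed
// to keep the output usable. Token prefixes are the vendors' published formats;
// the sample bundle, threshold and helper names are assumptions of this example.

// Each signature is a vendor prefix plus the documented body length. The
// lookarounds stop a match bleeding into neighbouring identifier characters
// in minified code.
const SIGNATURES = [
  { type: 'github_pat',        re: /(?<![A-Za-z0-9_])ghp_[A-Za-z0-9]{36}(?![A-Za-z0-9])/g },
  { type: 'gitlab_pat',        re: /(?<![A-Za-z0-9_])glpat-[A-Za-z0-9_-]{20}(?![A-Za-z0-9_-])/g },
  { type: 'aws_access_key_id', re: /(?<![A-Za-z0-9_])(?:AKIA|ASIA)[A-Z0-9]{16}(?![A-Z0-9])/g },
];

// Shannon entropy in bits per character: random base62/base64 material scores
// well above 3.0, while filler such as XXXX... scores near 0.
function shannonEntropy(s) {
  const counts = new Map();
  for (const ch of s) counts.set(ch, (counts.get(ch) || 0) + 1);
  let h = 0;
  for (const n of counts.values()) {
    const p = n / s.length;
    h -= p * Math.log2(p);
  }
  return h;
}

const ENTROPY_FLOOR = 3.0; // threshold chosen for this example, tune per format
const PLACEHOLDER_WORDS = /EXAMPLE|SAMPLE|PLACEHOLDER|CHANGEME|REPLACE/i;

// True for strings that match a vendor format but are clearly not live
// credentials: documentation examples, template filler, low-entropy bodies.
function isPlaceholder(token) {
  const body = token.replace(/^(ghp_|glpat-|AKIA|ASIA)/, '');
  return PLACEHOLDER_WORDS.test(body) || shannonEntropy(body) < ENTROPY_FLOOR;
}

function redact(token) {
  return token.slice(0, 8) + '...' + token.slice(-4);
}

// Return one finding per distinct token with its 1-based line and 0-based
// offset, so it can be traced back through a source map where one exists.
function findSecrets(bundle) {
  const seen = new Set();
  const findings = [];
  for (const { type, re } of SIGNATURES) {
    re.lastIndex = 0;
    let m;
    while ((m = re.exec(bundle)) !== null) {
      const token = m[0];
      if (seen.has(token) || isPlaceholder(token)) continue;
      seen.add(token);
      const line = bundle.slice(0, m.index).split('\n').length;
      findings.push({ type, token, redacted: redact(token), line, offset: m.index });
    }
  }
  return findings;
}

// Build (but do not send) the request that shows whether a repository token is
// still active: both endpoints return the token owner on success and 401 when
// the token is revoked. AWS keys need SigV4-signed calls (e.g.
// sts:GetCallerIdentity) and are left out of this example.
function livenessRequest(finding) {
  switch (finding.type) {
    case 'github_pat':
      return { method: 'GET', url: 'https://api.github.com/user',
               headers: { Authorization: `Bearer ${finding.token}` } };
    case 'gitlab_pat':
      return { method: 'GET', url: 'https://gitlab.com/api/v4/user',
               headers: { 'PRIVATE-TOKEN': finding.token } };
    default:
      return null;
  }
}

// Constructed sample bundle: the tokens are invented and only follow the formats.
const SAMPLE_BUNDLE = [
  '/*! app.bundle.js - constructed sample, not a real build */',
  '!function(e){var t={};t.gl="glpat-Zy9_x8Wv7-Uu6Tt5Ss4R";t.gh="ghp_a1B2c3D4e5F6g7H8i9J0kLmNoPqRsTuVwXyZ";e.cfg=t}(window);',
  'const TEMPLATE_TOKEN="ghp_' + 'X'.repeat(36) + '";',
  'const DOC_KEY="AKIAIOSFODNN7EXAMPLE";const REAL_KEY="AKIA3Q7ZP2MXV9TK4WB6";',
].join('\n');

for (const f of findSecrets(SAMPLE_BUNDLE)) {
  console.log(`${f.type}\tline ${f.line}\t${f.redacted}`);
}
```

Run it with `node scan.js`; to scan a real build, read the bundle files from your `dist/` directory and pass their contents to `findSecrets`. The signature list here is deliberately short, while the article's scan covered 334 secret types, so treat it as a starting point rather than coverage. The placeholder filter is what keeps a 100MB result file from being mostly noise: the AWS documentation key `AKIAIOSFODNN7EXAMPLE` and the all-X GitHub template in the sample are matched by the regexes and then discarded. Only send the liveness requests against tokens belonging to assets you are authorized to test; using someone else's token to call `/user` is unauthorized access, even if it is just a read.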