Introduction: A Growing Cybersecurity Crisis Hidden in Plain Sight
Leaked API keys and secret tokens are no longer rare accidents. They have become a recurring and dangerous trend across the modern internet. Despite years of warnings from security experts, sensitive credentials continue to appear in publicly accessible applications, exposing organizations to catastrophic breaches.
New research from Intruder reveals just how severe the problem has become. By scanning nearly five million applications, their team uncovered more than 42,000 exposed secrets across 334 different token types. Many of these credentials were still active, granting attackers direct access to corporate systems, cloud services, and private data repositories.
This investigation exposes a fundamental failure in how organizations detect and prevent secret leaks, particularly in single-page applications (SPAs) where JavaScript bundles quietly ship sensitive data straight to the public internet.
Original Summary
Why Exposed API Keys Are Still Happening
Leaked tokens have become routine, yet breaches continue to follow them. Intruder’s research team set out to understand why traditional scanners fail to catch these secrets. Their focus was on what standard tools actually detect and where the blind spots exist.
Traditional Secrets Detection: Old Tools, Big Limitations
Most vulnerability scanners rely on predefined paths and regular expressions to detect known secret formats. While effective for obvious cases, they fail to discover leaks hidden deeper in applications.
A classic example is Nuclei’s GitLab token scanner. It only checks a single page response, ignoring JavaScript files and secondary resources. This means sensitive tokens embedded inside front-end scripts remain invisible to the scanner.
Infrastructure Scanners Miss JavaScript Files
Traditional scanners don’t operate like browsers. They don’t load supporting assets such as JavaScript bundles. This creates a massive blind spot, especially for modern web apps built entirely on front-end frameworks.
DAST Tools: Powerful but Rarely Deployed
Dynamic Application Security Testing (DAST) tools offer deeper scanning. They can spider entire applications and authenticate into protected areas.
However, they are expensive, complex to configure, and typically reserved for high-value systems. Most companies don’t run DAST scans across their entire digital footprint, leaving countless applications unchecked.
SAST Tools: Helpful but Incomplete
Static Application Security Testing (SAST) tools are excellent at catching hardcoded secrets before deployment. But they fail when secrets are introduced during build processes or injected later in pipelines.
This allows credentials to slip into production unnoticed, especially within compiled JavaScript bundles.
Scanning 5 Million Apps: Shocking Results
Intruder built a custom detection engine and scanned approximately five million applications. The output was staggering:
Over 42,000 exposed tokens
Across 334 different secret types
Output data exceeding 100MB
Many tokens were still active and exploitable.
High-Risk Discoveries
The researchers identified multiple critical exposures:
688 GitHub and GitLab tokens, many granting full repository access
One token provided complete access to private repos and CI/CD secrets
An exposed Linear API key revealed internal project data
Slack, Teams, Discord, and Zapier webhooks were publicly accessible
Email platforms exposed mailing lists and subscriber data
CAD software APIs exposed architectural designs, including a hospital
PDF converters allowed third-party document access
Sales intelligence platforms leaked scraped business data
The Root Cause
Secrets are leaking after traditional security controls run. Build pipelines, automation, and AI-generated code introduce credentials at later stages.
This makes traditional “shift-left” security insufficient on its own.
The Solution
Intruder implemented automated SPA scanning to detect secrets inside JavaScript bundles before production deployment. This approach finally closes the visibility gap.
What Undercode Says:
The Industry’s Dirty Secret
The cybersecurity industry has known about API key leaks for years. Yet organizations continue repeating the same mistakes. This isn’t a technical failure. It’s an operational failure.
Companies rely too heavily on outdated scanning models built for 2012-era websites, not 2026-era JavaScript frameworks.
Modern Apps Are Built to Leak
Single-page applications bundle everything into massive JavaScript files. Developers unknowingly embed credentials during build processes. Once deployed, those secrets are publicly downloadable by anyone.
Security teams rarely inspect compiled front-end code, assuming SAST already covered it. That assumption is dangerously wrong.
Why Traditional Scanners Are Obsolete
Infrastructure scanners don’t simulate real browsers. They don’t execute JavaScript. They don’t load assets.
This creates a false sense of security. Companies think they’re protected because scans come back clean, while secrets sit exposed in /assets/main.js.
DAST Is Not a Silver Bullet
DAST tools are powerful, but only when used correctly. Most companies deploy them on flagship apps only.
Your forgotten internal dashboard? Untested.
Your regional marketing portal? Untested.
Your temporary campaign site? Untested.
Attackers don’t care about your “priority list.”
SAST Fails in CI/CD Pipelines
Build-time secrets injection is now standard practice. Tokens pulled from environment variables end up embedded in front-end bundles.
Once that happens, SAST has already finished its job. The secret slips through.
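As an added example (not code from the article, from Intruder, or from any scanner it names), the following Node.js snippet contrasts the single-response check described in the Original Summary with a bundle-aware scan, and shows how a token pulled from an environment variable at build time ends up in the bundle. The page, the bundle, the build step and every token value are constructed placeholders in the public token formats.

```javascript
// Constructed example: page-only scan vs bundle-aware scan of an SPA.
// Detectors for a few well-known secret formats (a small subset of the
// hundreds of types a real scanner would carry).
const DETECTORS = [
  { type: "github_pat", re: /\bghp_[A-Za-z0-9]{36}\b/g },
  { type: "gitlab_pat", re: /\bglpat-[A-Za-z0-9_-]{20}\b/g },
  { type: "slack_webhook",
    re: /https:\/\/hooks\.slack\.com\/services\/T[A-Z0-9]+\/B[A-Z0-9]+\/[A-Za-z0-9]+/g },
];

// Return every { type, value } match found in one text body.
function scanText(text) {
  const hits = [];
  for (const { type, re } of DETECTORS) {
    for (const m of text.matchAll(re)) hits.push({ type, value: m[0] });
  }
  return hits;
}

// Resolve every <script src=...> reference in an HTML document against its URL.
function scriptUrls(html, baseUrl) {
  const urls = [];
  for (const m of html.matchAll(/<script[^>]*\ssrc=["']([^"']+)["']/gi)) {
    urls.push(new URL(m[1], baseUrl).href);
  }
  return urls;
}

// Stand-in for a DefinePlugin-style build step (not a real bundler): each
// process.env.NAME reference is replaced by the literal value from the build env.
function inlineEnv(source, env) {
  return source.replace(/process\.env\.([A-Z_]+)/g, (_, k) => JSON.stringify(env[k] ?? ""));
}

// Constructed site: the HTML holds no secret; the built bundle does.
const SITE = {
  "https://app.example/":
    '<html><body><div id="root"></div><script src="/assets/main.js"></script></body></html>',
  "https://app.example/assets/main.js": inlineEnv(
    'fetch("https://gitlab.example/api/v4/projects",{headers:{"PRIVATE-TOKEN":process.env.GITLAB_TOKEN}});',
    { GITLAB_TOKEN: "glpat-constructedEXAMPLE01" }),  // constructed placeholder token
};
const fetchText = (url) => SITE[url] ?? "";  // offline stand-in for an HTTP GET

// What a single-response check sees: only the HTML body.
function pageOnlyScan(url) { return scanText(fetchText(url)); }

// Bundle-aware scan: the HTML plus every script it loads.
function bundleAwareScan(url) {
  const html = fetchText(url);
  const hits = scanText(html);
  for (const u of scriptUrls(html, url)) hits.push(...scanText(fetchText(u)));
  return hits;
}
```

Running both scans against the constructed site, the page-only scan returns nothing while the bundle-aware scan reports the GitLab token sitting in /assets/main.js.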
This Problem Will Get Worse
AI code generation is accelerating this crisis. Developers copy-paste snippets containing credentials. Automation pipelines inject secrets dynamically.
Security teams can’t manually audit millions of lines of generated code.
The Real Risk: Supply Chain Attacks
Exposed GitHub and GitLab tokens aren’t just data leaks. They enable supply chain attacks.
Attackers can:
Modify source code
Inject malware into updates
Steal CI/CD secrets
Pivot into cloud infrastructure
This turns a simple leak into a company-wide breach.
Why Front-End Security Is Ignored
Security teams traditionally focus on servers. Front-end code is treated as “harmless.”
That mindset is outdated. JavaScript now controls authentication, APIs, and business logic.
Attackers Are Already Exploiting This
Threat actors actively scan JavaScript bundles for secrets. This is automated, fast, and profitable.
Once a token is found, it’s tested within seconds. If active, exploitation begins immediately.
Why Organizations Still Fail
Lack of ownership between dev and security teams
Overconfidence in existing tools
Budget constraints for DAST deployment
No visibility into front-end code risks
This is a governance problem, not a tooling problem.
The Only Real Solution
SPA spidering must become standard.
JavaScript bundle scanning must be automated.
Secrets detection must happen continuously, not annually.
Security programs that ignore front-end code are already obsolete.
Regulatory Fallout Is Coming
As breaches increase, regulators will target negligent secret handling. Companies exposing credentials publicly will face compliance penalties, lawsuits, and reputational collapse.
This Is the New Perimeter
Your front-end is now your attack surface.
Ignore it, and attackers won’t.
🔍 Fact Checker Results
✅ Intruder confirmed scanning 5 million applications and finding 42,000 exposed secrets
✅ GitHub, GitLab, Slack, and Linear token exposures were documented
❌ No evidence suggests most organizations are currently scanning SPA bundles effectively
📊 Prediction
🔮 JavaScript bundle scanning will become mandatory in enterprise security programs
🔮 Regulatory bodies will fine companies for exposed credentials
🔮 AI-generated code will double secret leakage incidents within two years
References:
Reported By: thehackernews.com