{"id":179898,"date":"2026-01-20T05:45:00","date_gmt":"2026-01-20T10:45:00","guid":{"rendered":"https:\/\/testing.news-you-need.com\/index.php\/2026\/01\/20\/why-secrets-in-javascript-bundles-are-still-being-missed\/"},"modified":"2026-01-20T06:55:09","modified_gmt":"2026-01-20T11:55:09","slug":"why-secrets-in-javascript-bundles-are-still-being-missed","status":"publish","type":"post","link":"https:\/\/testing.news-you-need.com\/index.php\/2026\/01\/20\/why-secrets-in-javascript-bundles-are-still-being-missed\/","title":{"rendered":"Why Secrets in JavaScript Bundles are Still Being Missed"},"content":{"rendered":"<p><a href=\"https:\/\/thehackernews.com\/2026\/01\/why-secrets-in-javascript-bundles-are.html\">Why Secrets in JavaScript Bundles are Still Being Missed<\/a><\/p>\n<p><a href=\"https:\/\/thehackernews.com\/2026\/01\/why-secrets-in-javascript-bundles-are.html\">https:\/\/thehackernews.com\/2026\/01\/why-secrets-in-javascript-bundles-are.html<\/a><\/p>\n<p>Publish Date: 2026-01-20 05:45:00<\/p>\n<p>Source Domain: thehackernews.com<\/p>\n<p>Leaked API keys are no longer unusual, nor are the breaches that follow. 
So why are sensitive tokens still being so easily exposed?<br \/>\nTo find out, Intruder&#8217;s research team looked at what traditional vulnerability scanners actually cover and built a new secrets detection method to address gaps in existing approaches.<br \/>\nApplying this at scale by scanning 5 million applications revealed over 42,000 exposed tokens across 334 secret types, exposing a major class of leaked secrets that is not being handled well by existing tooling, particularly in single-page applications (SPAs).<br \/>\nIn this article, we break down existing secrets detection methods and reveal what we found when we scanned millions of applications for secrets hidden in JavaScript bundles.<br \/>\nEstablished secrets detection methods (and their limitations)<br \/>\nTraditional secrets detection<br \/>\nThe traditional, fully automated approach to detecting application secrets is to search a set of known paths and apply regular expressions to match known secret formats.<br \/>\nWhile this method is useful and can catch some exposures, it has clear limitations and will not detect all types of leaks, particularly those that require the scanner to spider the application or authenticate.<br \/>\nA good example of this is Nuclei&#8217;s GitLab personal access token template. The scanner is fed a base URL, for example, https:\/\/portal.intruder.io\/, causing the template to:<\/p>\n<p>Make an HTTP GET request to https:\/\/portal.intruder.io\/<br \/>\nInspect the direct response to that single request, ignoring other pages and resources such as JavaScript files<br \/>\nAttempt to identify the pattern of a GitLab personal access token<br \/>\nIf found, make a follow-up request to GitLab&#8217;s public API to check whether the token is active<br \/>\nIf active, raise an issue<\/p>\n<p>This is clearly a simple example, but this approach is effective. 
Especially so when templates define many paths where secrets are commonly exposed.<br \/>\nThis format is typical of infrastructure scanners, which do not typically run a headless browser. When the scanner is given the base URL to scan (for example, https:\/\/portal.intruder.io), subsequent requests that would be made by a browser (such as the JavaScript files required to render the page, e.g., https:\/\/portal.intruder.io\/assets\/index-DzChsIZu.js) will not be made using this old-school approach. <\/p>\n<p>Dynamic Application Security Testing (DAST)<br \/>\nDynamic Application Security Testing (DAST) tools are generally a more robust way to scan applications, and tend to have more complex functionality, allowing for full spidering of applications, support for authentication, and a wider capability at detecting application layer weaknesses. Indeed, DAST scanners may seem the natural option for secrets detection in application front-ends. There should be nothing holding back a DAST scanner from discovering available JavaScript files or scanning for secrets within them.<br \/>\nHowever, this type of scanning is more expensive, requires in-depth configuration, and in reality is usually reserved for a small number of high-value applications. For example, you are unlikely to configure a DAST scanner for every application you have out there across a wide digital estate. Plus, many DAST tools do not implement a wide enough range of regular expressions compared to well-known command-line tools.<br \/>\nThis leaves a clear gap which should be covered by the traditional infrastructure scanner, but isn&#8217;t &#8211; and in all likelihood is also not being covered by DAST scanners because of deployment, budget, and maintenance limitations.<br \/>\nStatic Application Security Testing (SAST)<br \/>\nStatic Application Security Testing (SAST) tools analyze source code to identify vulnerabilities and are a primary way to detect secrets before code reaches production. 
They are effective at catching hardcoded credentials and preventing some classes of exposure.<br \/>\nHowever, we found that SAST methods also do not cover the full picture &#8211; and once again, some secrets within JavaScript bundles slipped through the gaps in a way that static analysis would miss.<br \/>\nBuilding a secrets detection check for JavaScript bundles<br \/>\nWhen we started this research, it was not clear how common this problem would be. Are secrets actually being bundled into JavaScript front-ends, and is it widespread enough to justify an automated approach?<br \/>\nTo find out, we built an automated check and scanned approximately 5 million applications. The result was a large number of exposures, significantly more than we expected. The output file alone was over 100MB of plain text and contained more than 42,000 tokens across 334 different secret types.<br \/>\nWe did not fully triage every result, but among the samples we reviewed, we identified a number of high-impact exposures.<\/p>\n<p>What we found<br \/>\nCode Repository Tokens<br \/>\nThe most impactful exposures we identified were tokens for code repository platforms such as GitHub and GitLab. In total, we found 688 tokens, many of which were still active and gave full access to repositories.<br \/>\nIn one case, shown below, a GitLab personal access token was embedded directly in a JavaScript file. 
The token was scoped to allow access to all private repositories within the organization, including CI\/CD pipeline secrets for onward services such as AWS and SSH.<\/p>\n<p>Project Management API Keys<br \/>\nAnother significant exposure involved an API key for Linear, a project management application, embedded directly in front-end code:<\/p>\n<p>The token exposed the organization&#8217;s entire Linear instance, including internal tickets, projects, and links to downstream services and SaaS projects.<br \/>\nAnd more<br \/>\nWe identified exposed secrets across a wide range of other services, including:<br \/>\nCAD software APIs \u2013 access to user data, project metadata, and building designs, including a hospital<br \/>\nLink shorteners \u2013 ability to create and enumerate links<br \/>\nEmail platforms \u2013 access to mailing lists, campaigns, and subscriber data<br \/>\nWebhooks for chat and automation platforms \u2013 213 Slack, 2 Microsoft Teams, 1 Discord, and 98 Zapier, all of them active<br \/>\nPDF converters \u2013 access to third-party document generation tools<br \/>\nSales intelligence and analytics platforms \u2013 access to scraped company and contact data<br \/>\nDon&#8217;t ship your secrets<br \/>\nShift-left controls matter. SAST, repository scanning, and IDE guardrails catch real issues and prevent entire classes of exposure. But as this research shows, they do not cover every path a secret can take into production.<br \/>\nSecrets introduced during build and deployment can bypass those safeguards and end up in front-end code, long after the point where shift-left controls have already run. And this problem will only grow as automation and AI-generated code become more common.<br \/>\nThat&#8217;s why single-page application spidering is needed to catch secrets before they reach production. We&#8217;ve built automated SPA secrets detection into Intruder so teams can actually catch this. Learn more.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Why Secrets in JavaScript Bundles are Still Being Missed https:\/\/thehackernews.com\/2026\/01\/why-secrets-in-javascript-bundles-are.html Publish Date: 2026-01-20 05:45:00 Source&#8230;<\/p>\n","protected":false},"author":1,"featured_media":179899,"comment_status":"closed","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEieV5wPGUwZgsm79ntLb9Sz_6xAPAV54CQ1SztbNfpLe-ovKEkTrCsLBRsD52c87yFiByHZGandN1pYNNBn1OLUpc5iEFJnGP0YRn_WWeWod1xxQUNhjlD1vFMh-4EI2fq06Gt86H_U7rX7FBjhLoXrhtzQKqjLRa3X6c7W86BFrR5xfDX80ve6UDs4zU8\/s900-e365\/main.jpg","fifu_image_alt":"","footnotes":""},"categories":[15],"tags":[26,27],"class_list":["post-179898","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cybersecurity","tag-ai","tag-vulnerability"],"_links":{"self":[{"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/179898"}],"collection":[{"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/comments?post=179898"}],"version-history":[{"count":1,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/179898\/revisions"}],"predecessor-version":[{"id":179900,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/179898\/revisions\/179900"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/testing.news-you-need.c
om\/index.php\/wp-json\/wp\/v2\/media\/179899"}],"wp:attachment":[{"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/media?parent=179898"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/categories?post=179898"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/tags?post=179898"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}