Exposed Secrets in JavaScript Bundles Across Millions of Applications
Summary
A study by Intruder's research team found over 42,000 exposed tokens across 334 secret types in 5 million scanned applications. These tokens, often missed by traditional vulnerability scanners, pose significant security risks, including unauthorized access to code repositories, project management tools, and other sensitive services. The research highlights the limitations of existing secrets detection methods and underscores the need for more comprehensive scanning techniques. The exposed tokens included 688 GitHub and GitLab personal access tokens, many of which were still active and gave full access to repositories. An API key for Linear, a project management application, was also found embedded directly in front-end code, exposing the organization's entire Linear instance. Additionally, exposed secrets were found across a wide range of other services, including CAD software APIs, email platforms, webhooks for chat and automation platforms, PDF converters, sales intelligence and analytics platforms, and link shorteners.
Timeline
- 20.01.2026 12:45 (2 articles)
Intruder's Research Reveals 42,000 Exposed Tokens in JavaScript Bundles
Intruder's research team scanned 5 million applications and discovered over 42,000 exposed tokens across 334 secret types. These tokens, often missed by traditional vulnerability scanners, include GitHub and GitLab personal access tokens, Linear API keys, and other sensitive credentials. The findings underscore the need for more comprehensive scanning techniques to prevent such exposures. The exposed tokens included 688 GitHub and GitLab personal access tokens, many of which were still active and gave full access to repositories. An API key for Linear, a project management application, was also found embedded directly in front-end code, exposing the organization’s entire Linear instance. Additionally, exposed secrets were found across a wide range of other services, including CAD software APIs, email platforms, webhooks for chat and automation platforms, PDF converters, sales intelligence and analytics platforms, and link shorteners.
Sources:
- Why Secrets in JavaScript Bundles are Still Being Missed — thehackernews.com — 20.01.2026 12:45
- What 5 Million Apps Revealed About Secrets in JavaScript — www.bleepingcomputer.com — 17.02.2026 16:40
Information Snippets
-
Intruder's research team scanned 5 million applications and found over 42,000 exposed tokens across 334 secret types.
First reported: 20.01.2026 12:45 (2 sources, 2 articles). Sources:
- Why Secrets in JavaScript Bundles are Still Being Missed — thehackernews.com — 20.01.2026 12:45
- What 5 Million Apps Revealed About Secrets in JavaScript — www.bleepingcomputer.com — 17.02.2026 16:40
-
Traditional vulnerability scanners often miss secrets in JavaScript bundles due to limitations in their detection methods.
First reported: 20.01.2026 12:45 (2 sources, 2 articles). Sources:
- Why Secrets in JavaScript Bundles are Still Being Missed — thehackernews.com — 20.01.2026 12:45
- What 5 Million Apps Revealed About Secrets in JavaScript — www.bleepingcomputer.com — 17.02.2026 16:40
-
Dynamic Application Security Testing (DAST) tools are more robust but are often not deployed widely due to cost and complexity.
First reported: 20.01.2026 12:45 (2 sources, 2 articles). Sources:
- Why Secrets in JavaScript Bundles are Still Being Missed — thehackernews.com — 20.01.2026 12:45
- What 5 Million Apps Revealed About Secrets in JavaScript — www.bleepingcomputer.com — 17.02.2026 16:40
-
Static Application Security Testing (SAST) tools can miss secrets introduced during build and deployment phases.
First reported: 20.01.2026 12:45 (2 sources, 2 articles). Sources:
- Why Secrets in JavaScript Bundles are Still Being Missed — thehackernews.com — 20.01.2026 12:45
- What 5 Million Apps Revealed About Secrets in JavaScript — www.bleepingcomputer.com — 17.02.2026 16:40
-
Exposed tokens included GitHub and GitLab personal access tokens, Linear API keys, and other sensitive credentials.
First reported: 20.01.2026 12:45 (2 sources, 2 articles). Sources:
- Why Secrets in JavaScript Bundles are Still Being Missed — thehackernews.com — 20.01.2026 12:45
- What 5 Million Apps Revealed About Secrets in JavaScript — www.bleepingcomputer.com — 17.02.2026 16:40
-
The exposed tokens granted access to various services, including code repositories, project management tools, and automation platforms.
First reported: 20.01.2026 12:45 (2 sources, 2 articles). Sources:
- Why Secrets in JavaScript Bundles are Still Being Missed — thehackernews.com — 20.01.2026 12:45
- What 5 Million Apps Revealed About Secrets in JavaScript — www.bleepingcomputer.com — 17.02.2026 16:40
-
The exposed tokens included 688 GitHub and GitLab personal access tokens, many of which were still active and gave full access to repositories.
First reported: 17.02.2026 16:40 (1 source, 1 article). Sources:
- What 5 Million Apps Revealed About Secrets in JavaScript — www.bleepingcomputer.com — 17.02.2026 16:40
-
An API key for Linear, a project management application, was embedded directly in front-end code, exposing the organization’s entire Linear instance.
First reported: 17.02.2026 16:40 (1 source, 1 article). Sources:
- What 5 Million Apps Revealed About Secrets in JavaScript — www.bleepingcomputer.com — 17.02.2026 16:40
-
Exposed secrets were found across a wide range of other services, including CAD software APIs, email platforms, webhooks for chat and automation platforms, PDF converters, sales intelligence and analytics platforms, and link shorteners.
First reported: 17.02.2026 16:40 (1 source, 1 article). Sources:
- What 5 Million Apps Revealed About Secrets in JavaScript — www.bleepingcomputer.com — 17.02.2026 16:40
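The snippets above note that SAST tools scan source and therefore miss secrets that a bundler inlines at build time. The following is an added example, not code from Intruder or the cited articles: it runs one small prefix-based secret scanner over a constructed source file and over the bundle a build step would emit from it, so the gap is visible. The `lin_api_` prefix and length for Linear keys are assumptions; the token values are fake placeholders.

```javascript
// Added example, not code from Intruder or the cited articles: a minimal
// secret scanner run over a constructed source file and the bundle a
// bundler would emit from it. It demonstrates the SAST gap the page
// describes: the secret only exists after the build inlines an env var.

// Constructed developer source. The token is an environment reference,
// so a source-level scan has nothing to match.
const SOURCE =
  'const client = new Api({ token: process.env.GITHUB_TOKEN });\n' +
  'fetch(GITLAB_URL, { headers: { "PRIVATE-TOKEN": process.env.GITLAB_TOKEN } });';

// Constructed bundle output: env vars replaced by literals at build time.
// Values are fake placeholders shaped like the real formats, not credentials.
const FAKE_GITHUB_PAT = 'ghp_' + 'A'.repeat(36);
const FAKE_GITLAB_PAT = 'glpat-' + 'B'.repeat(20);
const BUNDLE =
  `const client=new Api({token:"${FAKE_GITHUB_PAT}"});` +
  `fetch("https://gitlab.example/api",{headers:{"PRIVATE-TOKEN":"${FAKE_GITLAB_PAT}"}});`;

// Patterns for secret types the page names. GitHub classic PATs use the
// ghp_ prefix and GitLab PATs glpat-; the lin_api_ prefix and length for
// Linear keys are assumed here. Purely entropy-based detection is omitted.
const PATTERNS = [
  { type: 'github_pat', re: /\bghp_[A-Za-z0-9]{36}\b/g },
  { type: 'gitlab_pat', re: /\bglpat-[A-Za-z0-9_-]{20}(?![A-Za-z0-9_-])/g },
  { type: 'linear_api_key', re: /\blin_api_[A-Za-z0-9]{32,}\b/g },
];

// Scan text and return findings. Only a redacted preview is kept so the
// report itself does not become another place the secret is stored.
function scanForSecrets(text) {
  const findings = [];
  for (const { type, re } of PATTERNS) {
    for (const m of text.matchAll(re)) {
      findings.push({ type, preview: m[0].slice(0, 8) + '...', offset: m.index });
    }
  }
  return findings;
}

// Run the same scanner over source and bundle to show where the gap is.
function compareSourceAndBundle(source, bundle) {
  return { source: scanForSecrets(source), bundle: scanForSecrets(bundle) };
}

const REPORT = compareSourceAndBundle(SOURCE, BUNDLE);
console.log(JSON.stringify(REPORT, null, 2));
```

Running the scanner over the deployed bundle (or the served JavaScript itself) rather than the repository is what closes this gap; the same prefix list can be extended with the other token formats a team actually uses.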
Similar Happenings
Critical Redis Lua Use-After-Free Vulnerability Exploitable for Remote Code Execution
A critical vulnerability in Redis, tracked as CVE-2025-49844 and dubbed "RediShell", allows authenticated attackers to achieve remote code execution on vulnerable instances. The flaw, a 13-year-old use-after-free weakness in the Redis Lua scripting engine, affects all versions of Redis and can be exploited to gain full access to the host system. Successful exploitation can lead to data exfiltration, encryption, or lateral movement within cloud environments. The vulnerability impacts approximately 330,000 exposed Redis instances, with around 60,000 of them not requiring authentication. Patches have been released in versions 6.2.20, 7.2.11, 7.4.6, 8.0.4, and 8.2.2, and administrators are urged to update their instances immediately. Additional patches have been released for versions 7.22.2-12, 7.8.6-207, 7.4.6-272, 7.2.4-138, and 6.4.2-131. Temporary workarounds include setting an access control list (ACL) to restrict EVAL and EVALSHA commands. The vulnerability was discovered and reported by cloud security company Wiz on May 16, 2025. The flaw was jointly disclosed by Redis and Wiz on October 3, 2025. There is no evidence that the vulnerability was exploited in the wild. The flaw exploits a use-after-free (UAF) memory corruption bug, allowing attackers to escape the Lua sandbox and achieve arbitrary code execution. Wiz recommended implementing Redis authentication and network access controls, and urged organizations to prioritize patching Redis instances exposed to the Internet.
GhostAction GitHub supply chain attack steals 3,325 secrets
The GhostAction supply chain attack compromised 3,325 secrets from GitHub repositories. The attack, discovered by GitGuardian on September 2, 2025, involved malicious commits to GitHub Actions workflows that exfiltrated secrets to an external domain. The first signs of compromise were detected in the FastUUID project. The attack affected at least 817 repositories and targeted multiple package ecosystems, including PyPI, npm, DockerHub, and AWS keys. The exfiltration endpoint was taken down shortly after the campaign's discovery. The compromised secrets included PyPI tokens, npm tokens, DockerHub tokens, GitHub tokens, Cloudflare API tokens, AWS access keys, and database credentials. The attack impacted at least nine npm and 15 PyPI packages, potentially allowing for the release of malicious or trojanized versions. The Python Software Foundation invalidated all PyPI tokens stolen in the attack, confirming that the threat actors did not abuse them to publish malware. GitGuardian notified the security teams of GitHub, npm, and PyPI and opened issues in 573 impacted repositories. A hundred repositories had already detected and reverted the malicious changes before the full scope of the campaign was uncovered. GitGuardian notified PyPI on September 5, 2025, but the email ended up in the spam folder, delaying the response until September 10, 2025. PyPI advised maintainers to replace long-lived tokens with short-lived Trusted Publishers tokens and review their security history for any suspicious activity.
WeepSteel Malware Deployed via Sitecore Zero-Day Exploit
Threat actors have exploited a zero-day vulnerability in Sitecore Experience Manager (XM) and Experience Platform (XP) to deliver WeepSteel malware. The flaw, tracked as CVE-2025-53690, affects versions prior to 9.0 and was exploited using a sample machine key from outdated deployment guides. The attack involved ViewState deserialization, internal reconnaissance, and the deployment of various open-source tools for persistence and lateral movement. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has ordered federal agencies to patch the vulnerability by September 25, 2025. The vulnerability has a CVSS score of 9.0, indicating critical severity. The China-linked threat group Ink Dragon has been observed turning misconfigured servers in European government networks into relay nodes to hide its cyber-espionage activity. Ink Dragon probes public-facing websites for weaknesses, including configuration issues in Microsoft's IIS web server and SharePoint. Once a foothold is established, the group moves quietly through the environment, collecting credentials and using Remote Desktop for lateral movement. Ink Dragon maps the environment in detail, controls policy settings, and deploys long-term access tools across high-value systems. The group uses compromised organizations to support operations elsewhere, deploying a customized IIS-based module to turn public-facing servers into relay points. Ink Dragon has updated its tooling, including a new version of the FinalDraft backdoor built for long-term access and to blend into Microsoft cloud activity. A second China-linked group, RudePanda, has entered some of the same European government networks and exploited the same exposed server vulnerability. A threat actor likely aligned with China, tracked as UAT-8837, has been targeting critical infrastructure sectors in North America since at least last year. UAT-8837 is primarily tasked with obtaining initial access to high-value organizations. 
The group deploys open-source tools to harvest sensitive information such as credentials, security configurations, and domain and Active Directory (AD) information. UAT-8837 exploits a critical zero-day vulnerability in Sitecore (CVE-2025-53690, CVSS score: 9.0) to obtain initial access. The group disables RestrictedAdmin for Remote Desktop Protocol (RDP) to ensure credentials and other user resources aren't exposed to compromised remote hosts. UAT-8837 downloads several artifacts including GoTokenTheft, EarthWorm, DWAgent, SharpHound, Impacket, GoExec, Rubeus, and Certipy to enable post-exploitation. The group exfiltrated DLL-based shared libraries related to the victim's products, raising the possibility of future trojanization and supply chain compromises.
Malicious nx Packages Exfiltrate Credentials in 's1ngularity' Supply Chain Attack
The Shai-Hulud worm, a self-replicating malware that initially compromised 187 npm packages in mid-September 2025, has evolved into a broader supply chain threat, exposing over 400,000 developer secrets across 30,000 GitHub repositories. The latest development reveals that NPM's post-Shai-Hulud defenses, including the '--ignore-scripts' flag, can be bypassed via Git dependencies through vulnerabilities collectively named *PackageGate*. These flaws allow malicious '.npmrc' files to override the git binary path, enabling full code execution even when script execution is disabled. While Bun, pnpm, and vlt patched their respective vulnerabilities, NPM rejected the report, citing user responsibility for vetting packages. Proof-of-concept exploits demonstrate the practical risk, with reverse shells already observed in the wild. The attack initially spread by injecting malicious scripts into npm packages, using TruffleHog to scan for and exfiltrate credentials, and creating unauthorized GitHub Actions workflows. A second wave, *Sha1-Hulud*, expanded the attack to over 800 packages, introducing a preinstall script (setup_bun.js) that leveraged the Bun runtime to evade detection. This variant also included a destructive wiper mechanism targeting victims' home directories if persistence failed. The malware's self-replicating nature allowed it to cascade through maintainer accounts, compromising downstream projects at scale. GitHub and security firms like Wiz and GitGuardian have urged developers to rotate credentials, audit dependencies, and harden CI/CD environments, but the newly disclosed PackageGate vulnerabilities underscore ongoing risks in the npm ecosystem.
GitHub Risk Vectors in Software Development Life Cycle
GitHub has become integral to modern software development, but its extensive use introduces numerous risk vectors across the software development life cycle (SDLC). These vectors create blind spots that attackers exploit, as seen in incidents like the tj-actions GitHub Action and XZ Utils compromises. Organizations often overlook these risks while focusing on dependency scanning. The following vectors are identified: dependency management, container builds, Kubernetes deployments, configuration management, CI/CD automation, code organization, infrastructure provisioning, build tools, developer workflows, and cross-repository triggers. These vectors highlight the need for comprehensive supply chain governance and proactive security measures to protect against sophisticated supply chain attacks. Organizations must inventory all GitHub references, standardize on pinned immutable references, implement integrity verification, and develop secure internal alternatives for common external dependencies.