Large-scale secrets detection in JavaScript bundles reveals exposed tokens
Technical Analysis
Summary
Hide ▲
Show ▼
Large-scale scanning of 5 million applications exposed over 42,000 tokens hidden in JavaScript bundles, showing that existing secret-detection tooling misses a major leak surface in single-page applications (SPAs). The findings matter because leaked repository credentials, webhooks, and API keys can provide direct access to production systems and downstream services. The research also shows that SPA spidering is needed to close a detection gap left by common scanners.
Related Happenings
Single organization's private GitHub repository cloned after confirmed access
Data Leak
H score12
First: 09.07.2026 21:38
Last: 09.07.2026 21:38
Sources 1
About this happening:
**Confirmed access** to a **private GitHub repository** belonging to **one organization** marks a concrete **data exposure** and raises the risk of source-code or internal-content...
Single organization's private GitHub repository cloned after confirmed access
Data LeakAbout this happening: **Confirmed access** to a **private GitHub repository** belonging to **one organization** marks a concrete **data exposure** and raises the risk of source-code or internal-content...
GitHub data exposed after GitHub breach
Data Leak
H score35
First: 20.05.2026 11:14
Last: 20.05.2026 11:14
Sources 1
About this happening:
GitHub confirmed **exfiltration** of **internal repositories**, making private code and related content potentially available to outsiders. Attackers on the **Breached cybercrime...
GitHub data exposed after GitHub breach
Data LeakAbout this happening: GitHub confirmed **exfiltration** of **internal repositories**, making private code and related content potentially available to outsiders. Attackers on the **Breached cybercrime...
GitHub internal repositories private-code leak claim
Data Leak
H score46
First: 20.05.2026 08:08
Last: 20.05.2026 08:08
Sources 1
About this happening:
GitHub is facing a claimed leak of **internal repositories** after **TeamPCP** said it had access to about **4,000 private-code repos** and tried to sell samples. The alleged expo...
GitHub internal repositories private-code leak claim
Data LeakAbout this happening: GitHub is facing a claimed leak of **internal repositories** after **TeamPCP** said it had access to about **4,000 private-code repos** and tried to sell samples. The alleged expo...
Latest development: 21.05.2026 17:45
A malicious version of Nx Console 18.95.0 was uploaded to Visual Studio Marketplace and Open VSX on May 18, fetched an obfuscated payload, and harvested secrets from ~/.vault-token, /etc/vault/token, .npmrc, ghp_/gho_/ghs_ tokens, AWS metadata, and other local sources; GitHub said the poisoned VS Code extension led to unauthorized access to about 3800 internal repositories.
Shai-Hulud public GitHub repository credential exposure
Data Leak
H score26
First: 18.05.2026 20:28
Last: 18.05.2026 20:28
Sources 1
About this happening:
**Shai-Hulud** stole **developer credentials** that were later exposed in **public GitHub repositories**, turning a theft phase into a public leak of access data. The exposed mate...
Shai-Hulud public GitHub repository credential exposure
Data LeakAbout this happening: **Shai-Hulud** stole **developer credentials** that were later exposed in **public GitHub repositories**, turning a theft phase into a public leak of access data. The exposed mate...
Anthropic Claude Code source code leak from NPM release
Data Leak
H score18
First: 01.04.2026 03:32
Last: 01.04.2026 03:32
Sources 1
About this happening:
Anthropic **mistakenly exposed** proprietary **Claude Code** source code through a **NPM** release, allowing the codebase to be reconstructed and spread online. The leak involved...
Anthropic Claude Code source code leak from NPM release
Data LeakAbout this happening: Anthropic **mistakenly exposed** proprietary **Claude Code** source code through a **NPM** release, allowing the codebase to be reconstructed and spread online. The leak involved...
Latest development: 02.04.2026 23:30
Threat actors are using fake GitHub repositories to exploit the Claude Code source code leak and lure users searching for leaked Claude Code into downloading a 7-Zip archive that launches ClaudeCode_x64.exe and drops Vidar and GhostSocks; Zscaler says the bogus repository is SEO-optimized for Google Search queries like “leaked Claude Code.”
Timeline
-
20.01.2026 12:45 3 articles · 5mo ago
Intruder reports JavaScript bundle secrets detection findings
Technical Analysis UpdateIntruder describes a new secrets detection method aimed at gaps in traditional vulnerability scanners, DAST tools, and SAST workflows for single-page applications. The research scanned approximately 5 million applications and found over 42,000 exposed tokens across 334 secret types, including active code repository tokens and webhooks, showing that secrets embedded in JavaScript bundles can escape common defenses before production.
Show sources
- Why Secrets in JavaScript Bundles are Still Being Missed — thehackernews.com — 20.01.2026 12:45
- Why Secrets in JavaScript Bundles are Still Being Missed — thehackernews.com — 20.01.2026 12:45
- What 5 Million Apps Revealed About Secrets in JavaScript — www.bleepingcomputer.com — 17.02.2026 16:40