
Why Secrets in JavaScript Bundles are Still Being Missed

0
Severity: Low
Tags: Vulnerability, java, javascript
Published: Tue Jan 20 2026 (01/20/2026, 10:45:00 UTC)
Source: The Hacker News

Description

Leaked API keys are no longer unusual, nor are the breaches that follow. So why are sensitive tokens still being so easily exposed? To find out, Intruder’s research team looked at what traditional vulnerability scanners actually cover and built a new secrets detection method to address gaps in existing approaches. Applying this at scale by scanning 5 million applications revealed over

AI-Powered Analysis

AI analysis last updated: 01/21/2026, 03:08:12 UTC

Technical Analysis

This threat centers on the persistent exposure of sensitive secrets, such as API keys and personal access tokens, embedded within JavaScript bundles of web applications, especially single-page applications (SPAs). Traditional vulnerability scanners typically operate by scanning known paths and applying regex patterns to detect secrets, but often only inspect direct HTTP responses without fetching JavaScript resources or authenticating to explore deeper application layers. Dynamic Application Security Testing (DAST) tools, while more capable of spidering applications and handling authentication, are often underutilized due to cost and complexity, leaving many applications unscanned at this depth. Static Application Security Testing (SAST) tools analyze source code to catch hardcoded secrets before deployment but cannot detect secrets introduced during build or deployment phases that end up in bundled JavaScript.

Intruder's research team developed a new automated secrets detection method that scans JavaScript bundles dynamically and applied it to approximately 5 million applications, discovering over 42,000 exposed tokens across 334 secret types. Notably, many tokens for code repository platforms like GitHub and GitLab were found active, granting attackers access to private repositories and CI/CD pipelines, potentially leading to further compromise of cloud environments and internal systems. Other exposed secrets included API keys for project management tools, email platforms, chat automation webhooks, CAD software APIs, and sales intelligence platforms.

These exposures arise because secrets can be introduced late in the development lifecycle, bypassing shift-left controls such as SAST and repository scanning. The research highlights the need for scanning approaches that include SPA spidering and JavaScript bundle analysis to detect secrets before production deployment. The findings underscore a significant gap in current security tooling and practices, emphasizing the importance of integrating dynamic secrets detection into continuous security workflows.

Potential Impact

For European organizations, the exposure of secrets embedded in JavaScript bundles can have severe consequences. Unauthorized access to code repositories (e.g., GitHub, GitLab) can lead to intellectual property theft, insertion of malicious code, and compromise of CI/CD pipelines, potentially cascading into cloud infrastructure breaches. Exposure of project management API keys and SaaS tokens can reveal sensitive internal project data, customer information, and operational workflows, undermining confidentiality and business integrity. Attackers leveraging these secrets can conduct lateral movement, data exfiltration, and disrupt services, impacting availability and trust. Given the widespread adoption of SPAs and cloud-based SaaS platforms across Europe, many organizations may unknowingly expose critical secrets, increasing their attack surface. The risk is amplified in sectors with stringent data protection requirements, such as finance, healthcare, and government, where breaches can lead to regulatory penalties under GDPR and reputational damage. Additionally, the automation and AI-driven code generation trends may exacerbate the problem by introducing secrets during build processes without adequate controls. Overall, this threat challenges the security posture of European enterprises by exploiting gaps in traditional scanning and development security practices.

Mitigation Recommendations

European organizations should adopt a multi-layered approach to mitigate this threat effectively. First, integrate dynamic scanning tools capable of spidering SPAs and analyzing JavaScript bundles to detect embedded secrets before deployment. This includes configuring DAST tools with headless browsers and custom scripts to fetch and inspect all frontend resources. Second, enhance shift-left security by expanding SAST and repository scanning rules to cover a broader range of secret patterns and enforce strict code review policies to prevent secret check-ins. Third, implement automated secrets detection in CI/CD pipelines that scans build artifacts and deployment packages for secrets, preventing leaks introduced during build or deployment stages. Fourth, employ runtime monitoring and alerting for suspicious use of API keys and tokens, including anomaly detection on SaaS platforms and cloud services. Fifth, enforce strict secret management practices, such as using environment variables, secret vaults, and ephemeral credentials instead of hardcoding secrets. Finally, conduct regular security awareness training for developers and DevOps teams about the risks of secret exposure and best practices for secure coding and deployment. Tailoring these controls to the organization's application portfolio and the scale of its digital estate will maximize their effectiveness.
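The following added example (not code from Intruder, The Hacker News, or this analysis) illustrates both the gap described in the Technical Analysis and the first and third mitigation steps above: a scanner that only inspects the direct HTTP response sees nothing, while one that follows the `<script src>` references of an SPA shell and scans the bundle finds the embedded tokens. The site contents, the token values, the handful of detection patterns and the entropy threshold are all constructed assumptions for this example; a real ruleset would cover hundreds of secret types. The same functions can run over a build artifact directory in CI by feeding file contents instead of fetched responses.

```python
import math
import re
from html.parser import HTMLParser
from urllib.parse import urljoin

# Simplified detection patterns. These are assumptions made for this example,
# not the ruleset used by Intruder or any other scanner.
SECRET_PATTERNS = {
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "gitlab_pat": re.compile(r"\bglpat-[A-Za-z0-9_-]{20,}"),
    "slack_webhook": re.compile(r"https://hooks\.slack\.com/services/[A-Za-z0-9_/-]+"),
    # Generic "apiKey: '...'" style assignments; low-entropy matches are dropped below.
    "generic_assignment": re.compile(
        r"""(?i)\b(api[_-]?key|secret|token)\s*[:=]\s*["']([A-Za-z0-9_-]{20,})["']"""
    ),
}

ENTROPY_THRESHOLD = 3.5  # bits per character; a tunable assumption


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; placeholders such as 'AAAA...' score near 0."""
    if not s:
        return 0.0
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())


class ScriptSrcParser(HTMLParser):
    """Collect every <script src=...> reference from an HTML document."""

    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            for name, value in attrs:
                if name == "src" and value:
                    self.srcs.append(value)


def redact(value: str) -> str:
    """Never report the full secret; a short prefix is enough to locate it."""
    return value[:8] + "..." + f"({len(value)} chars)"


def scan_text(text: str, origin: str) -> list:
    """Run every pattern over one resource and return redacted findings."""
    findings = []
    for kind, pattern in SECRET_PATTERNS.items():
        for match in pattern.finditer(text):
            value = match.group(match.lastindex) if match.lastindex else match.group(0)
            if kind == "generic_assignment" and shannon_entropy(value) < ENTROPY_THRESHOLD:
                continue  # low-entropy placeholder, not a credential
            findings.append({"type": kind, "where": origin, "value": redact(value)})
    return findings


def scan_response_only(site: dict, url: str) -> list:
    """What a scanner that inspects only the direct HTTP response sees."""
    return scan_text(site.get(url, ""), url)


def scan_site(site: dict, url: str) -> list:
    """Inspect the HTML response, then follow and scan every referenced bundle."""
    findings = scan_response_only(site, url)
    parser = ScriptSrcParser()
    parser.feed(site.get(url, ""))
    for src in parser.srcs:
        bundle_url = urljoin(url, src)
        body = site.get(bundle_url)
        if body is None:
            continue  # third-party or unreachable bundle; nothing to scan here
        findings.extend(scan_text(body, bundle_url))
    return findings


# Constructed sample "site": an SPA shell whose HTML carries nothing sensitive,
# while the bundle it loads contains fake tokens (every value is made up).
INDEX_URL = "https://app.example.invalid/"
SAMPLE_SITE = {
    INDEX_URL: '<!doctype html><html><head><script src="/static/main.abc123.js">'
               '</script></head><body><div id="root"></div></body></html>',
    INDEX_URL + "static/main.abc123.js": (
        'const cfg={repo:"ghp_EXAMPLE0123456789abcdefghijklmnopqrs",'
        'gl:"glpat-EXAMPLE_NOT_A_REAL_TOKEN_0",'
        'hook:"https://hooks.slack.com/services/TEXAMPLE/BEXAMPLE/EXAMPLEhookpart",'
        'apiKey:"AAAAAAAAAAAAAAAAAAAAAAAA",'
        'API_KEY:"q8Zr2xLp0mW4nV7bK3tY9sF1hJ6dC5eG"};'
    ),
}

if __name__ == "__main__":
    print("response only:", scan_response_only(SAMPLE_SITE, INDEX_URL))
    for finding in scan_site(SAMPLE_SITE, INDEX_URL):
        print(finding)
```

The response-only scan returns an empty list because the HTML shell contains no secrets; the bundle-following scan reports the GitHub and GitLab tokens, the webhook URL and the high-entropy `API_KEY` value, while the all-`A` placeholder is dropped by the entropy filter. Findings are redacted before they are returned so that the scanner's own output does not become a second place where the credential leaks.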


Technical Details

Article Source: https://thehackernews.com/2026/01/why-secrets-in-javascript-bundles-are.html (fetched 2026-01-21T03:06:10Z; 1636 words)

Threat ID: 697042a44623b1157c81b955

Added to database: 1/21/2026, 3:06:12 AM

Last enriched: 1/21/2026, 3:08:12 AM

Last updated: 1/24/2026, 2:36:12 PM

Views: 31

