Why Secrets in JavaScript Bundles are Still Being Missed


These articles are AI-generated summaries. Please check the original sources for full details.

Established secrets detection methods (and their limitations)

Leaked API keys are increasingly common, and so are the breaches that follow. Research by Intruder found over 42,000 exposed tokens across 334 secret types when scanning 5 million applications, revealing significant gaps in standard secrets detection.

Traditional approaches like SAST and DAST often miss secrets embedded within JavaScript bundles, leading to exposures with potentially high impact – especially in single-page applications (SPAs). This gap occurs because these scanners don’t fully analyze application front-ends during runtime.

Key Insights

  • Intruder’s research revealed over 42,000 exposed secrets in JavaScript bundles from a scan of 5 million applications in 2026.
  • DAST tools, while robust, are often reserved for high-value applications due to cost and configuration overhead.
  • Secrets can bypass shift-left safeguards during build and deployment, ending up in front-end code undetected.

Working Example

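As an added example (not code from Intruder's platform or from the original article), the kind of check an SPA-spidering scanner runs once it has fetched a bundle: match well-known token formats, then fall back to an entropy heuristic for string literals assigned to secret-looking property names. The bundle text and every token value in it are constructed placeholders, and the format regexes are approximations of the public token shapes, not vendor-supplied definitions.

```python
import math
import re

# Constructed JavaScript bundle fragment standing in for a real SPA build artifact.
# Every token value below is a fabricated placeholder shaped like a known format.
SAMPLE_BUNDLE = r'''
(function(){var e={apiBase:"https://api.example.invalid",
ghToken:"ghp_ABCDEFGHIJKLMNOPQRSTUVWXYZabcdef0123",
awsKeyId:"AKIAIOSFODNN7EXAMPLE",
trackingId:"UA-12345-1",
jiraKey:"aVeryLongHighEntropyValueZ9xQ2mK8pL3nR7tW4yB6cD1fG5hJ0kN",
version:"1.0.0"};window.__cfg=e;})();
'''

# Approximate shapes of well-known tokens (GitHub PAT, AWS access key id,
# Slack bot token, Stripe live key). Real scanners carry hundreds of these.
KNOWN_PATTERNS = {
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "slack_bot_token": re.compile(r"\bxoxb-[0-9A-Za-z-]{10,}\b"),
    "stripe_live_key": re.compile(r"\bsk_live_[0-9A-Za-z]{24,}\b"),
}
# Generic fallback: a secret-ish property name assigned a long string literal.
SECRET_ASSIGNMENT = re.compile(
    r"\b(\w*(?:token|secret|key|password)\w*)\s*[:=]\s*[\"']([^\"']{20,})[\"']",
    re.IGNORECASE)

def shannon_entropy(s):
    """Bits per character; random-looking credentials score high, version strings low."""
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())

def scan_bundle(source, entropy_threshold=4.0):
    """Return a list of (kind, value) findings from JavaScript source text."""
    findings, seen = [], set()
    for kind, pat in KNOWN_PATTERNS.items():
        for m in pat.finditer(source):
            if m.group(0) not in seen:
                seen.add(m.group(0))
                findings.append((kind, m.group(0)))
    for m in SECRET_ASSIGNMENT.finditer(source):
        name, value = m.group(1), m.group(2)
        # Skip values already attributed to a known format, and URLs (long but not secrets).
        if value in seen or value.startswith(("http://", "https://")):
            continue
        if shannon_entropy(value) >= entropy_threshold:
            seen.add(value)
            findings.append(("high_entropy:" + name, value))
    return findings

if __name__ == "__main__":
    for kind, value in scan_bundle(SAMPLE_BUNDLE):
        print(f"{kind}: {value}")
```

The tracking id and version string pass through untouched, which is the point of the entropy gate: it keeps generic-name matches from drowning the real findings in noise.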

Practical Applications

  • Company/system: Intruder implemented SPA spidering for secrets detection, integrating the check into their platform.
  • Pitfall: Relying solely on SAST or DAST without SPA-specific scanning can lead to exposed code repository tokens and project management API keys.
