
Leaked front‑end tokens grant attackers immediate access to code repositories, CI pipelines, and internal services, creating a high‑impact breach vector. Closing this hidden attack surface is essential for securing modern web applications.
The rise of single‑page applications has shifted much of the runtime logic into client‑side JavaScript bundles. While developers focus on protecting server‑side credentials, the build process often injects tokens directly into these bundles, making them publicly downloadable. Traditional shift‑left controls such as SAST or repository scans stop short of the final artifact, leaving a blind spot that attackers can exploit simply by fetching a .js file. As browsers automatically request these assets, any embedded secret becomes instantly exposed to anyone with network access.
Intruder’s research team addressed this blind spot by constructing a scanner that crawls SPAs, renders pages in a headless browser, and parses every JavaScript payload for known secret patterns. Applied to roughly five million applications, the tool extracted more than 100 MB of raw findings, revealing over 42 000 tokens across 334 distinct secret categories. High‑impact leaks included 688 active GitHub/GitLab personal‑access tokens, Linear project‑management keys, and dozens of active Slack, Teams, and Zapier webhooks. The breadth of exposed services demonstrates that bundling secrets is not an isolated mistake but a systemic issue.
Enterprises must extend their security testing beyond source code to the final bundle that reaches users. Automated SPA spidering, combined with comprehensive regex libraries, can surface hidden credentials before deployment. Intruder has now integrated this capability into its platform, enabling continuous monitoring of front‑end assets and rapid remediation of exposed tokens. As AI‑generated code and CI/CD pipelines accelerate, the likelihood of accidental secret inclusion will rise, making proactive bundle inspection a critical component of a modern DevSecOps strategy.
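The bundle inspection described above, as an added illustration that is not Intruder's scanner: a small Python post-build check that walks the text of a built JavaScript bundle, matches a handful of publicly documented token formats (GitHub and GitLab personal-access tokens, Slack incoming webhooks; the pattern set is a hypothetical subset of a real library), drops low-entropy placeholders, and reports redacted findings with line numbers so a CI job can fail the deploy without re-logging the secret. The sample bundle is constructed inline and every value in it is made up.

```python
import math
import re
from collections import Counter
from typing import Dict, List

# Hypothetical subset of a secret-pattern library (the article's scanner uses
# 334 categories); the prefixes below are the publicly documented token formats.
SECRET_PATTERNS: Dict[str, re.Pattern] = {
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}(?![A-Za-z0-9])"),
    "gitlab_pat": re.compile(r"\bglpat-[A-Za-z0-9_-]{20}(?![A-Za-z0-9_-])"),
    "slack_webhook": re.compile(
        r"https://hooks\.slack\.com/services/T[A-Z0-9]+/B[A-Z0-9]+/[A-Za-z0-9]+"
    ),
}


def shannon_entropy(s: str) -> float:
    """Bits per character; placeholders such as 'ghp_000...' score near zero."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def redact(value: str) -> str:
    """Keep just enough of a match to triage it without re-logging the secret."""
    return value[:6] + "..." + value[-4:]


def scan_bundle(js_text: str, min_entropy: float = 2.5) -> List[dict]:
    """Return one finding per high-entropy pattern match, with its line number."""
    findings = []
    for lineno, line in enumerate(js_text.splitlines(), start=1):
        for category, pattern in SECRET_PATTERNS.items():
            for m in pattern.finditer(line):
                if shannon_entropy(m.group(0)) < min_entropy:
                    continue  # repeated-character placeholder, not a live token
                findings.append(
                    {"category": category, "line": lineno, "match": redact(m.group(0))}
                )
    return findings


# Constructed stand-in for a built bundle; every value is made up and inert.
SAMPLE_BUNDLE = "\n".join([
    'var cfg={gh:"ghp_' + "a1b2c3d4" * 4 + 'wxyz",env:"prod"};',
    'var gl="glpat-' + "xyz12345" * 2 + 'abcd";',
    'fetch("https://hooks.slack.com/services/T0000ABCD/B0000EFGH/abcdefghijklmnop",{method:"POST"});',
    'var placeholder="ghp_' + "0" * 36 + '";',  # low entropy, filtered out
])

if __name__ == "__main__":
    for f in scan_bundle(SAMPLE_BUNDLE):
        print(f"{f['category']:<14} line {f['line']}: {f['match']}")
```

In a pipeline the same function would run over every file under the build output directory, and a non-empty result should fail the job before the bundle is published.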