• What 5 Million Apps Revealed About Secrets in JavaScript February 17, 2026 09:40 AM 0 Leaked API keys are nothing new, but the scale of the problem in front-end code has been largely a mystery - until now.Intruder’sresearch team built a new secrets detection method and scanned 5 million applications specifically looking for secrets hidden in JavaScript bundles. • What we found revealed a massive gap in how the industry secures single-page applications. • 42,000 secrets hidden in plain sight The results of applying ournew detection methodat scale were staggering. • The output file alone was over 100MB of plain text, containing more than 42,000 exposed tokens across 334 different secret types. • These weren’t just low-value test keys or dead tokens. • We found active, critical credentials sitting in production code, effectively bypassing the security controls most organizations rely on.
Article Summaries:
- Leaked API keys are nothing new, but the scale of the problem in front-end code has been largely a mystery - until now. Intruder’s research team built a new secrets detection method and scanned 5 million applications specifically looking for secrets hidden in JavaScript bundles. What we found revealed a massive gap in how the industry secures single-page applications. 42,000 secrets hidden in plain sight The results of applying our new detection method at scale were staggering. The output file alone was over 100MB of plain text, containing more than 42,000 exposed tokens across 334 different s
Sources: