Cyber: What 5 Million Apps Revealed About Secrets In JavaScript 2026
Leaked API keys are nothing new, but the scale of the problem in front-end code has been largely a mystery - until now. Intruder’s research team built a new secrets detection method and scanned 5 million applications specifically looking for secrets hidden in JavaScript bundles.
What we found revealed a massive gap in how the industry secures single-page applications.
The results of applying our new detection method at scale were staggering. The output file alone was over 100MB of plain text, containing more than 42,000 exposed tokens across 334 different secret types.
These weren't just low-value test keys or dead tokens. We found active, critical credentials sitting in production code, effectively bypassing the security controls most organizations rely on.
Here is a breakdown of the most critical risks we uncovered.
The most impactful exposures were tokens for code repository platforms such as GitHub and GitLab. In total, we found 688 tokens, many of which were still active and gave full access to repositories.
In one case (shown below) a GitLab personal access token was embedded directly in a JavaScript file. The token was scoped to allow access to all private repositories within the organization, including CI/CD pipeline secrets for downstream services such as AWS and SSH.
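The article describes finding repository tokens and other credentials inside built JavaScript bundles. As an added defender-side illustration (not Intruder's scanner or any code from the article), the following Python snippet shows the kind of check a team can run over its own built assets before deployment: it matches the publicly documented prefix formats for GitHub and GitLab personal access tokens and Linear API keys, applies a Shannon-entropy filter to a generic `apiKey`/`token`/`secret` assignment rule so that placeholder values are not reported, and masks every hit so the report itself does not become a second leak. The bundle text and every token value below are constructed and non-functional; the exact character count after the `lin_api_` and `github_pat_` prefixes is an assumption, so those two patterns are written loosely.

```python
import math
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample of a minified front-end bundle (not a real bundle). The
# token values are fabricated and only follow the public prefix/length shapes.
SAMPLE_BUNDLE = (
    'var c={api:"https://api.example.invalid",'
    'gl:"glpat-aB3dE6fG9hJ2kL5mN8pQ",'                            # GitLab PAT shape: glpat- + 20 chars
    'gh:"ghp_A1b2C3d4E5f6G7h8I9j0K1l2M3n4O5p6Q7r8",'               # GitHub classic PAT shape: ghp_ + 36 chars
    'lin:"lin_api_q1w2e3r4t5y6u7i8o9p0a1s2d3f4g5h6j7k8l9z0",'     # Linear key shape (length assumed)
    'apiKey:"aaaaaaaaaaaaaaaaaaaa",'                               # low-entropy placeholder, should be ignored
    'token:"Zx9Qm2Vt7Lp4Rk8Wn1Yc",'                                # unlabelled high-entropy value, should be flagged
    'env:"production"};'
)

# Format-specific rules keyed on documented token prefixes. Lengths for the
# fine-grained GitHub PAT and Linear key are approximations (assumption).
RULES = [
    ("github_pat", re.compile(r"\bghp_[A-Za-z0-9]{36}\b")),
    ("github_fine_grained_pat", re.compile(r"\bgithub_pat_[A-Za-z0-9_]{60,}\b")),
    ("gitlab_pat", re.compile(r"\bglpat-[A-Za-z0-9_\-]{20}\b")),
    ("linear_api_key", re.compile(r"\blin_api_[A-Za-z0-9]{32,}\b")),
]

# Generic rule: a credential-looking property name assigned a long literal.
# On its own this is noisy, so hits are gated by an entropy threshold below.
GENERIC = re.compile(
    r'(?i)(?:api[_-]?key|secret|token)["\']?\s*[:=]\s*["\']([A-Za-z0-9_\-]{16,})["\']'
)


@dataclass
class Finding:
    kind: str        # which rule fired
    masked: str      # redacted value safe to put in a report
    offset: int      # byte offset in the bundle, for locating the source map line
    entropy: float   # Shannon entropy in bits per character


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; placeholders like 'aaaa...' score near 0."""
    if not s:
        return 0.0
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in Counter(s).values())


def mask(value: str) -> str:
    """Keep the recognisable prefix and a short tail so the report is actionable but not reusable."""
    return value[:6] + "..." + value[-3:]


def scan_bundle(text: str, min_entropy: float = 3.0) -> list[Finding]:
    """Return findings ordered by position; a value is reported at most once."""
    findings: list[Finding] = []
    seen: set[str] = set()
    for kind, rx in RULES:
        for m in rx.finditer(text):
            val = m.group(0)
            if val in seen:
                continue
            seen.add(val)
            findings.append(Finding(kind, mask(val), m.start(), shannon_entropy(val)))
    for m in GENERIC.finditer(text):
        val = m.group(1)
        if val in seen:
            continue
        ent = shannon_entropy(val)
        if ent < min_entropy:          # drop 'changeme'-style placeholders
            continue
        seen.add(val)
        findings.append(Finding("generic_high_entropy", mask(val), m.start(1), ent))
    findings.sort(key=lambda f: f.offset)
    return findings


def counts_by_kind(findings: list[Finding]) -> dict[str, int]:
    """Aggregate view, the same shape as a per-secret-type breakdown in a report."""
    return dict(Counter(f.kind for f in findings))


if __name__ == "__main__":
    for f in scan_bundle(SAMPLE_BUNDLE):
        print(f"{f.kind:24s} at {f.offset:5d}  {f.masked}  H={f.entropy:.2f}")
```

Run against the real `dist/*.js` output of a build (rather than only the repository) as a CI gate; a hit on a format-specific rule is a blocker regardless of entropy, while the generic rule is a prompt for a human look.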
Another significant exposure involved an API key for Linear, a project management application, embedded directly in front-end code:
Source: BleepingComputer