Intruder uncovers 42,000 leaked tokens in web apps
Cyber security company Intruder has released a new set of secrets detection checks after uncovering tens of thousands of exposed tokens inside JavaScript bundles used by single-page applications.
The London-based exposure management provider said its security research team scanned about 5 million applications using a new spidering-based method and identified more than 42,000 tokens, including highly sensitive development and collaboration credentials. The findings point to a class of leaked secrets that the company says fall outside the reach of many existing security tools.
Intruder's new checks focus on sensitive API keys and tokens embedded in JavaScript bundles that are downloaded to users' browsers as part of modern web applications. These bundles can contain configuration data and hidden credentials that developers did not intend to expose.
The company said the upgraded detection involves systematic crawling of websites. Intruder's scanner traverses application front-ends, collects JavaScript bundles and inspects them for plain-text secrets.
Traditional secrets scanning approaches often rely on searching known file paths or repositories and applying regular expressions to detect key formats. Intruder said this model misses many exposures created by current development and deployment practices, especially in single-page applications that assemble logic in large client-side bundles.
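The crawl-and-inspect approach described above, as an added example that is not Intruder's code: it takes a single-page application's landing page, follows every script tag to the bundle it loads, and runs the bundle text through format-based detectors for a few publicly documented token prefixes (GitHub and GitLab personal access tokens, AWS access key IDs, Slack incoming webhooks). The sample site, its bundle contents and the tokens inside them are constructed for the demonstration; the fetch function is injected so the example runs offline, and the pattern set is a small illustrative subset, not the 334 types the research covers.

```python
"""Crawl an SPA front-end, pull its JavaScript bundles, flag plain-text secrets.

Added example, not Intruder's scanner. `fetch(url) -> str` is injected so the
constructed sample below runs offline; pass a real HTTP getter for live targets.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urljoin

# Illustrative subset of secret formats. Prefixes are the vendors' published ones;
# lengths are deliberately strict so a 9-character placeholder does not match.
SECRET_PATTERNS = {
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "github_fine_grained_pat": re.compile(r"\bgithub_pat_[A-Za-z0-9_]{22,}\b"),
    "gitlab_pat": re.compile(r"\bglpat-[A-Za-z0-9_-]{20}\b"),
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "slack_webhook": re.compile(
        r"https://hooks\.slack\.com/services/T[A-Z0-9]+/B[A-Z0-9]+/[A-Za-z0-9]+"),
}

# Constructed sample site (hypothetical hosts, fake tokens). The AWS key is the
# documented AKIAIOSFODNN7EXAMPLE placeholder; the Slack URL is Slack's docs placeholder.
SAMPLE_SITE = {
    "https://app.example.test/": (
        '<!doctype html><html><head><title>app</title>'
        '<script src="/static/js/main.4f2a1c.js"></script>'
        '<script src="https://cdn.example.test/vendor.9b3e.js"></script>'
        '</head><body><div id="root"></div></body></html>'),
    "https://app.example.test/static/js/main.4f2a1c.js": (
        'const cfg={api:"https://api.example.test/v1",'
        'gh:"ghp_0123456789abcdefghijklmnopqrstuvwxyz",'
        'slack:"https://hooks.slack.com/services/T00000000/B00000000/XXXXXXXXXXXXXXXXXXXXXXXX",'
        'aws:"AKIAIOSFODNN7EXAMPLE",build:"ghp_short"};export default cfg;'),
    "https://cdn.example.test/vendor.9b3e.js": "!function(){console.log('vendor')}();",
}


class _ScriptCollector(HTMLParser):
    """Collect the src attribute of every <script> tag on the page."""

    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            src = dict(attrs).get("src")
            if src:
                self.srcs.append(src)


def extract_script_urls(page_url, html):
    """Resolve each <script src> against the page URL, keeping document order."""
    collector = _ScriptCollector()
    collector.feed(html)
    return [urljoin(page_url, src) for src in collector.srcs]


def find_secrets(text):
    """Return (secret_type, value) pairs for every pattern hit, deduplicated."""
    hits = []
    for name, pattern in SECRET_PATTERNS.items():
        for match in pattern.finditer(text):
            hit = (name, match.group(0))
            if hit not in hits:
                hits.append(hit)
    return hits


def scan_spa(start_url, fetch):
    """Fetch the landing page, follow its script tags and scan every bundle.

    Cross-origin bundles (CDN-hosted builds) are scanned too, since the build
    output is what leaks, regardless of which host serves it.
    Returns {bundle_url: [(type, value), ...]} for bundles with at least one hit.
    """
    findings = {}
    for js_url in extract_script_urls(start_url, fetch(start_url)):
        hits = find_secrets(fetch(js_url))
        if hits:
            findings[js_url] = hits
    return findings


def github_token_is_active(token, http_get):
    """Liveness check for a GitHub PAT: GET /user answers 200 for a working token
    and 401 once it is revoked or expired. `http_get(url, headers) -> int status`
    is injected; only run this against tokens you are authorised to test."""
    status = http_get("https://api.github.com/user",
                      {"Authorization": f"Bearer {token}",
                       "Accept": "application/vnd.github+json"})
    return status == 200


if __name__ == "__main__":
    for url, hits in scan_spa("https://app.example.test/", SAMPLE_SITE.__getitem__).items():
        for kind, value in hits:
            print(f"{url}: {kind} -> {value[:12]}...")
```

The format-only detectors are the part the article criticises: they find what they know the shape of and nothing else, so a raw 32-byte hex API key for an internal service passes straight through. In practice the crawl stage is what closes the gap the research describes, because it looks at the artefact the browser actually receives rather than the repository it was built from; the detector stage can then be as broad as the team tolerates in false positives.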
The new checks are available for customers on Intruder's Enterprise plan.
Hidden breach paths
The research project analysed JavaScript bundles across millions of targets and extracted around 100MB of plain text for review. Intruder said this corpus contained over 42,000 tokens across 334 distinct secret types.
The most consequential issues involved access to code hosting and development platforms. The scan identified 688 tokens linked to code repository applications such as GitHub and GitLab. Intruder said many of these tokens remained active at the time of analysis.
Other exposed credentials included project management API tokens, Slack webhooks and various cloud and internal system keys. Such tokens can provide direct access paths into private repositories, CI/CD systems, ticketing platforms and other infrastructure.
Hardcoded or leaked secrets, including API keys, passwords and tokens, are a persistent cause of data breaches. They can remain exposed for long periods, especially when they sit in build artefacts or client-side code that does not fall under standard repository scanning or perimeter monitoring.
The company said its findings highlight how secrets are leaking into production at scale through modern build pipelines. Many organisations rely on virtual machine-based scanning, static application security testing and dynamic application security testing. These tools often focus on infrastructure, code repositories or runtime behaviour and can miss credentials that surface only in compiled client-side bundles.
Gaps in 'shift-left' security
The research also examined how current "shift-left" security approaches perform against this type of risk. Many development teams now run security scans earlier in the software lifecycle and integrate checks into source code management and build systems.
Intruder said early-stage scanning alone leaves gaps for leaked secrets in production. Build steps, packaging processes and third-party integrations can introduce or expose tokens after code review and repository scanning have taken place.
The company said the issue is likely to grow as AI-assisted development speeds up coding and automation across build and deployment pipelines. Faster iteration increases the chances that test keys, temporary tokens or misconfigured credentials remain in artefacts that reach production.
Intruder's work suggests that remote inspection of deployed applications is necessary alongside development-time checks. The firm argues that organisations that do not scan JavaScript bundles and other front-end artefacts lack visibility into a significant and expanding attack vector.
Dan Andrew, Head of Security at Intruder, said the findings exposed a systematic blind spot in many organisations' defences. "This project revealed that there is a major class of leaked secrets weaknesses that are not being handled sufficiently by existing tooling - especially when it comes to secrets used by single-page applications," said Andrew.
"Secrets detection appears to be an area that benefits from being hit from all angles, including robust remote scanning that leaves no stone unturned," said Andrew.
The company has published a detailed account of the research, including methodology and an impact breakdown by secret type, in a report on its site. It plans further work on remote secrets detection as more organisations shift workloads and development practices towards single-page applications and automated build pipelines.