Scanning 5M apps uncovered 42K exposed secrets in JavaScript bundles, revealing major gaps in traditional SAST, DAST, and scanner coverage.

The Tidyverse Blog offers insights, tutorials, and updates on the Tidyverse, a collection of R packages for data science and statistical computing. Covering topics such as data manipulation, visualization, and analysis, the blog provides resources for R developers looking to leverage the power of the Tidyverse for their data projects. Developers can learn how to use Tidyverse packages effectively to clean, transform, and analyze data in R.

The Hacker News

Research scanning 5 million applications uncovered over 42,000 exposed secrets in JavaScript bundles, revealing critical gaps in traditional security tools. SAST, DAST, and infrastructure scanners often miss secrets embedded in front-end JavaScript files because they don't spider single-page applications or scan bundled assets. The exposed tokens included 688 code repository credentials (GitHub, GitLab), project management API keys, and webhooks for platforms like Slack and Teams. Many tokens were still active and granted full access to private repositories, CI/CD pipelines, and sensitive organizational data. The findings demonstrate that shift-left security controls alone are insufficient, as secrets introduced during build and deployment can bypass early-stage safeguards and reach production in front-end code.

Why Secrets in JavaScript Bundles are Still Being Missed

Established secrets detection methods (and their limitations) #

Building a secrets detection check for JavaScript bundles #