Source map exposure → API key leak → cloud takeover

§ Context

Assumed environment: SPA built with a bundler that publishes source maps to the static origin in production. Developers committed at least one cloud credential into source.

§ Steps

1. 01
   Exfil / pivot via the trusted keyExfiltration

   T1041— Exfiltration Over C2 Channel
2. 02
   Authenticate to the third-party / cloud APIInitial Access

   T1078— Valid Accounts
3. 03
   Spider JS bundlesReconnaissance

   W-RECON-DIRBRUTE— Directory & File Bruteforce
4. 04
   Grep for keys (AWS, Stripe, SendGrid…)Reconnaissance

   W-RECON-JS-SECRETS— Hardcoded Secrets in JS Bundles
5. 05
   Reconstruct un-minified sourceReconnaissance

   W-RECON-SOURCEMAP— JavaScript Source Map Exposure
6. 06
   Download *.js.map filesReconnaissance

   W-RECON-SOURCEMAP— JavaScript Source Map Exposure

§ References

• T1041Exfiltration Over C2 Channel
• T1078Valid Accounts

§ Frequently asked

What is the "Source map exposure → API key leak → cloud takeover" attack path?

Public *.js.map files reveal un-minified source and inline-committed API keys (cloud provider, third-party services). Use the keys directly. It chains 6 steps drawn from real-world offensive-security techniques.

What starting position does this attack require?

The first step is Exfil / pivot via the trusted key (T1041) — a exfiltration primitive. Assumed environment: SPA built with a bundler that publishes source maps to the static origin in production.

What is the final impact of this kill-chain?

The final step lands on Download *.js.map files (W-RECON-SOURCEMAP), which falls under Reconnaissance. From here, an operator typically pivots into post-exploitation or maintains persistence.

How can defenders detect or prevent this attack?

Detection and prevention vary per step. Refer to each linked MITRE ATT&CK entry under "References" — every technique on that page lists defensive controls, detection telemetry, and known threat-actor usage.

§ Related dossiers

• Shared techniques2

  Vesting beneficiary replace → silently drain stream

  Bug in a custom vesting contract allows anyone to call setBeneficiary on existing schedules. Replace beneficiary with attacker address; legitimate token stream now flows to attacker until released funds are noticed.

• Shared techniques2

  Apple Pay Express Transit relay → high-value contactless fraud

  Specific configuration (Express Transit + Visa) allowed contactless transactions over £1k without unlock or per-tx auth. Two devices relayed the wallet from victim's pocket to a real terminal.

• Shared techniques2

  Mass SMS phish → Okta-style portal → SaaS sprawl (0ktapus)

  Wide SMS phishing campaign targeting employees of ~130 organisations with a single phishlet that captures Okta credentials + push approval. Mass automated logins to Twilio, MailChimp, DoorDash et al.

• Shared techniques2

  Insider admin panel coercion → mass account takeover (Twitter 2020)

  Identify employees with access to an internal admin panel. SE / coerce one to use the panel to change target accounts' email + 2FA, then take them over.

• Shared techniques2

  ERC-4626 first-depositor inflation → drain new deposits

  Be the first depositor with 1 wei → mint 1 share. Send tokens directly to the vault to inflate share price. Every subsequent depositor's amount, integer-divided by the inflated rate, rounds to zero shares.

• Shared techniques2

  SAML signature wrapping (XSW) → impersonate admin

  Capture a legitimate SAML response. Re-arrange the XML so the IdP's signature still validates against the original assertion, but the SP parses an attacker-injected assertion claiming Admin.