Hardcoded Secrets in JS Bundles
Grep JS for API keys, AWS access keys, JWT secrets, internal hostnames — TruffleHog / SecretFinder.
§ Where this technique fits
W-RECON-JS-SECRETS is catalogued under the Reconnaissance tactic of the offensive-security kill-chain. It appears in 4 approved dossiers in the registry, at step 3 on average.
§ Dossiers chaining this technique
- step 1 / 5
Dependency confusion → internal CI compromise
Publish a public npm package with the name of a target's private internal dependency at a higher version. CI resolves the public one first and runs install scripts in privileged CI.
- step 3 / 7
Public bucket → CI/CD secret leak → cloud takeover
A public S3 bucket hosts a build artefact containing CI tokens / .env files. Use them to push to the prod CI/CD pipeline and gain a deploy role.
- step 4 / 4
SharePoint / OneDrive public link enumeration → data dump
Bing / Grayhat Warfare reveals corporate SharePoint files shared 'with anyone' — financial docs, contracts, credentials in plaintext, etc.
- step 4 / 6
Source map exposure → API key leak → cloud takeover
Public *.js.map files reveal un-minified source and inline-committed API keys (cloud provider, third-party services). Use the keys directly.
§ What commonly comes next
- 01 Valid Accounts (seen 2×) — T1078 · Initial Access
- 02 Dependency Confusion (Public ↔ Internal) (seen 1×) — SUP-DEP-CONFUSION · Initial Access