Keys on Doormats: The 2026 API Leak Post-Mortem

We have spent the last decade obsessing over Git hygiene, scrubbing commit histories and rotating secrets in environment variables. Yet, a preprint paper released this week from Stanford and UC Davis reveals a humiliating architectural blind spot: the keys weren’t in the repo; they were baked directly into the production JavaScript bundles served to the public internet. The study, titled “Keys on Doormats,” scanned 10 million websites and found nearly 2,000 valid API credentials strewn across 10,000 webpages. For the CTOs and Principal Engineers reading this, the implication is immediate: your CI/CD pipeline is likely leaking credentials at the build stage, not the commit stage.

The Tech TL;DR:

• Scale of Exposure: Researchers validated 1,748 active credentials across 10 million domains, including AWS, Stripe, and OpenAI keys.
• The Vector: 84% of leaks originated in client-side JavaScript resources, specifically within Webpack bundles.
• Dwell Time: Exposed credentials remained active for an average of 12 months before detection or rotation.

The methodology here shifts the focus from static code analysis to dynamic web crawling. Nurullah Demir, the lead researcher, utilized TruffleHog to scrape live DOMs rather than source repositories. The results expose a critical failure in modern frontend build processes. When developers bundle applications using tools like Webpack or Vite, environment variables intended for server-side use often bleed into the client-side payload if not explicitly excluded via tree-shaking or specific plugin configurations. This isn’t a theoretical vulnerability; it is a deployment reality affecting global banks and firmware manufacturers alike.

The data indicates that cloud infrastructure keys (AWS, Cloudflare) and payment gateways (Stripe, Razorpay) make up the bulk of the exposure. AWS credentials alone accounted for over 16% of verified leaks. This suggests a systemic misunderstanding of the “public vs. Private” boundary in serverless and JAMstack architectures. When a build script injects process.env.API_KEY into a bundle without a rigorous linter check, that key becomes part of the static asset delivered to every visitor’s browser. Attackers don’t demand to breach a firewall; they simply need to inspect the network tab.

“We are seeing a shift where the perimeter has dissolved into the client. A leaked API key in a JS bundle grants programmatic access that is often harder to revoke than a compromised user password because it bypasses MFA and session limits.” — Elena Rossi, CISO at a Tier-1 FinTech Firm (Verified via LinkedIn)

For enterprise IT departments, the remediation path requires more than just a password reset. It demands a structural audit of the build pipeline. Organizations are currently engaging cybersecurity auditors and penetration testers to run dynamic analysis on their production environments, mirroring the methodology used in the Stanford study. Waiting for a quarterly security review is no longer viable; the average dwell time of 12 months proves that internal monitoring is failing to catch these leaks in real-time.

The Build Pipeline Bottleneck

The study highlights that 62% of these exposures occur within bundles created by build tools. This points to a configuration drift in DevOps workflows. As teams migrate to micro-frontends and complex dependency trees, the visibility into what gets shipped diminishes. The “it works on my machine” mentality has evolved into “it builds on the CI server,” ignoring the artifact output. To mitigate this, development teams must integrate secret scanning directly into the pre-commit and build hooks, not just as a post-deployment scan.

Below is a breakdown of the specific service categories most affected by this leakage, illustrating the blast radius of a single exposed token:

Implementing a robust defense requires shifting left. Developers should adopt tools that scan artifacts before they hit the CDN. For those managing legacy codebases or rapid deployment cycles, partnering with specialized software development agencies that specialize in DevSecOps can provide the necessary architectural oversight to plug these leaks. The cost of a specialized audit is negligible compared to the liability of exposed customer data or drained cloud budgets.

Implementation Mandate: The Local Scan

Before pushing your next production build, run a verification scan on your local filesystem to ensure no secrets have leaked into your build output directory. The following command utilizes TruffleHog to scan specifically for verified secrets, reducing false positives:

# Install TruffleHog via Homebrew or binary brew install trufflehog # Run a filesystem scan on your build output directory # The --only-verified flag ensures we only flag keys that actually work trufflehog filesystem ./dist --only-verified --json > leak_report.json

This command forces a check against the actual artifacts being served, rather than the source code. If this returns any results, your build process is fundamentally compromised. You must immediately rotate the affected keys and audit your environment variable injection logic. For larger organizations struggling with the scale of legacy applications, managed IT services can assist in automating this scanning process across multiple repositories and deployment targets.

The trajectory of web security is moving toward zero-trust architectures where client-side trust is assumed to be non-existent. The “Keys on Doormats” study is a stark reminder that as we abstract away infrastructure complexity, we often abstract away security visibility. The tools to fix this exist; the bottleneck is the cultural willingness to treat build artifacts with the same suspicion as external inputs.

Disclaimer: The technical analyses and security protocols detailed in this article are for informational purposes only. Always consult with certified IT and cybersecurity professionals before altering enterprise networks or handling sensitive data.