Our large-scale scan of the npm registry reveals widespread credential leakage in published packages.

We scanned the top 100,000 npm packages and their full version histories. We found 3,200 packages that contained at least one verified secret, including database connection strings, cloud provider keys, and OAuth client secrets. Many of these secrets were active and provided access to production infrastructure.