
Кирилл

I Scanned 97 Popular Open Source Projects. 23% Had Credentials in Public Code.

Last weekend I ran a static analysis sweep across 50 popular TypeScript and JavaScript repositories — all with 9,000+ GitHub stars.

The results surprised me.

The Numbers

Out of 50 repositories (9,000–10,000 stars each):

| Finding | Repos | Percentage | Total findings |
|---|---|---|---|
| Credentials in public code | 14 | 28% | 157 |
| Security-relevant patterns | 25 | 50% | 335 |
| Unresolved TODO/FIXME | 35 | 70% | 1,015 |
| Fully clean | 19 | 38% | |

Only 38% of popular projects were fully clean.

Who Was Scanned

microsoft/vscode-copilot-chat (9,859 stars) — 5 credentials in code, 33 security patterns (12 high-severity), 194 TODOs. A single file pythonCookbookData.ts contains 7 eval() calls and 2 os.system() calls.

bluesky-social/atproto (9,336 stars) — 68 credentials, the most of any repo. Default passwords for self-hosted deployment: PASSWORD="admin", PASSWORD="changeme", PASSWORD="root".

aws-amplify/amplify-js (9,581 stars) — 16 credentials, 13 security patterns, 106 TODOs. Amazon's project with significant technical debt.

DouyinFE/semi-design (9,837 stars) — 63 security patterns, the most of any repo. ByteDance's UI library with massive innerHTML usage.

highlight/highlight (9,239 stars) — 4 credentials, 41 security patterns. A monitoring platform that needs security monitoring itself.

Clean projects: vercel/serve, microsoft/inshellisense, labs42io/clean-code-typescript, BartoszJarocki/cv, and 15 others passed with zero findings.

Credentials: 28%

157 cases where passwords, API keys, or tokens sit in public repos. Bots scan GitHub every minute and harvest leaked keys automatically. Even PASSWORD="changeme" is a risk — attackers know the default.

Security Patterns: 50%

  • innerHTML — most common. semi-design (63), highlight (41), gb-studio (31). Each one is a potential XSS vector.
  • eval() — vscode-copilot-chat has 7 calls in one file.
  • Empty catch blocks — catch(e){} = pretend nothing happened. Found everywhere.

TODO Mountain: 70%

1,015 TODOs across 35 repos. Leaders: vscode-copilot-chat (194), keystone (146), amplify-js (106).

What You Can Do

  1. Scan with git-secrets, trufflehog, or gitleaks
  2. Ship .env.example, never .env
  3. Audit your catch blocks
  4. Replace innerHTML with textContent
  5. Track your TODO count

Methodology

50 repos, TypeScript/JavaScript, 9K+ stars. Static regex only. ~15-20% false positive rate. April 2026. No exploits tested.


I run code security audits. Want your codebase scanned? Reach out.
