Secrets Detection

Check customer dependencies for leaked secrets (e.g. SSH keys).

Description

Critical secrets are often used for authentication against a system or service. In some instances, these secrets may be accidentally added to a source code repository and subsequently leaked onto the internet.

This heuristic identifies leaked secrets in open source packages by performing a variety of pattern matching operations across the package source code.
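The following Python sketch is an added illustration of how a pattern-matching secrets scan of this kind can be built; it is not Phylum's own code or rule set. The rule names, regular expressions, entropy threshold, placeholder list and sample package files are all constructed for this example, and the matched values are redacted before being reported so that a finding never re-leaks the secret it found.

```python
"""Minimal secrets scanner: regex rules plus placeholder and entropy filters.

Illustrative example only; the rules, thresholds and sample files below are
constructed for this demonstration and are not Phylum's heuristic.
"""
import math
import re
from dataclasses import dataclass

# Each rule: (name, compiled pattern, index of the group that holds the secret value).
# Group 0 means the whole match is the secret (structured tokens with a fixed shape).
RULES = [
    ("aws-access-key-id", re.compile(r"\bAKIA[0-9A-Z]{16}\b"), 0),
    ("github-pat", re.compile(r"\bghp_[A-Za-z0-9]{36}\b"), 0),
    ("private-key-block",
     re.compile(r"-----BEGIN (?:RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----"), 0),
    # Generic "name = 'value'" assignments; the value is entropy-checked below.
    ("generic-credential-assignment",
     re.compile(r'(?i)(password|passwd|secret|api[_-]?key|token)\w*\s*[:=]\s*["\']([^"\']{8,})["\']'),
     2),
]

# Values that look like secrets syntactically but are documented placeholders.
PLACEHOLDER_MARKERS = ("example", "changeme", "placeholder", "xxxx", "your_")
ENTROPY_THRESHOLD = 3.0  # bits per character; constructed cut-off for the generic rule


@dataclass(frozen=True)
class Finding:
    path: str
    line: int
    rule: str
    redacted: str


def shannon_entropy(value: str) -> float:
    """Bits per character of the string; higher means less predictable."""
    if not value:
        return 0.0
    counts: dict[str, int] = {}
    for ch in value:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(value)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def redact(value: str) -> str:
    """Keep only a short prefix so reports do not contain the secret itself."""
    return value[:4] + "*" * (len(value) - 4) if len(value) > 8 else "*" * len(value)


def is_placeholder(value: str) -> bool:
    lowered = value.lower()
    return any(marker in lowered for marker in PLACEHOLDER_MARKERS)


def scan_text(path: str, text: str) -> list[Finding]:
    """Run every rule over each line of one file and return redacted findings."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for name, pattern, group in RULES:
            for match in pattern.finditer(line):
                value = match.group(group)
                if is_placeholder(value):
                    continue  # documented sample value, not a leak
                if group != 0 and shannon_entropy(value) < ENTROPY_THRESHOLD:
                    continue  # low-entropy string assigned to a credential-like name
                findings.append(Finding(path, line_no, name, redact(value)))
    return findings


def scan_package(files: dict[str, str]) -> list[Finding]:
    """Scan every file of an unpacked package (relative path -> contents)."""
    results = []
    for path, text in files.items():
        results.extend(scan_text(path, text))
    return results


# Constructed sample package contents; none of these values are real credentials.
SAMPLE_FILES = {
    "config/settings.py": (
        "DEBUG = False\n"
        'AWS_ACCESS_KEY_ID = "AKIAABCDEFGHIJKLMNOP"\n'   # constructed key shape
        'DB_PASSWORD = "changeme"\n'                     # placeholder, should be skipped
        'API_TOKEN = "q7Zp2mX9vL4kR8nT1wB6"\n'           # constructed high-entropy value
    ),
    "deploy/id_rsa": (
        "-----BEGIN OPENSSH PRIVATE KEY-----\n"
        "b3BlbnNzaC1rZXktdjEAAAAA\n"                      # constructed, truncated body
        "-----END OPENSSH PRIVATE KEY-----\n"
    ),
    "README.md": "Use AKIAIOSFODNN7EXAMPLE from the AWS docs as a placeholder.\n",
    ".github/workflows/ci.yml": "    token: ghp_A1b2C3d4E5f6G7h8I9j0K1l2M3n4O5p6Q7r8\n",
}

if __name__ == "__main__":
    for f in scan_package(SAMPLE_FILES):
        print(f"{f.path}:{f.line} [{f.rule}] {f.redacted}")
```

Running the script reports four findings (the AWS-shaped key, the high-entropy API token, the private key header and the GitHub-shaped token) and skips the two placeholders. The structured rules are tuned for precision, while the generic assignment rule trades precision for recall; the placeholder list and entropy cut-off are what keep it from flagging every `password = "changeme"` in a package's test fixtures.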

Importance

The presence of secrets in a package does not, on its own, negatively affect the users of the package. However, it may lead to the compromise of infrastructure or services that this package interacts with or otherwise consumes. This may pose a risk to the end user.

Additionally, the presence of secrets may be indicative of poor engineering practices across the open source library.

Risk Domains

Engineering, Author

Impact on the Phylum Package Score

Packages that contain secrets will be lightly penalized.

Examples from the past

In 2020, SolarWinds was hit by a supply chain attack reportedly caused by a password leak to a GitHub repository. This resulted in malicious software updates being pushed to nearly 18,000 customers.
