Security News


Thousands of Live Secrets Found Across Four Cloud Development Environments

A systematic scan of 22 million public Cloud Development Environment (CDE) projects on CodeSandbox, StackBlitz, CodePen, and JSFiddle revealed thousands of live, exposed credentials due to these platforms lacking native secret scanning, push protection, or credential revocation programs. Developers inadvertently paste API keys and tokens into public projects, where they persist as active threats; one high-impact example was a GitHub employee token with write access to the `github/github` repository. The research found CodeSandbox to have the highest density of exposed secrets, with one verified credential for every 1,299 public sandboxes.

Ben Zimmermann, April 20, 2026

TL;DR: I scanned 22 million public Cloud Development Environment projects across CodeSandbox, StackBlitz, CodePen, and JSFiddle with TruffleHog, found 8,792 verified, unique secrets, and made over $20,000 in bounties along the way. The most impactful finding was a GitHub employee token with write access to github/github.

This guest post by Ben Zimmermann was developed through Truffle Security's Research CFP program. Ben is a security researcher focused on credential exposure and secret scanning at scale.

Prior secret scanning research has heavily focused on Git platforms like GitHub, GitLab, and Bitbucket. But there is an entire class of development platform that has received zero systematic attention: Cloud Development Environments (CDEs).

CDEs such as CodeSandbox, StackBlitz, CodePen, and JSFiddle let developers write and run code directly in the browser. They are used for prototyping, learning, sharing demos, and building full applications. Unlike Git platforms, CDEs have no native secret scanning integrations, no push protection, and no partner programs to automatically revoke leaked credentials. When a developer pastes an API key into a public project, it persists unless they manually delete it or change its visibility.

A live example: AWS credentials sitting in a public CodeSandbox project. You can view it at https://codesandbox.io/p/sandbox/jvkfty. Canary tokens used for demonstration.

This research set out to answer a simple question: are CDEs leaking credentials at scale? The answer is yes. CodeSandbox stands out with one verified secret for every 1,299 sandboxes. This makes sense: CodeSandbox is the most full-featured of the four platforms, often used for building complete applications with backend services, environment files, and third-party integrations. Developers often treat sandboxes like private workspaces, even when they are publicly accessible. CodePen had the lowest density, which also makes sense. Pens are typically small front-end snippets, less likely to include backend credentials. But at 10 million pens, even a low density produced nearly 1,000 live secrets.
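As an added example (not code from the article, from TruffleHog, or from any of the platforms named), the scanner below runs over a constructed corpus of public sandbox files, deduplicates hits the way the article's "unique secrets" count does, and reports a projects-per-secret density per platform. The credential formats (AWS access key ID, GitHub personal access token) are the two the article names; the sample values, file names and platform buckets are constructed, and format matching alone is not the liveness verification the article performed.

```python
import re

# Format checks for two credential types named in the article. A regex hit is a
# candidate only; the article's "verified" counts required confirming each one live.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
}


def find_secrets(text):
    """Return the set of (kind, value) candidate secrets found in one file's text."""
    found = set()
    for kind, rx in PATTERNS.items():
        for m in rx.finditer(text):
            found.add((kind, m.group(0)))
    return found


def scan_projects(projects):
    """projects maps platform -> list of public projects, each {filename: contents}.
    Returns per-platform project count, unique secret count and projects-per-secret
    (None when nothing was found), mirroring the article's density metric."""
    report = {}
    for platform, sandboxes in projects.items():
        unique = set()  # the same key pasted into several sandboxes counts once
        for files in sandboxes:
            for contents in files.values():
                unique |= find_secrets(contents)
        n = len(sandboxes)
        report[platform] = {
            "projects": n,
            "unique_secrets": len(unique),
            "projects_per_secret": (n / len(unique)) if unique else None,
        }
    return report


# Constructed sample corpus: the AWS key ID is the placeholder value from AWS's own
# docs and the GitHub token is a made-up string of the right shape; neither is live.
SAMPLE_PROJECTS = {
    "codesandbox": [
        {".env": "AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\nAWS_SECRET_ACCESS_KEY=<redacted>\n"},
        {"index.js": "const token = 'ghp_0123456789abcdefghijklmnopqrstuvwxyz';\n"},
        {"README.md": "No credentials here.\n"},
        {"config.js": "key: 'AKIAIOSFODNN7EXAMPLE'\n"},  # duplicate of the .env key
    ],
    "codepen": [
        {"script.js": "document.body.textContent = 'hello';\n"},
        {"script.js": "fetch('/api');\n"},
    ],
}

if __name__ == "__main__":
    for platform, row in scan_projects(SAMPLE_PROJECTS).items():
        print(platform, row)
```

Running it reports two unique secrets across the four constructed CodeSandbox projects (one per two projects) and none for CodePen; a real run would feed each match to a verification step before counting it.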